Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 10-01-2021 10:28
- Static task: static1
- Behavioral task: behavioral1 (Sample: download.exe, Resource: win7v20201028)
- Behavioral task: behavioral2 (Sample: download.exe, Resource: win10v20201028)
General
- Target: download.exe
- Size: 23KB
- MD5: bb00c53e0777a63206a53389edd2cef0
- SHA1: d6454601a8e1164527fdfbbe453a949e15a3f6d3
- SHA256: 60c9ff6f9a97ea33927a9806855d94c0294ee3a907dd82fe6b1ad89f25ff8b6c
- SHA512: df52dbf2a8d094adfee388dc87502a1f3f481fd5b829eed11af441c4bd88abd1e3986557f9499ef83420b4234c87e74b164773c8d087e3261fa9158b8b9729c9
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Eu
- C2: 225551.duckdns.org:1177
- 1c67227486cb440a255655e419b1c7fc
- reg_key: 1c67227486cb440a255655e419b1c7fc
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  pid 1296: Intel(R) Dynamic Technology Management Service.exe
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Processes (Intel(R) Dynamic Technology Management Service.exe):
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1c67227486cb440a255655e419b1c7fc.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1c67227486cb440a255655e419b1c7fc.exe
- Loads dropped DLL (1 IoC)
  Processes:
  pid 996: download.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (Intel(R) Dynamic Technology Management Service.exe):
  Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\1c67227486cb440a255655e419b1c7fc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Intel(R) Dynamic Technology Management Service.exe\" .."
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\1c67227486cb440a255655e419b1c7fc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Intel(R) Dynamic Technology Management Service.exe\" .."
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Processes (Intel(R) Dynamic Technology Management Service.exe, pid 1296):
  Token: SeDebugPrivilege (1 entry), followed by Token: 33 and Token: SeIncBasePriorityPrivilege alternating for the remaining 30 entries
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  PID 996 (download.exe) wrote to memory of PID 1296 (Intel(R) Dynamic Technology Management Service.exe): 4 entries
  PID 1296 (Intel(R) Dynamic Technology Management Service.exe) wrote to memory of PID 1452 (netsh.exe): 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\download.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\download.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Intel(R) Dynamic Technology Management Service.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Intel(R) Dynamic Technology Management Service.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Intel(R) Dynamic Technology Management Service.exe" "Intel(R) Dynamic Technology Management Service.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Intel(R) Dynamic Technology Management Service.exe
  MD5: bb00c53e0777a63206a53389edd2cef0
  SHA1: d6454601a8e1164527fdfbbe453a949e15a3f6d3
  SHA256: 60c9ff6f9a97ea33927a9806855d94c0294ee3a907dd82fe6b1ad89f25ff8b6c
  SHA512: df52dbf2a8d094adfee388dc87502a1f3f481fd5b829eed11af441c4bd88abd1e3986557f9499ef83420b4234c87e74b164773c8d087e3261fa9158b8b9729c9
  These hashes are identical to those of the submitted sample, so the dropped file is a copy of download.exe under a new name.
- \Users\Admin\AppData\Local\Temp\Intel(R) Dynamic Technology Management Service.exe
  Same file and hashes as the entry above.
- memory/1296-3-0x0000000000000000-mapping.dmp
- memory/1452-6-0x0000000000000000-mapping.dmp