Analysis
- max time kernel: 150s
- max time network: 191s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 21-07-2021 11:37

Behavioral task: behavioral1
- Sample: darknj.exe
- Resource: win7v20210408
General
- Target: darknj.exe
- Size: 692KB
- MD5: 2308cedb77f66e4a821d57e8ee1e08a5
- SHA1: 42ddaf9aef498e366fecdad6b2acbbe9d9d0d47c
- SHA256: 8eb3881ba7d320c0760042529414e8ee87b8bfc648c34d87dd36ed854b0c8b7b
- SHA512: ad91461e7e5747a8815015c910f84720bd90cf520a39dcc01cd75c5a8840a8beda9969de2c5e8778cac5d863bf11fcb6c0c946c81b4a3ed43792ca0202264f77
Malware Config

Extracted: njrat
- Version: 0.7NC
- Botnet/campaign ID: NYAN CAT
- C2: secret92.ddns.net:8082
- Mutex: 0c3398f1458
- reg_key: 0c3398f1458
- splitter: @!#&^%$

Extracted: darkcomet
- Botnet/campaign ID: GG
- C2: secret92.ddns.net:82
- Mutex: DC_MUTEX-A6ET8RQ
- InstallPath: MSDCSC\msdcsc.exe
- gencode: oqyLUmi211Cb
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate

Both payloads call back to the same dynamic-DNS host (secret92.ddns.net) on different ports (8082 for njRAT, 82 for DarkComet), so a single DNS-based block or alert on that name covers both families. The njRAT splitter is the delimiter the client places between fields of its C2 messages. The DarkComet reg_key (MicroUpdate) and InstallPath (MSDCSC\msdcsc.exe) reappear below as the Run value name and the dropped-file location, which is a useful cross-check that the extracted config belongs to the behaviour observed.
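The darkcomet block above is the output of a config extractor. As an added example (not the sandbox's code and not part of the original report), the script below decodes a DarkComet 5.x DCDATA configuration the way public extractors do: the resource is hex text, RC4-decrypted with a per-version key (plus the builder password, when one was set) into a "#BEGIN DARKCOMET DATA --" header, one NAME={value} line per setting and a "#EOF DARKCOMET DATA --" footer. The version keys and the field names (SID, NETDATA, MUTEX, GENCODE, INSTALL, EDTPATH, KEYNAME, PERSINST, OFFLINEK) are taken from those public extractors and should be treated as assumptions; the sample blob is constructed here by encrypting the values this report lists, because the real resource is not on the page.

```python
"""Decode a DarkComet 5.x DCDATA configuration blob with RC4.

Added example for this report; it is not the sandbox's extractor. Layout,
version keys and field names follow public DarkComet config extractors
(assumption); the sample blob is constructed from the report's values.
"""
from binascii import hexlify, unhexlify

# Per-version RC4 keys as documented by public extractors (assumption: the
# report does not state the sample's exact DarkComet version).
VERSION_KEYS = {
    "5.1": "#KCMDDC51#-890",
    "5.0": "#KCMDDC5#-890",
    "4.2": "#KCMDDC42F#-890",
    "4.0": "#KCMDDC4#-890",
}
HEADER = "#BEGIN DARKCOMET DATA --"
FOOTER = "#EOF DARKCOMET DATA --"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_dcdata(hex_blob: str, key: str):
    """Return the config dict, or None if this key does not reproduce the header.

    The header check is what makes key guessing safe: a wrong key yields noise
    that does not start with the magic line.
    """
    plain = rc4(key.encode("latin-1"), unhexlify(hex_blob)).decode("latin-1")
    if not plain.startswith(HEADER):
        return None
    config = {}
    for line in plain.splitlines()[1:]:
        if line.startswith(FOOTER) or "=" not in line:
            continue
        name, value = line.split("=", 1)
        # values are wrapped in braces; some builds pad them with NULs
        config[name.strip()] = value.strip().strip("{}").replace("\x00", "")
    return config


def extract_config(hex_blob: str, password: str = ""):
    """Try every known version key, with the optional builder password appended."""
    for version, base_key in VERSION_KEYS.items():
        config = decrypt_dcdata(hex_blob, base_key + password)
        if config is not None:
            return version, config
    return None, None


def build_dcdata(fields: dict, key: str) -> str:
    """Constructed sample: encrypt a config in the same layout (test input only)."""
    lines = [HEADER] + [f"{k}={{{v}}}" for k, v in fields.items()] + [FOOTER]
    return hexlify(rc4(key.encode("latin-1"), "\r\n".join(lines).encode("latin-1"))).decode()


# Values from the report's "Extracted darkcomet" block under the assumed field names.
REPORTED = {
    "SID": "GG",
    "NETDATA": "secret92.ddns.net:82",
    "MUTEX": "DC_MUTEX-A6ET8RQ",
    "GENCODE": "oqyLUmi211Cb",
    "INSTALL": "1",
    "EDTPATH": "MSDCSC\\msdcsc.exe",
    "KEYNAME": "MicroUpdate",
    "PERSINST": "1",
    "OFFLINEK": "1",
}
SAMPLE_BLOB = build_dcdata(REPORTED, VERSION_KEYS["5.1"])

if __name__ == "__main__":
    version, cfg = extract_config(SAMPLE_BLOB)
    print(version, cfg["NETDATA"], cfg["MUTEX"], cfg["KEYNAME"])
```

Because RC4 is symmetric and has no integrity check, the only signal that a key is right is the plaintext header; extract_config relies on that to walk the key list, and a builder password simply becomes part of the key, so a blob that fails every version key is either password-protected or not DCDATA at all.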
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- darknj.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\Windows\system32\userinit.exe,C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe"
  UserInit is a comma-separated list that winlogon executes at every interactive logon. Appending msdcsc.exe gives the DarkComet payload a second autostart (ATT&CK T1547.004) that survives removal of the Run value recorded below; the clean value is "C:\Windows\system32\userinit.exe," and nothing else.
Modifies security service (2 TTPs, 1 IoC)
- msdcsc.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"
  Start=4 is SERVICE_DISABLED: the Security Center service (wscsvc) will not start on the next boot, so the user stops receiving antivirus, firewall and update status warnings.
Executes dropped EXE (2 IoCs)
- NJ.EXE (PID 1008)
- msdcsc.exe (PID 436)
Deletes itself (1 IoC)
- notepad.exe (PID 744)
  This notepad.exe is a child of darknj.exe (PID 320) that received 18 WriteProcessMemory calls from it (see below), so the delete is consistent with injected code running under Notepad's name rather than with darknj.exe removing its own file directly.
Loads dropped DLL (4 IoCs)
- darknj.exe (PID 320), four loads
Windows security modification (2 IoCs)
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  Both values silence Security Center notifications. The Wow6432Node path shows the 32-bit payload writing through the registry redirector on the 64-bit guest; this is the "Windows security modification" signature referenced in the process tree.
Adds Run key to start application (2 TTPs, 2 IoCs)
- msdcsc.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe"
- darknj.exe: the same value set to the same path
  The value name (MicroUpdate) and target path match reg_key and InstallPath in the extracted DarkComet config. The executable sits in the shared Start Menu folder, which normally holds only shortcuts, so a Run value pointing there is suspicious on its own.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's stock description for this signature calls it likely ransomware behaviour; for this sample it is better explained by the RAT's file manager listing drives for the operator, and nothing else in the report (no mass file writes, no ransom note) points to encryption.
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- msdcsc.exe (PID 436)
  Repeated GetForegroundWindow polling is how a keylogger tags each keystroke with the window it was typed into; the extracted config has offline_keylogger enabled.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- darknj.exe (PID 320) enabled: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 (23 entries)
- msdcsc.exe (PID 436) enabled the same 23 privileges in the same order, as expected for a byte-identical copy of darknj.exe
- NJ.EXE (PID 1008): SeDebugPrivilege, then privilege 33 and SeIncBasePriorityPrivilege alternately (18 entries)
  Enabling every privilege the token holds in one sweep, rather than the single one a task needs, is typical of RAT stubs; SeDebugPrivilege is the one that matters for the cross-process writes below. The unnamed entries 33, 34 and 35 are the LUIDs of SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege.
Suspicious use of SetWindowsHookEx (1 IoC)
- msdcsc.exe (PID 436)
  A global hook installed with SetWindowsHookEx is a common keyboard-capture mechanism; together with the foreground-window polling above it fits the enabled keylogger.
Suspicious use of WriteProcessMemory (64 IoCs)
Writes grouped by source → target (count):
- darknj.exe (320) → cmd.exe (1640): 4
- darknj.exe (320) → cmd.exe (1572): 4
- cmd.exe (1572) → attrib.exe (824): 4
- cmd.exe (1640) → attrib.exe (1684): 4
- darknj.exe (320) → NJ.EXE (1008): 4
- darknj.exe (320) → notepad.exe (744): 18
- darknj.exe (320) → msdcsc.exe (436): 4
- msdcsc.exe (436) → notepad.exe (1940): 22
  Four writes per child is the baseline the sandbox records for an ordinary CreateProcess. The two notepad.exe instances receive several times that, which is the pattern of code injection into a freshly spawned benign host process (process hollowing or similar), performed once by the dropper and once by the installed DarkComet copy.
System policy modification (1 TTP, 3 IoCs)
- msdcsc.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion
- msdcsc.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"
  The path is reproduced as the sample wrote it. "Policies\CurrentVersion\Explorern" is a misspelling of the real policy location (Policies\Explorer), so the NoControlPanel setting has no effect, but the odd key is a reliable host artefact to hunt for.
Views/modifies file attributes (1 TTP, 2 IoCs)
- attrib.exe (PID 1684)
- attrib.exe (PID 824)
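The registry writes in the signatures above are the ones worth turning into host detections. As an added example (not part of the sandbox report), the script below runs five rules over registry value-set events built from this report's IoCs, in a Sysmon Event ID 13 style (Image, TargetObject, Details); that field layout, the two clean control events and the scoring choices are assumptions. Each rule compares the written value with what a clean host would hold rather than matching the malware's exact strings, so it also catches the same trick with a different path or value name.

```python
"""Match this report's registry IoCs against registry value-set events.

Added example, not part of the sandbox report. Events are constructed from the
report's IoCs in a Sysmon Event ID 13 style (assumed field names); the two
"setup.exe" events are constructed clean controls.
"""
import re


def normalise(path: str) -> str:
    """Map kernel-style registry paths to HKLM/HKU, drop WoW64 and SID noise, lowercase."""
    p = path.replace("\\REGISTRY\\MACHINE\\", "HKLM\\").replace("\\REGISTRY\\USER\\", "HKU\\")
    p = p.replace("HKLM\\SOFTWARE\\Wow6432Node\\", "HKLM\\SOFTWARE\\")
    p = re.sub(r"^HKU\\S-1-5-21-[\d-]+\\", lambda m: "HKU\\<SID>\\", p)
    return p.lower()


def check_userinit(key: str, value: str):
    # Winlogon\UserInit holds only userinit.exe on a clean host; every extra
    # comma-separated entry is run by winlogon at each logon (T1547.004).
    if not key.endswith("\\winlogon\\userinit"):
        return None
    entries = [e.strip().lower() for e in value.split(",") if e.strip()]
    extra = [e for e in entries if not e.endswith("\\userinit.exe")]
    return "UserInit extended with " + ", ".join(extra) if extra else None


def check_run_key(key: str, value: str):
    # A Run value whose target lives in the shared Start Menu folder is wrong
    # by construction: that folder holds shortcuts, never executables.
    if "\\currentversion\\run\\" not in key:
        return None
    target = value.strip('"').lower()
    if "\\programdata\\microsoft\\windows\\start menu\\" in target:
        return "Run value targets the Start Menu folder: " + target
    return None


def check_wscsvc(key: str, value: str):
    # Start=4 is SERVICE_DISABLED for the Security Center service.
    if key.endswith("\\services\\wscsvc\\start") and str(value) == "4":
        return "Security Center service (wscsvc) disabled (Start=4)"
    return None


def check_security_center(key: str, value: str):
    m = re.search(r"\\microsoft\\security center\\(\w+disablenotify)$", key)
    if m and str(value) == "1":
        return "Security Center notification suppressed: " + m.group(1)
    return None


def check_policy(key: str, value: str):
    # The misspelled Policies\CurrentVersion\Explorern key has no policy effect
    # but is exactly what the report shows msdcsc.exe writing.
    if "\\policies\\currentversion\\explorern\\" in key:
        name = key.rsplit("\\", 1)[-1]
        return "policy value under misspelled Explorern key: " + name
    return None


RULES = (check_userinit, check_run_key, check_wscsvc, check_security_center, check_policy)


def scan(events):
    """Return (image, finding) pairs for every event that trips a rule."""
    hits = []
    for ev in events:
        key = normalise(ev["TargetObject"])
        for rule in RULES:
            finding = rule(key, ev["Details"])
            if finding:
                hits.append((ev["Image"], finding))
    return hits


SID = "S-1-5-21-2455352368-1077083310-2879168483-1000"  # from the report
RUN_KEY = r"\REGISTRY\USER\%s\Software\Microsoft\Windows\CurrentVersion\Run\%s"
SAMPLE_EVENTS = [  # constructed from the report's IoCs plus two clean controls
    {"Image": "darknj.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
     "Details": r"C:\Windows\system32\userinit.exe,C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe"},
    {"Image": "msdcsc.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start", "Details": "4"},
    {"Image": "msdcsc.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify",
     "Details": "1"},
    {"Image": "msdcsc.exe", "TargetObject": RUN_KEY % (SID, "MicroUpdate"),
     "Details": r"C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe"},
    {"Image": "msdcsc.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel",
     "Details": "1"},
    {"Image": "setup.exe",  # clean control: Windows' default UserInit value
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
     "Details": r"C:\Windows\system32\userinit.exe,"},
    {"Image": "setup.exe",  # clean control: ordinary Run entry under Program Files
     "TargetObject": RUN_KEY % (SID, "Updater"), "Details": r"C:\Program Files\Vendor\updater.exe"},
]

if __name__ == "__main__":
    for image, finding in scan(SAMPLE_EVENTS):
        print(f"{image}: {finding}")
```

Normalising the path before matching matters: the sandbox reports kernel-style \REGISTRY\MACHINE paths, Sysmon reports HKLM, and the 32-bit payload's writes land under Wow6432Node on x64, so rules written against one spelling miss the others.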
Processes
- C:\Users\Admin\AppData\Local\Temp\darknj.exe (PID 320), command line: "C:\Users\Admin\AppData\Local\Temp\darknj.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe, command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\darknj.exe" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe, command line: attrib "C:\Users\Admin\AppData\Local\Temp\darknj.exe" +s +h
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe, command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe, command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Views/modifies file attributes
  - C:\Users\Admin\AppData\Local\Temp\NJ.EXE (PID 1008), command line: "C:\Users\Admin\AppData\Local\Temp\NJ.EXE"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\notepad.exe (PID 744), command line: notepad
    - Deletes itself
  - C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe (PID 436), command line: "C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe"
    - Modifies security service
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Windows\SysWOW64\notepad.exe (PID 1940), command line: notepad

Reading the tree: the dropper first hides its own file and its Temp directory with attrib +s +h (system + hidden, so a default Explorer view shows neither), then launches the njRAT component NJ.EXE, a notepad.exe that it injects into, and the DarkComet copy msdcsc.exe, which in turn spawns and injects into its own notepad.exe. The command lines name System32 but the images run from SysWOW64 because the 32-bit processes are subject to file-system redirection on the x64 guest.
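Two patterns in this tree generalise beyond this sample: a process that hides an ancestor's own image (or its directory) with attrib, and a freshly spawned system binary that receives far more parent-to-child memory writes than process creation needs. As an added example (not the sandbox's code and not part of the report), the script below checks both over a process list constructed from the tree above. The event layout (pid, ppid, image, cmd), the pairing of the two cmd.exe/attrib.exe PIDs with their command lines, and the write-count threshold are assumptions; the write counts are the ones listed under "Suspicious use of WriteProcessMemory".

```python
"""Flag self-hiding via attrib and injection-sized memory writes in a process tree.

Added example, not from the sandbox. PROCS is constructed from the report's
process tree (cmd/attrib PID pairing assumed); WRITES holds the report's
WriteProcessMemory counts.
"""
import re

PROCS = [
    dict(pid=320, ppid=0, image=r"C:\Users\Admin\AppData\Local\Temp\darknj.exe",
         cmd=r'"C:\Users\Admin\AppData\Local\Temp\darknj.exe"'),
    dict(pid=1640, ppid=320, image=r"C:\Windows\SysWOW64\cmd.exe",
         cmd=r'"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\darknj.exe" +s +h'),
    dict(pid=1684, ppid=1640, image=r"C:\Windows\SysWOW64\attrib.exe",
         cmd=r'attrib "C:\Users\Admin\AppData\Local\Temp\darknj.exe" +s +h'),
    dict(pid=1572, ppid=320, image=r"C:\Windows\SysWOW64\cmd.exe",
         cmd=r'"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h'),
    dict(pid=824, ppid=1572, image=r"C:\Windows\SysWOW64\attrib.exe",
         cmd=r'attrib "C:\Users\Admin\AppData\Local\Temp" +s +h'),
    dict(pid=1008, ppid=320, image=r"C:\Users\Admin\AppData\Local\Temp\NJ.EXE",
         cmd=r'"C:\Users\Admin\AppData\Local\Temp\NJ.EXE"'),
    dict(pid=744, ppid=320, image=r"C:\Windows\SysWOW64\notepad.exe", cmd="notepad"),
    dict(pid=436, ppid=320, image=r"C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe",
         cmd=r'"C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe"'),
    dict(pid=1940, ppid=436, image=r"C:\Windows\SysWOW64\notepad.exe", cmd="notepad"),
]
# (source pid, target pid) -> WriteProcessMemory calls, as listed in the report
WRITES = {(320, 1640): 4, (320, 1572): 4, (1572, 824): 4, (1640, 1684): 4,
          (320, 1008): 4, (320, 744): 18, (320, 436): 4, (436, 1940): 22}

ATTRIB_RE = re.compile(r'attrib\s+"([^"]+)"\s+((?:\+[shr]\s*)+)', re.I)


def self_hiding(procs):
    """(pid, ancestor pid, path) for processes that hide an ancestor's image or its directory."""
    by_pid = {p["pid"]: p for p in procs}
    hits = []
    for p in procs:
        m = ATTRIB_RE.search(p["cmd"])
        if not m or "+h" not in m.group(2).lower():
            continue
        target = m.group(1).lower().rstrip("\\")
        anc = by_pid.get(p["ppid"])
        while anc:  # walk up: cmd.exe -> darknj.exe, attrib.exe -> cmd.exe -> darknj.exe
            img = anc["image"].lower()
            if target in (img, img.rsplit("\\", 1)[0]):
                hits.append((p["pid"], anc["pid"], target))
                break
            anc = by_pid.get(anc["ppid"])
    return hits


def injection_targets(procs, writes, baseline=4):
    """Children that received far more parent->child writes than process creation needs.

    The report shows exactly `baseline` writes for every ordinary child; a child
    receiving more than twice that is flagged. The multiplier is an assumed
    heuristic, tuned here to the sandbox's own counts.
    """
    by_pid = {p["pid"]: p for p in procs}
    hits = []
    for (src, dst), n in writes.items():
        child = by_pid.get(dst)
        if child and child["ppid"] == src and n > 2 * baseline:
            hits.append((src, dst, child["image"].rsplit("\\", 1)[-1], n))
    return sorted(hits)


if __name__ == "__main__":
    for pid, anc, path in self_hiding(PROCS):
        print(f"pid {pid} hides {path}, which belongs to ancestor pid {anc}")
    for src, dst, name, n in injection_targets(PROCS, WRITES):
        print(f"pid {src} wrote {n} times into child {name} (pid {dst})")
```

The ancestor walk is what makes the attrib rule useful outside this sample: the dropper does not run attrib itself but goes through cmd.exe, so a rule that only looks at the immediate parent would miss that the hidden path is the grandparent's own binary.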
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Dropped files (each is listed several times in the raw output because the sandbox records every write; shown once here):
- C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
  MD5 2308cedb77f66e4a821d57e8ee1e08a5
  SHA1 42ddaf9aef498e366fecdad6b2acbbe9d9d0d47c
  SHA256 8eb3881ba7d320c0760042529414e8ee87b8bfc648c34d87dd36ed854b0c8b7b
  SHA512 ad91461e7e5747a8815015c910f84720bd90cf520a39dcc01cd75c5a8840a8beda9969de2c5e8778cac5d863bf11fcb6c0c946c81b4a3ed43792ca0202264f77
  These hashes are identical to the submitted darknj.exe: the DarkComet install step is a plain self-copy, so a hash indicator for the sample also matches the installed persistence binary.
- C:\Users\Admin\AppData\Local\Temp\NJ.EXE
  MD5 7033b44842fd35925e857497f9cb1653
  SHA1 0db1543f4af1b37e9d3d93b75f5d8329d6337b3f
  SHA256 381bc1886d534d20d33107d09b09fd7e4fffba102c0314b6d8359be5ebb6231f
  SHA512 f74abf39181aa65068740d99968d503ce96bd2dc3c2a0a7251422204c7cda0aa54bc20edce2b37b264348cf97594ed3f99a31028a1eb9e17fd81b4ba4453de0f
  NJ.EXE is a distinct binary written by darknj.exe, consistent with the njRAT component named in the config section; it needs its own hash indicator.
Memory dumps:
- memory/320-60-0x0000000000260000-0x0000000000261000-memory.dmp (4KB)
- memory/320-59-0x0000000075051000-0x0000000075053000-memory.dmp (8KB)
- memory/436-82-0x0000000000240000-0x0000000000241000-memory.dmp (4KB)
- memory/436-76-0x0000000000000000-mapping.dmp
- memory/744-72-0x0000000000000000-mapping.dmp
- memory/744-77-0x0000000000150000-0x0000000000151000-memory.dmp (4KB)
- memory/824-63-0x0000000000000000-mapping.dmp
- memory/1008-67-0x0000000000000000-mapping.dmp
- memory/1008-71-0x0000000000450000-0x0000000000451000-memory.dmp (4KB)
- memory/1572-62-0x0000000000000000-mapping.dmp
- memory/1640-61-0x0000000000000000-mapping.dmp
- memory/1684-64-0x0000000000000000-mapping.dmp
- memory/1940-80-0x0000000000000000-mapping.dmp
- memory/1940-83-0x0000000000220000-0x0000000000221000-memory.dmp (4KB)