Analysis
-
max time kernel
151s -
max time network
146s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
16-08-2021 00:41
Static task
static1
Behavioral task
behavioral1
Sample
906D7922A3F3A0CC91BBD911996C92F2.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
906D7922A3F3A0CC91BBD911996C92F2.exe
Resource
win10v20210408
General
-
Target
906D7922A3F3A0CC91BBD911996C92F2.exe
-
Size
296KB
-
MD5
906d7922a3f3a0cc91bbd911996c92f2
-
SHA1
17039ace019e1b1e403bd94a3d628abdb79d6d15
-
SHA256
99f2ebec7674cee93ee71093bac9a16773a49a185939ea5923ae1f8f3250a9d9
-
SHA512
d6424bd66b4223419c70bd0e70a8615e2a2fb26f798fa93e9a7aa9f9610f0382ac6fa22238375d722c93d4dbc712db7b3789a7fd773987a1e77d73f7bd0ceb53
Malware Config
Extracted
njrat
0.7d
HacKed
doza122.con-ip.com:5552
68a4a42151e9c45f922a140954d9441d
-
reg_key
68a4a42151e9c45f922a140954d9441d
-
splitter
|'|'|
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
win..exepid process 596 win..exe -
Modifies Windows Firewall 1 TTPs
-
Drops startup file 2 IoCs
Processes:
win..exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68a4a42151e9c45f922a140954d9441d.exe win..exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68a4a42151e9c45f922a140954d9441d.exe win..exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
win..exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\68a4a42151e9c45f922a140954d9441d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\win..exe\" .." win..exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\68a4a42151e9c45f922a140954d9441d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\win..exe\" .." win..exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 31 IoCs
Processes:
win..exedescription pid process Token: SeDebugPrivilege 596 win..exe Token: 33 596 win..exe Token: SeIncBasePriorityPrivilege 596 win..exe Token: 33 596 win..exe Token: SeIncBasePriorityPrivilege 596 win..exe Token: 33 596 win..exe Token: SeIncBasePriorityPrivilege 596 win..exe Token: 33 596 win..exe Token: SeIncBasePriorityPrivilege 596 win..exe Token: 33 596 win..exe Token: SeIncBasePriorityPrivilege 596 win..exe Token: 33 596 win..exe Token: SeIncBasePriorityPrivilege 596 win..exe Token: 33 596 win..exe Token: SeIncBasePriorityPrivilege 596 win..exe Token: 33 596 win..exe Token: SeIncBasePriorityPrivilege 596 win..exe Token: 33 596 win..exe Token: SeIncBasePriorityPrivilege 596 win..exe Token: 33 596 win..exe Token: SeIncBasePriorityPrivilege 596 win..exe Token: 33 596 win..exe Token: SeIncBasePriorityPrivilege 596 win..exe Token: 33 596 win..exe Token: SeIncBasePriorityPrivilege 596 win..exe Token: 33 596 win..exe Token: SeIncBasePriorityPrivilege 596 win..exe Token: 33 596 win..exe Token: SeIncBasePriorityPrivilege 596 win..exe Token: 33 596 win..exe Token: SeIncBasePriorityPrivilege 596 win..exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
906D7922A3F3A0CC91BBD911996C92F2.exewin..exedescription pid process target process PID 1836 wrote to memory of 596 1836 906D7922A3F3A0CC91BBD911996C92F2.exe win..exe PID 1836 wrote to memory of 596 1836 906D7922A3F3A0CC91BBD911996C92F2.exe win..exe PID 1836 wrote to memory of 596 1836 906D7922A3F3A0CC91BBD911996C92F2.exe win..exe PID 596 wrote to memory of 432 596 win..exe netsh.exe PID 596 wrote to memory of 432 596 win..exe netsh.exe PID 596 wrote to memory of 432 596 win..exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\906D7922A3F3A0CC91BBD911996C92F2.exe"C:\Users\Admin\AppData\Local\Temp\906D7922A3F3A0CC91BBD911996C92F2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Users\Admin\AppData\Local\Temp\win..exe"C:\Users\Admin\AppData\Local\Temp\win..exe"2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:596 -
C:\Windows\system32\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\win..exe" "win..exe" ENABLE3⤵PID:432
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
906d7922a3f3a0cc91bbd911996c92f2
SHA117039ace019e1b1e403bd94a3d628abdb79d6d15
SHA25699f2ebec7674cee93ee71093bac9a16773a49a185939ea5923ae1f8f3250a9d9
SHA512d6424bd66b4223419c70bd0e70a8615e2a2fb26f798fa93e9a7aa9f9610f0382ac6fa22238375d722c93d4dbc712db7b3789a7fd773987a1e77d73f7bd0ceb53
-
MD5
906d7922a3f3a0cc91bbd911996c92f2
SHA117039ace019e1b1e403bd94a3d628abdb79d6d15
SHA25699f2ebec7674cee93ee71093bac9a16773a49a185939ea5923ae1f8f3250a9d9
SHA512d6424bd66b4223419c70bd0e70a8615e2a2fb26f798fa93e9a7aa9f9610f0382ac6fa22238375d722c93d4dbc712db7b3789a7fd773987a1e77d73f7bd0ceb53