Analysis
max time kernel: 153s
max time network: 151s
platform: windows7_x64
resource: win7v20210408
submitted: 01-09-2021 23:02

Static task: static1
Behavioral task: behavioral1
  Sample: 5916EAC72F7396EDFF49CAD9DCD8D80C.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 5916EAC72F7396EDFF49CAD9DCD8D80C.exe
  Resource: win10-en
General
Target: 5916EAC72F7396EDFF49CAD9DCD8D80C.exe
Size: 120KB
MD5: 5916eac72f7396edff49cad9dcd8d80c
SHA1: 8e49c5a46c86c239ea314513ef80e0e275541e19
SHA256: b13fbd200b38f02c0278e54483e641a2cfb41acd1a90bed78ac8791d0c1cf5b2
SHA512: e584db22f6f01714f32061846d4ee26e400889c984aef744a73a66a5f4b1a6bace6906f55b48bb45a7aaa8677f0a51b8aabc9536216632abaa0480983038dff9
Malware Config
Extracted
Family: njrat
Version: v2.0
Botnet: HacKed
C2: 107.152.99.41:54893
Mutex: Windows
reg_key: Windows
splitter: |-F-|
Signatures

Executes dropped EXE (2 IoCs)
Processes:
pid  | process
2020 | tmp92ED.tmpjmboysofpwfkab.exe
1916 | tmp957D.tmpjihmokkdytlmx.exe
Modifies Windows Firewall (1 TTPs)

Drops startup file (6 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\57fb05ec5f5f4ec817027bcb7278a5fa.exe | tmp957D.tmpjihmokkdytlmx.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | tmp92ED.tmpjmboysofpwfkab.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | tmp92ED.tmpjmboysofpwfkab.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | attrib.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | tmp92ED.tmpjmboysofpwfkab.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\57fb05ec5f5f4ec817027bcb7278a5fa.exe | tmp957D.tmpjihmokkdytlmx.exe
Adds Run key to start application (2 TTPs, 6 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\57fb05ec5f5f4ec817027bcb7278a5fa = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp957D.tmpjihmokkdytlmx.exe\" .." | tmp957D.tmpjihmokkdytlmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\57fb05ec5f5f4ec817027bcb7278a5fa = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp957D.tmpjihmokkdytlmx.exe\" .." | tmp957D.tmpjihmokkdytlmx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | tmp92ED.tmpjmboysofpwfkab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | tmp92ED.tmpjmboysofpwfkab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | tmp92ED.tmpjmboysofpwfkab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | tmp92ED.tmpjmboysofpwfkab.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1916 | tmp957D.tmpjihmokkdytlmx.exe
Token: SeDebugPrivilege | 2020 | tmp92ED.tmpjmboysofpwfkab.exe
Token: 33 | 1916 | tmp957D.tmpjihmokkdytlmx.exe
Token: SeIncBasePriorityPrivilege | 1916 | tmp957D.tmpjihmokkdytlmx.exe
Token: 33 | 2020 | tmp92ED.tmpjmboysofpwfkab.exe
Token: SeIncBasePriorityPrivilege | 2020 | tmp92ED.tmpjmboysofpwfkab.exe
Token: 33 | 1916 | tmp957D.tmpjihmokkdytlmx.exe
Token: SeIncBasePriorityPrivilege | 1916 | tmp957D.tmpjihmokkdytlmx.exe
Token: 33 | 2020 | tmp92ED.tmpjmboysofpwfkab.exe
Token: SeIncBasePriorityPrivilege | 2020 | tmp92ED.tmpjmboysofpwfkab.exe
Token: 33 | 1916 | tmp957D.tmpjihmokkdytlmx.exe
Token: SeIncBasePriorityPrivilege | 1916 | tmp957D.tmpjihmokkdytlmx.exe
Token: 33 | 1916 | tmp957D.tmpjihmokkdytlmx.exe
Token: SeIncBasePriorityPrivilege | 1916 | tmp957D.tmpjihmokkdytlmx.exe
Token: 33 | 2020 | tmp92ED.tmpjmboysofpwfkab.exe
Token: SeIncBasePriorityPrivilege | 2020 | tmp92ED.tmpjmboysofpwfkab.exe
Token: 33 | 1916 | tmp957D.tmpjihmokkdytlmx.exe
Token: SeIncBasePriorityPrivilege | 1916 | tmp957D.tmpjihmokkdytlmx.exe
Token: 33 | 1916 | tmp957D.tmpjihmokkdytlmx.exe
Token: SeIncBasePriorityPrivilege | 1916 | tmp957D.tmpjihmokkdytlmx.exe
Token: 33 | 2020 | tmp92ED.tmpjmboysofpwfkab.exe
Token: SeIncBasePriorityPrivilege | 2020 | tmp92ED.tmpjmboysofpwfkab.exe
Token: 33 | 1916 | tmp957D.tmpjihmokkdytlmx.exe
Token: SeIncBasePriorityPrivilege | 1916 | tmp957D.tmpjihmokkdytlmx.exe
Token: 33 | 2020 | tmp92ED.tmpjmboysofpwfkab.exe
Token: SeIncBasePriorityPrivilege | 2020 | tmp92ED.tmpjmboysofpwfkab.exe
Token: 33 | 1916 | tmp957D.tmpjihmokkdytlmx.exe
Token: SeIncBasePriorityPrivilege | 1916 | tmp957D.tmpjihmokkdytlmx.exe
Token: 33 | 1916 | tmp957D.tmpjihmokkdytlmx.exe
Token: SeIncBasePriorityPrivilege | 1916 | tmp957D.tmpjihmokkdytlmx.exe
Token: 33 | 2020 | tmp92ED.tmpjmboysofpwfkab.exe
Token: SeIncBasePriorityPrivilege | 2020 | tmp92ED.tmpjmboysofpwfkab.exe
Token: 33 | 1916 | tmp957D.tmpjihmokkdytlmx.exe
Token: SeIncBasePriorityPrivilege | 1916 | tmp957D.tmpjihmokkdytlmx.exe
Token: 33 | 2020 | tmp92ED.tmpjmboysofpwfkab.exe
Token: SeIncBasePriorityPrivilege | 2020 | tmp92ED.tmpjmboysofpwfkab.exe
Token: 33 | 1916 | tmp957D.tmpjihmokkdytlmx.exe
Token: SeIncBasePriorityPrivilege | 1916 | tmp957D.tmpjihmokkdytlmx.exe
Token: 33 | 1916 | tmp957D.tmpjihmokkdytlmx.exe
Token: SeIncBasePriorityPrivilege | 1916 | tmp957D.tmpjihmokkdytlmx.exe
Token: 33 | 2020 | tmp92ED.tmpjmboysofpwfkab.exe
Token: SeIncBasePriorityPrivilege | 2020 | tmp92ED.tmpjmboysofpwfkab.exe
Token: 33 | 1916 | tmp957D.tmpjihmokkdytlmx.exe
Token: SeIncBasePriorityPrivilege | 1916 | tmp957D.tmpjihmokkdytlmx.exe
Token: 33 | 1916 | tmp957D.tmpjihmokkdytlmx.exe
Token: SeIncBasePriorityPrivilege | 1916 | tmp957D.tmpjihmokkdytlmx.exe
Token: 33 | 2020 | tmp92ED.tmpjmboysofpwfkab.exe
Token: SeIncBasePriorityPrivilege | 2020 | tmp92ED.tmpjmboysofpwfkab.exe
Token: 33 | 1916 | tmp957D.tmpjihmokkdytlmx.exe
Token: SeIncBasePriorityPrivilege | 1916 | tmp957D.tmpjihmokkdytlmx.exe
Token: 33 | 2020 | tmp92ED.tmpjmboysofpwfkab.exe
Token: SeIncBasePriorityPrivilege | 2020 | tmp92ED.tmpjmboysofpwfkab.exe
Token: 33 | 1916 | tmp957D.tmpjihmokkdytlmx.exe
Token: SeIncBasePriorityPrivilege | 1916 | tmp957D.tmpjihmokkdytlmx.exe
Token: 33 | 1916 | tmp957D.tmpjihmokkdytlmx.exe
Token: SeIncBasePriorityPrivilege | 1916 | tmp957D.tmpjihmokkdytlmx.exe
Token: 33 | 2020 | tmp92ED.tmpjmboysofpwfkab.exe
Token: SeIncBasePriorityPrivilege | 2020 | tmp92ED.tmpjmboysofpwfkab.exe
Token: 33 | 1916 | tmp957D.tmpjihmokkdytlmx.exe
Token: SeIncBasePriorityPrivilege | 1916 | tmp957D.tmpjihmokkdytlmx.exe
Token: 33 | 2020 | tmp92ED.tmpjmboysofpwfkab.exe
Token: SeIncBasePriorityPrivilege | 2020 | tmp92ED.tmpjmboysofpwfkab.exe
Token: 33 | 1916 | tmp957D.tmpjihmokkdytlmx.exe
Token: SeIncBasePriorityPrivilege | 1916 | tmp957D.tmpjihmokkdytlmx.exe
Suspicious use of WriteProcessMemory (18 IoCs)
Processes:
description | pid | process | target process
PID 736 wrote to memory of 2020 | 736 | 5916EAC72F7396EDFF49CAD9DCD8D80C.exe | tmp92ED.tmpjmboysofpwfkab.exe
PID 736 wrote to memory of 2020 | 736 | 5916EAC72F7396EDFF49CAD9DCD8D80C.exe | tmp92ED.tmpjmboysofpwfkab.exe
PID 736 wrote to memory of 2020 | 736 | 5916EAC72F7396EDFF49CAD9DCD8D80C.exe | tmp92ED.tmpjmboysofpwfkab.exe
PID 736 wrote to memory of 2020 | 736 | 5916EAC72F7396EDFF49CAD9DCD8D80C.exe | tmp92ED.tmpjmboysofpwfkab.exe
PID 736 wrote to memory of 1916 | 736 | 5916EAC72F7396EDFF49CAD9DCD8D80C.exe | tmp957D.tmpjihmokkdytlmx.exe
PID 736 wrote to memory of 1916 | 736 | 5916EAC72F7396EDFF49CAD9DCD8D80C.exe | tmp957D.tmpjihmokkdytlmx.exe
PID 736 wrote to memory of 1916 | 736 | 5916EAC72F7396EDFF49CAD9DCD8D80C.exe | tmp957D.tmpjihmokkdytlmx.exe
PID 1916 wrote to memory of 336 | 1916 | tmp957D.tmpjihmokkdytlmx.exe | netsh.exe
PID 1916 wrote to memory of 336 | 1916 | tmp957D.tmpjihmokkdytlmx.exe | netsh.exe
PID 1916 wrote to memory of 336 | 1916 | tmp957D.tmpjihmokkdytlmx.exe | netsh.exe
PID 2020 wrote to memory of 380 | 2020 | tmp92ED.tmpjmboysofpwfkab.exe | attrib.exe
PID 2020 wrote to memory of 380 | 2020 | tmp92ED.tmpjmboysofpwfkab.exe | attrib.exe
PID 2020 wrote to memory of 380 | 2020 | tmp92ED.tmpjmboysofpwfkab.exe | attrib.exe
PID 2020 wrote to memory of 380 | 2020 | tmp92ED.tmpjmboysofpwfkab.exe | attrib.exe
PID 2020 wrote to memory of 2012 | 2020 | tmp92ED.tmpjmboysofpwfkab.exe | attrib.exe
PID 2020 wrote to memory of 2012 | 2020 | tmp92ED.tmpjmboysofpwfkab.exe | attrib.exe
PID 2020 wrote to memory of 2012 | 2020 | tmp92ED.tmpjmboysofpwfkab.exe | attrib.exe
PID 2020 wrote to memory of 2012 | 2020 | tmp92ED.tmpjmboysofpwfkab.exe | attrib.exe

Views/modifies file attributes (1 TTPs, 2 IoCs)
Processes:
pid  | process
380  | attrib.exe
2012 | attrib.exe
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\5916EAC72F7396EDFF49CAD9DCD8D80C.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5916EAC72F7396EDFF49CAD9DCD8D80C.exe"
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\tmp92ED.tmpjmboysofpwfkab.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp92ED.tmpjmboysofpwfkab.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
      - Drops startup file
      - Views/modifies file attributes

    Depth 3: C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
      - Views/modifies file attributes

  Depth 2: C:\Users\Admin\AppData\Local\Temp\tmp957D.tmpjihmokkdytlmx.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp957D.tmpjihmokkdytlmx.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\system32\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\tmp957D.tmpjihmokkdytlmx.exe" "tmp957D.tmpjihmokkdytlmx.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\tmp92ED.tmpjmboysofpwfkab.exe
MD5: e848c5e3b3e7fb19f0db58fffce478e4
SHA1: 4beade72e7848e21517c2bf4771d27b8dcf7eb48
SHA256: 53d8b02ff494749adcb4b02524041a9bc3d3cdc2f435904eee48ae318dc211d5
SHA512: 6492d6aa1707841e32853e251c0bc62e6f55c505d38fc21d96edf2706959f114dab7233d8f2616aaf032cf8ba23f7cf5187d9955cf39bfec574fe37187903f0c
C:\Users\Admin\AppData\Local\Temp\tmp957D.tmpjihmokkdytlmx.exe
MD5: 90fe7a4b04c23033119dafdf2851715e
SHA1: 80049ce46d24990862d7010e9392d276d7902b75
SHA256: 1ab2126c5d97b51dd1f735fdadc31488f2500d37425c7a42fe148dcf95971a07
SHA512: c137d8e7d465d22774bdaff7541fea50dde926394260f2668610ce68df3bf441a63114e40ede2391041c6700cf878ad0cba582cfdd9d94504d9deaddea74a08f
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe
MD5: e848c5e3b3e7fb19f0db58fffce478e4
SHA1: 4beade72e7848e21517c2bf4771d27b8dcf7eb48
SHA256: 53d8b02ff494749adcb4b02524041a9bc3d3cdc2f435904eee48ae318dc211d5
SHA512: 6492d6aa1707841e32853e251c0bc62e6f55c505d38fc21d96edf2706959f114dab7233d8f2616aaf032cf8ba23f7cf5187d9955cf39bfec574fe37187903f0c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe
MD5: e848c5e3b3e7fb19f0db58fffce478e4
SHA1: 4beade72e7848e21517c2bf4771d27b8dcf7eb48
SHA256: 53d8b02ff494749adcb4b02524041a9bc3d3cdc2f435904eee48ae318dc211d5
SHA512: 6492d6aa1707841e32853e251c0bc62e6f55c505d38fc21d96edf2706959f114dab7233d8f2616aaf032cf8ba23f7cf5187d9955cf39bfec574fe37187903f0c
memory/336-72-0x000007FEFBEA1000-0x000007FEFBEA3000-memory.dmp | Filesize: 8KB
memory/336-71-0x0000000000000000-mapping.dmp
memory/380-73-0x0000000000000000-mapping.dmp
memory/736-60-0x0000000001EB0000-0x0000000001EB2000-memory.dmp | Filesize: 8KB
memory/1916-68-0x0000000002080000-0x0000000002082000-memory.dmp | Filesize: 8KB
memory/1916-70-0x000007FEF2B00000-0x000007FEF3B96000-memory.dmp | Filesize: 16.6MB
memory/1916-63-0x0000000000000000-mapping.dmp
memory/1916-77-0x0000000002086000-0x00000000020A5000-memory.dmp | Filesize: 124KB
memory/2012-74-0x0000000000000000-mapping.dmp
memory/2020-67-0x0000000075891000-0x0000000075893000-memory.dmp | Filesize: 8KB
memory/2020-69-0x0000000002080000-0x0000000002081000-memory.dmp | Filesize: 4KB
memory/2020-61-0x0000000000000000-mapping.dmp