Analysis
- max time kernel: 152s
- max time network: 145s
- platform: windows10_x64
- resource: win10-en
- submitted: 04-09-2021 14:46
Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 32B067ACA0339443A8CC7BE1A9398619.exe
  - Resource: win7v20210408
- Behavioral task: behavioral2
  - Sample: 32B067ACA0339443A8CC7BE1A9398619.exe
  - Resource: win10-en
General
- Target: 32B067ACA0339443A8CC7BE1A9398619.exe
- Size: 245KB
- MD5: 32b067aca0339443a8cc7be1a9398619
- SHA1: 8a2fecd5f8e83366528d6d30c1ed515b68f515b1
- SHA256: 7e6dbe74cacc0af41a546d4c6de9a50a14556dd9aa1eb604f2f5b1b8aa947429
- SHA512: d43b9c7972d73ac093926cb966af6c798d43721298e6f4191d87a3918c03b9ecf3495f14e75aeff41a4bcf55ff1c5e65efbcf6e5691f803bb509efb461b6ae8d
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- testvictim
- C2: 77.247.127.72:189
- Identifier (also used as the reg_key name and the startup file name): 0a04621658b925eb76dce3df766c44fe
- reg_key: 0a04621658b925eb76dce3df766c44fe
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  - 2124 faqs.exe
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Processes (description / ioc / process):
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0a04621658b925eb76dce3df766c44fe.exe (faqs.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0a04621658b925eb76dce3df766c44fe.exe (faqs.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0a04621658b925eb76dce3df766c44fe = "\"C:\\Windows\\faqs.exe\" .." (faqs.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\0a04621658b925eb76dce3df766c44fe = "\"C:\\Windows\\faqs.exe\" .." (faqs.exe)
- Drops file in Windows directory (1 IoC)
  Processes (description / ioc / process):
  - File created: C:\Windows\faqs.exe (32B067ACA0339443A8CC7BE1A9398619.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege, 2124, faqs.exe (1 entry)
  - Token: 33, 2124, faqs.exe and Token: SeIncBasePriorityPrivilege, 2124, faqs.exe, alternating (34 entries in total, 17 of each)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid / process / target process):
  - PID 3936 wrote to memory of 2124: 32B067ACA0339443A8CC7BE1A9398619.exe -> faqs.exe (3 entries)
  - PID 2124 wrote to memory of 1224: faqs.exe -> netsh.exe (3 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\32B067ACA0339443A8CC7BE1A9398619.exe (PID 3936)
   Command line: "C:\Users\Admin\AppData\Local\Temp\32B067ACA0339443A8CC7BE1A9398619.exe"
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\faqs.exe (PID 2124, child of 1)
      Command line: "C:\Windows\faqs.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (PID 1224, child of 2)
         Command line: netsh firewall add allowedprogram "C:\Windows\faqs.exe" "faqs.exe" ENABLE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Windows\faqs.exe
  - MD5: 32b067aca0339443a8cc7be1a9398619
  - SHA1: 8a2fecd5f8e83366528d6d30c1ed515b68f515b1
  - SHA256: 7e6dbe74cacc0af41a546d4c6de9a50a14556dd9aa1eb604f2f5b1b8aa947429
  - SHA512: d43b9c7972d73ac093926cb966af6c798d43721298e6f4191d87a3918c03b9ecf3495f14e75aeff41a4bcf55ff1c5e65efbcf6e5691f803bb509efb461b6ae8d
- memory/1224-130-0x0000000000000000-mapping.dmp
- memory/2124-121-0x0000000000000000-mapping.dmp
- memory/2124-129-0x00000000050E0000-0x000000000517C000-memory.dmp (Filesize: 624KB)
- memory/2124-131-0x00000000053C0000-0x00000000053C1000-memory.dmp (Filesize: 4KB)
- memory/2124-132-0x0000000005370000-0x0000000005371000-memory.dmp (Filesize: 4KB)
- memory/2124-133-0x0000000005590000-0x0000000005591000-memory.dmp (Filesize: 4KB)
- memory/3936-119-0x0000000005A50000-0x0000000005A51000-memory.dmp (Filesize: 4KB)
- memory/3936-120-0x0000000005540000-0x0000000005541000-memory.dmp (Filesize: 4KB)
- memory/3936-118-0x0000000002C00000-0x0000000002C17000-memory.dmp (Filesize: 92KB)
- memory/3936-117-0x0000000005340000-0x0000000005341000-memory.dmp (Filesize: 4KB)
- memory/3936-115-0x0000000000A80000-0x0000000000A81000-memory.dmp (Filesize: 4KB)