Analysis
- max time kernel: 160s
- max time network: 160s
- platform: windows7_x64
- resource: win7-en
- submitted: 06-09-2021 22:06
Behavioral task: behavioral1
- Sample: 41FEAB5AEC2ECE21D9A72911C82AE177.exe
- Resource: win7-en
Behavioral task: behavioral2
- Sample: 41FEAB5AEC2ECE21D9A72911C82AE177.exe
- Resource: win10v20210408
General
- Target: 41FEAB5AEC2ECE21D9A72911C82AE177.exe
- Size: 23KB
- MD5: 41feab5aec2ece21d9a72911c82ae177
- SHA1: 53ae7e16b5ee073904a2b1f95ac85acbff93c00e
- SHA256: 56ceb4578f1fdeed73868bba77e46c0bbef65c101530bcef3a9257d15ec0b456
- SHA512: cbe373277b85ad46c4fe70f990361a496e5b7152bb2ab7a868f1d37687bfc3cf5421ae894bd697c423da1c3210d412d3fd4c208f294493fb0d4d79e6a347342d
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: victima
- C2: 8.tcp.ngrok.io:16534
- Mutex: 03ef0a44d2c926e2d1efdd377b33c634
- reg_key: 03ef0a44d2c926e2d1efdd377b33c634
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  - 1164 defender.exe
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Processes (description / ioc / process):
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\03ef0a44d2c926e2d1efdd377b33c634.exe (defender.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\03ef0a44d2c926e2d1efdd377b33c634.exe (defender.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run\03ef0a44d2c926e2d1efdd377b33c634 = "\"C:\\Windows\\defender.exe\" .." (defender.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\03ef0a44d2c926e2d1efdd377b33c634 = "\"C:\\Windows\\defender.exe\" .." (defender.exe)
- Drops file in Windows directory (1 IoC)
  Processes (description / ioc / process):
  - File created: C:\Windows\defender.exe (41FEAB5AEC2ECE21D9A72911C82AE177.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege, 1164, defender.exe
  - Token: 33, 1164, defender.exe (15 occurrences)
  - Token: SeIncBasePriorityPrivilege, 1164, defender.exe (15 occurrences, alternating with the Token: 33 entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description / pid / process / target process):
  - PID 1648 wrote to memory of 1164, 1648, 41FEAB5AEC2ECE21D9A72911C82AE177.exe, defender.exe (4 occurrences)
  - PID 1164 wrote to memory of 1524, 1164, defender.exe, netsh.exe (4 occurrences)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\41FEAB5AEC2ECE21D9A72911C82AE177.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\41FEAB5AEC2ECE21D9A72911C82AE177.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\defender.exe
    Command line: "C:\Windows\defender.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Windows\defender.exe" "defender.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\defender.exe
  MD5: 41feab5aec2ece21d9a72911c82ae177
  SHA1: 53ae7e16b5ee073904a2b1f95ac85acbff93c00e
  SHA256: 56ceb4578f1fdeed73868bba77e46c0bbef65c101530bcef3a9257d15ec0b456
  SHA512: cbe373277b85ad46c4fe70f990361a496e5b7152bb2ab7a868f1d37687bfc3cf5421ae894bd697c423da1c3210d412d3fd4c208f294493fb0d4d79e6a347342d
- memory/1164-55-0x0000000000000000-mapping.dmp
- memory/1164-59-0x0000000000B60000-0x0000000000B61000-memory.dmp
  Filesize: 4KB
- memory/1524-60-0x0000000000000000-mapping.dmp
- memory/1648-53-0x0000000076041000-0x0000000076043000-memory.dmp
  Filesize: 8KB
- memory/1648-54-0x00000000009F0000-0x00000000009F1000-memory.dmp
  Filesize: 4KB