Analysis
- max time kernel: 149s
- max time network: 192s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 07-09-2021 06:11
Behavioral task: behavioral1
- Sample: a12e6089b9cd7c82c569c23f9f9bae41bd9b8838f6f901897346d27d6e3fa2ec.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: a12e6089b9cd7c82c569c23f9f9bae41bd9b8838f6f901897346d27d6e3fa2ec.exe
- Resource: win10-en
General
- Target: a12e6089b9cd7c82c569c23f9f9bae41bd9b8838f6f901897346d27d6e3fa2ec.exe
- Size: 23KB
- MD5: 699ed9143001593010fcc6414b7a6379
- SHA1: f07754021510d3bb3f4e204b61a9ca422d814745
- SHA256: a12e6089b9cd7c82c569c23f9f9bae41bd9b8838f6f901897346d27d6e3fa2ec
- SHA512: aa4dba3b71885cc5457afb45e39fb164d4ffdcaa48bc91291925e44dc90b32258e4f656f4070f7e146a001eae021c51dfd6a414a15e906b7d58651d032e6454b
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: maximus99.ddns.net:5555
- Mutex: cf7791e53cf2a759416f6396dcf7bd6a
- reg_key: cf7791e53cf2a759416f6396dcf7bd6a
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    580 | Explerer.exe
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Processes (description | ioc | process):
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cf7791e53cf2a759416f6396dcf7bd6a.exe | Explerer.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cf7791e53cf2a759416f6396dcf7bd6a.exe | Explerer.exe
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
    1984 | a12e6089b9cd7c82c569c23f9f9bae41bd9b8838f6f901897346d27d6e3fa2ec.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\cf7791e53cf2a759416f6396dcf7bd6a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Explerer.exe\" .." | Explerer.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cf7791e53cf2a759416f6396dcf7bd6a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Explerer.exe\" .." | Explerer.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 580 | Explerer.exe
    Token: 33 | 580 | Explerer.exe
    Token: SeIncBasePriorityPrivilege | 580 | Explerer.exe
    (the last two entries alternate for the remaining IoCs; all 31 come from pid 580, Explerer.exe)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description | pid | process | target process):
    PID 1984 wrote to memory of 580 | 1984 | a12e6089b9cd7c82c569c23f9f9bae41bd9b8838f6f901897346d27d6e3fa2ec.exe | Explerer.exe  (listed 4 times)
    PID 580 wrote to memory of 1464 | 580 | Explerer.exe | netsh.exe  (listed 4 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\a12e6089b9cd7c82c569c23f9f9bae41bd9b8838f6f901897346d27d6e3fa2ec.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a12e6089b9cd7c82c569c23f9f9bae41bd9b8838f6f901897346d27d6e3fa2ec.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Explerer.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Explerer.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (child of 2)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Explerer.exe" "Explerer.exe" ENABLE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\Explerer.exe
  MD5: 699ed9143001593010fcc6414b7a6379
  SHA1: f07754021510d3bb3f4e204b61a9ca422d814745
  SHA256: a12e6089b9cd7c82c569c23f9f9bae41bd9b8838f6f901897346d27d6e3fa2ec
  SHA512: aa4dba3b71885cc5457afb45e39fb164d4ffdcaa48bc91291925e44dc90b32258e4f656f4070f7e146a001eae021c51dfd6a414a15e906b7d58651d032e6454b
- C:\Users\Admin\AppData\Local\Temp\Explerer.exe
  MD5: 699ed9143001593010fcc6414b7a6379
  SHA1: f07754021510d3bb3f4e204b61a9ca422d814745
  SHA256: a12e6089b9cd7c82c569c23f9f9bae41bd9b8838f6f901897346d27d6e3fa2ec
  SHA512: aa4dba3b71885cc5457afb45e39fb164d4ffdcaa48bc91291925e44dc90b32258e4f656f4070f7e146a001eae021c51dfd6a414a15e906b7d58651d032e6454b
- \Users\Admin\AppData\Local\Temp\Explerer.exe
  MD5: 699ed9143001593010fcc6414b7a6379
  SHA1: f07754021510d3bb3f4e204b61a9ca422d814745
  SHA256: a12e6089b9cd7c82c569c23f9f9bae41bd9b8838f6f901897346d27d6e3fa2ec
  SHA512: aa4dba3b71885cc5457afb45e39fb164d4ffdcaa48bc91291925e44dc90b32258e4f656f4070f7e146a001eae021c51dfd6a414a15e906b7d58651d032e6454b
- memory/580-62-0x0000000000000000-mapping.dmp
- memory/580-66-0x00000000008C0000-0x00000000008C1000-memory.dmp
  Filesize: 4KB
- memory/1464-67-0x0000000000000000-mapping.dmp
- memory/1984-59-0x00000000767B1000-0x00000000767B3000-memory.dmp
  Filesize: 8KB
- memory/1984-60-0x00000000022E0000-0x00000000022E1000-memory.dmp
  Filesize: 4KB