Analysis
Max time kernel: 154s
Max time network: 16s
Platform: windows7_x64
Resource: win7v20210408
Submitted: 08-09-2021 09:11
Behavioral task: behavioral1
Sample: eeaeea4dd8b546df89208106c429bb3b7e9a906bab426e8a2610fe4588c320a4.exe
Resource: win7v20210408

Behavioral task: behavioral2
Sample: eeaeea4dd8b546df89208106c429bb3b7e9a906bab426e8a2610fe4588c320a4.exe
Resource: win10-en
General
Target: eeaeea4dd8b546df89208106c429bb3b7e9a906bab426e8a2610fe4588c320a4.exe
Size: 37KB
MD5: f0e1a89b03abdd826e7c90638f82bd63
SHA1: cd3134167e54900784b4cf6efcafe7bd2bc458ad
SHA256: eeaeea4dd8b546df89208106c429bb3b7e9a906bab426e8a2610fe4588c320a4
SHA512: 5274482e4cb77e0acf990d0606333d204be912738bc060e5b6b4094e6be15c02d741b92345e61c6bf090d69a253d9d586352e23f8bf571e053a71bc889719156
Malware Config
Extracted
Family: njrat
Version: im523
Botnet: HacKed
C2: 127.0.0.1,127.0.0.1:3222
Mutex: 7e2377223e3439a6407c3c6896272242
Attributes:
reg_key: 7e2377223e3439a6407c3c6896272242
splitter: |'|'|
Signatures

Executes dropped EXE (1 IoC)
Processes:
pid 1404  cheat.exe
Modifies Windows Firewall (1 TTP)

Drops startup file (2 IoCs)
Processes (cheat.exe):
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7e2377223e3439a6407c3c6896272242.exe
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7e2377223e3439a6407c3c6896272242.exe
Loads dropped DLL (1 IoC)
Processes:
pid 1848  eeaeea4dd8b546df89208106c429bb3b7e9a906bab426e8a2610fe4588c320a4.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (cheat.exe):
Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\7e2377223e3439a6407c3c6896272242 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\cheat.exe\" .."
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\7e2377223e3439a6407c3c6896272242 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\cheat.exe\" .."
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid 1404  cheat.exe  (64 identical entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
pid 1404  cheat.exe

Suspicious use of AdjustPrivilegeToken (31 IoCs)
Processes (all pid 1404, cheat.exe):
Token: SeDebugPrivilege
Token: 33 / Token: SeIncBasePriorityPrivilege  (this pair repeated 15 times, 30 entries)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
PID 1848 wrote to memory of 1404  eeaeea4dd8b546df89208106c429bb3b7e9a906bab426e8a2610fe4588c320a4.exe -> cheat.exe  (4 entries)
PID 1404 wrote to memory of 1796  cheat.exe -> netsh.exe  (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\eeaeea4dd8b546df89208106c429bb3b7e9a906bab426e8a2610fe4588c320a4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\eeaeea4dd8b546df89208106c429bb3b7e9a906bab426e8a2610fe4588c320a4.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\cheat.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\cheat.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (child of 2)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\cheat.exe" "cheat.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\cheat.exe
MD5: f0e1a89b03abdd826e7c90638f82bd63
SHA1: cd3134167e54900784b4cf6efcafe7bd2bc458ad
SHA256: eeaeea4dd8b546df89208106c429bb3b7e9a906bab426e8a2610fe4588c320a4
SHA512: 5274482e4cb77e0acf990d0606333d204be912738bc060e5b6b4094e6be15c02d741b92345e61c6bf090d69a253d9d586352e23f8bf571e053a71bc889719156

\Users\Admin\AppData\Local\Temp\cheat.exe
MD5: f0e1a89b03abdd826e7c90638f82bd63
SHA1: cd3134167e54900784b4cf6efcafe7bd2bc458ad
SHA256: eeaeea4dd8b546df89208106c429bb3b7e9a906bab426e8a2610fe4588c320a4
SHA512: 5274482e4cb77e0acf990d0606333d204be912738bc060e5b6b4094e6be15c02d741b92345e61c6bf090d69a253d9d586352e23f8bf571e053a71bc889719156

memory/1404-63-0x0000000000000000-mapping.dmp
memory/1404-67-0x0000000000C20000-0x0000000000C21000-memory.dmp  Filesize: 4KB
memory/1796-68-0x0000000000000000-mapping.dmp
memory/1848-60-0x00000000757C1000-0x00000000757C3000-memory.dmp  Filesize: 8KB
memory/1848-61-0x0000000000270000-0x0000000000271000-memory.dmp  Filesize: 4KB