Analysis
- max time kernel: 154s
- max time network: 138s
- platform: windows10_x64
- resource: win10-en
- submitted: 08-09-2021 09:11
Behavioral tasks
- behavioral1: sample eeaeea4dd8b546df89208106c429bb3b7e9a906bab426e8a2610fe4588c320a4.exe, resource win7v20210408
- behavioral2: sample eeaeea4dd8b546df89208106c429bb3b7e9a906bab426e8a2610fe4588c320a4.exe, resource win10-en (the Windows 10 x64 run detailed below)
General
- Target: eeaeea4dd8b546df89208106c429bb3b7e9a906bab426e8a2610fe4588c320a4.exe
- Size: 37KB
- MD5: f0e1a89b03abdd826e7c90638f82bd63
- SHA1: cd3134167e54900784b4cf6efcafe7bd2bc458ad
- SHA256: eeaeea4dd8b546df89208106c429bb3b7e9a906bab426e8a2610fe4588c320a4
- SHA512: 5274482e4cb77e0acf990d0606333d204be912738bc060e5b6b4094e6be15c02d741b92345e61c6bf090d69a253d9d586352e23f8bf571e053a71bc889719156
Malware Config
Extracted (field labels restored from the extractor's standard njrat layout; the export carried only the values)
- Family: njrat
- Version: im523
- Botnet (campaign ID): HacKed
- C2: 127.0.0.1,127.0.0.1:3222
- Mutex (unlabelled in the export; the same token is reused as reg_key): 7e2377223e3439a6407c3c6896272242
- reg_key: 7e2377223e3439a6407c3c6896272242
- splitter: |'|'|
Both C2 entries point at loopback (127.0.0.1, and 127.0.0.1 on TCP 3222), so in this run the implant can only reach a listener on the sandbox VM itself; the empty Network section below is consistent with that. The usable indicators from this run are therefore the host artifacts listed under Signatures: the 32-hex reg_key reused as mutex, Run value name and Startup-folder file name is build-specific, while the " .." Run-value suffix and the netsh firewall exception are behaviours worth hunting on regardless of build.
Signatures
- Executes dropped EXE (1 IoC)
  Processes: cheat.exe, PID 2184
- Modifies Windows Firewall (1 TTP)
  Corresponds to the netsh.exe child in the process tree below, which adds an "allowedprogram" exception for cheat.exe.
- Drops startup file (2 IoCs)
  cheat.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7e2377223e3439a6407c3c6896272242.exe
  cheat.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7e2377223e3439a6407c3c6896272242.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  cheat.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\7e2377223e3439a6407c3c6896272242 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\cheat.exe\" .."
  cheat.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7e2377223e3439a6407c3c6896272242 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\cheat.exe\" .."
  The value name is the reg_key from the extracted config and the data is the quoted %TEMP% path followed by a trailing " .." argument; the WOW6432Node path for the HKLM write shows that cheat.exe runs as a 32-bit process on this x64 VM.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's canned description for this signature reads "likely ransomware behaviour", but the extracted config identifies an njRAT build, a remote-access trojan, and no file encryption is recorded in this run; treat the drive enumeration as a generic indicator, not as evidence of ransomware.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: cheat.exe, PID 2184 (64 events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: cheat.exe, PID 2184
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  cheat.exe, PID 2184: Token: SeDebugPrivilege once, then 17 alternating pairs of Token: 33 and Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3172 (eeaeea4dd8b546df89208106c429bb3b7e9a906bab426e8a2610fe4588c320a4.exe) wrote to memory of PID 2184 (cheat.exe), 3 events
  PID 2184 (cheat.exe) wrote to memory of PID 2352 (netsh.exe), 3 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\eeaeea4dd8b546df89208106c429bb3b7e9a906bab426e8a2610fe4588c320a4.exe (PID 3172)
   Command line: "C:\Users\Admin\AppData\Local\Temp\eeaeea4dd8b546df89208106c429bb3b7e9a906bab426e8a2610fe4588c320a4.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\cheat.exe (PID 2184, child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\cheat.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (PID 2352, child of 2)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\cheat.exe" "cheat.exe" ENABLE
         The legacy "netsh firewall" context (superseded by "netsh advfirewall" but still accepted on Windows 10) adds a program exception that lets inbound connections reach cheat.exe. netsh being launched from SysWOW64 matches the 32-bit parent. A user-mode process invoking this command line on a freshly written %TEMP% executable is a high-signal event on its own.
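Because this run produced no network traffic, the three host artifacts above (the Run value whose data ends in " ..", the Startup-folder copy named after reg_key, and the netsh firewall exception) are what a responder can actually hunt for. The Python below is an added example and is not part of the Triage report or of any njRAT tooling: it runs three regex rules over constructed Sysmon-style events (the event shape, field names, rule names and the two benign decoy events are assumptions of this example, built from the IoCs on the page) and then correlates hits by the reg_key token and by the executable path.

```python
"""Hunt for the njRAT persistence artifacts recorded in this report.

Added example. The event shape (type / pid / target / data / cmdline) is a
constructed stand-in for Sysmon EID 13 (registry value set), EID 11 (file
create) and EID 1 (process create) records; the regexes and rule names are
this example's own, not the sandbox's.
"""
import re
from collections import defaultdict

HEX32 = r"[0-9a-f]{32}"

# Run value: name is the 32-hex reg_key, data is "<exe path>" followed by the
# trailing " .." argument seen in the report. The optional WOW6432Node covers
# the HKLM write a 32-bit process makes on x64.
RUN_NAME_RE = re.compile(
    r"\\Software\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\"
    r"(?P<key>" + HEX32 + r")$", re.IGNORECASE)
RUN_DATA_RE = re.compile(r'^"(?P<path>[^"]+\.exe)" \.\.$', re.IGNORECASE)

# Startup-folder drop named after the same reg_key.
STARTUP_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
    r"(?P<key>" + HEX32 + r")\.exe$", re.IGNORECASE)

# Legacy netsh firewall program exception, with or without a path to netsh.exe.
NETSH_RE = re.compile(
    r'^(?:[^\s"]*\\)?netsh(?:\.exe)?\s+firewall\s+add\s+allowedprogram\s+'
    r'"(?P<path>[^"]+)"\s+"[^"]+"\s+ENABLE\s*$', re.IGNORECASE)


def classify(event):
    """Return (rule, reg_key, exe_path) for a matching event, else None."""
    kind = event["type"]
    if kind == "registry_set":
        name = RUN_NAME_RE.search(event["target"])
        data = RUN_DATA_RE.match(event["data"])
        if name and data:
            return ("njrat_run_value", name["key"].lower(), data["path"].lower())
    elif kind == "file_create":
        m = STARTUP_RE.search(event["target"])
        if m:
            return ("njrat_startup_drop", m["key"].lower(), None)
    elif kind == "process_create":
        m = NETSH_RE.match(event["cmdline"])
        if m:
            return ("firewall_allow_program", None, m["path"].lower())
    return None


def hunt(events):
    """Apply the rules and correlate: a reg_key shared by the Run value and the
    Startup drop, or an exe path shared by the Run value and the netsh rule,
    ties the separate events to one implant."""
    hits, by_key, by_path = [], defaultdict(set), defaultdict(set)
    for ev in events:
        res = classify(ev)
        if res is None:
            continue
        rule, key, path = res
        hits.append((ev["pid"], rule, key, path))
        if key:
            by_key[key].add(rule)
        if path:
            by_path[path].add(rule)
    linked_keys = {k for k, r in by_key.items() if len(r) >= 2}
    linked_paths = {p for p, r in by_path.items() if len(r) >= 2}
    return hits, linked_keys, linked_paths


TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\cheat.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [  # constructed from the report's IoCs plus two benign decoys
    {"type": "file_create", "pid": 2184,
     "target": STARTUP + r"\7e2377223e3439a6407c3c6896272242.exe"},
    {"type": "registry_set", "pid": 2184,
     "target": r"HKU\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft"
               r"\Windows\CurrentVersion\Run\7e2377223e3439a6407c3c6896272242",
     "data": '"' + TEMP_EXE + '" ..'},
    {"type": "registry_set", "pid": 2184,
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
               r"\7e2377223e3439a6407c3c6896272242",
     "data": '"' + TEMP_EXE + '" ..'},
    {"type": "process_create", "pid": 2352,
     "cmdline": 'netsh firewall add allowedprogram "' + TEMP_EXE + '" "cheat.exe" ENABLE'},
    {"type": "registry_set", "pid": 900,   # benign decoy: ordinary Run value
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"type": "file_create", "pid": 901,    # benign decoy: ordinary startup shortcut
     "target": STARTUP + r"\Send to OneNote.lnk"},
]

if __name__ == "__main__":
    hits, keys, paths = hunt(SAMPLE_EVENTS)
    for h in hits:
        print(h)
    print("linked reg_key:", keys, "linked exe:", paths)
```

On the constructed events the two benign decoys are ignored, the four malicious events fire, and both correlations succeed: the reg_key links the Startup drop to the Run value, and the %TEMP% path links the Run value to the netsh exception. Feeding real Sysmon or EDR exports only requires mapping their field names onto the four keys the rules read.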
Network
(no entries in this export)
MITRE ATT&CK Matrix (ATT&CK v6)
(matrix not rendered in this export)
Downloads
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  MD5: f0e1a89b03abdd826e7c90638f82bd63
  SHA1: cd3134167e54900784b4cf6efcafe7bd2bc458ad
  SHA256: eeaeea4dd8b546df89208106c429bb3b7e9a906bab426e8a2610fe4588c320a4
  SHA512: 5274482e4cb77e0acf990d0606333d204be912738bc060e5b6b4094e6be15c02d741b92345e61c6bf090d69a253d9d586352e23f8bf571e053a71bc889719156
  All four hashes are identical to the submitted sample, so cheat.exe is a byte-for-byte copy of the original binary: the sample installs itself to %TEMP% and relaunches from there, and the Startup-folder file is expected to be the same content.
- memory/2184-116-0x0000000000000000-mapping.dmp
- memory/2184-119-0x00000000028B0000-0x00000000028B1000-memory.dmp (Filesize 4KB)
- memory/2352-120-0x0000000000000000-mapping.dmp
- memory/3172-115-0x0000000003130000-0x0000000003131000-memory.dmp (Filesize 4KB)