Analysis
Max time kernel: 152s
Max time network: 171s
Platform: windows7_x64
Resource: win7v20210408
Submitted: 10-09-2021 12:36
Static task: static1
Behavioral task: behavioral1 (sample 4.ex.exe, resource win7v20210408)
Behavioral task: behavioral2 (sample 4.ex.exe, resource win10-en)
The signatures, process tree and downloads below are from behavioral1 (Windows 7 x64).
General
Target: 4.ex.exe
Size: 23KB
MD5: 5a5913f5e716b5e77308de165ec9cad2
SHA1: 475542ce79804f08f5e46127228b48cf95d08786
SHA256: cb002303aebb1d369d369c47c96a27ee5d6597ed6cf7693ad633f573da25f4cd
SHA512: 3e77b4cd2e7380ab3fbd61f432613c3ace3583e88d21deae14c409f20bd2fca84f2054e3cfd91ca75ecbf99829398d322425e978fa02d99c424a1d2057ae3ff5
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet (campaign name): System Exporer (sic; the misspelling is the operator's and is reused as the dropped file name)
C2: subscribedao3001.hopto.org:3001
Mutex: ab812c7bd0447f8878bc9c41022ce9f9
reg_key: ab812c7bd0447f8878bc9c41022ce9f9
splitter: |'|'|
The 32-hex-character value serves as mutex name, Run value name and startup file name, so it is the single most specific host indicator for this build; the C2 is a dynamic DNS host (hopto.org), so the port and the hostname pattern matter more than the resolved IP.
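The extracted config above is enough to derive the host artifacts the report later observes (Run value name, startup copy, install path, the netsh exception) and to tokenize C2 traffic on the configured splitter. The following Python is an added example, not part of the sandbox report or of any njRAT tooling. The length-prefixed frame format in split_frames is an assumption taken from njRAT's usual wire format (this report contains no packet capture), and the sample stream is constructed with placeholder field contents.

```python
import ntpath

# Values copied from the "Malware Config" section of this report.
CONFIG = {
    "family": "njrat",
    "version": "0.7d",
    "campaign": "System Exporer",           # also the base name of the dropped copy
    "c2": "subscribedao3001.hopto.org:3001",
    "reg_key": "ab812c7bd0447f8878bc9c41022ce9f9",
    "splitter": "|'|'|",
}

STARTUP_DIR = r"AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"


def derive_iocs(cfg: dict, user: str = "Admin") -> dict:
    """Turn the config into the concrete artifacts to hunt for on a host.

    The layout (install copy directly in C:\\Windows, Run value named after
    reg_key, startup copy named <reg_key>.exe, netsh exception for the
    install copy) is what the report's signatures show for this sample.
    """
    host, port = cfg["c2"].rsplit(":", 1)
    exe_name = cfg["campaign"] + ".exe"
    install = ntpath.join(r"C:\Windows", exe_name)
    return {
        "c2_host": host,
        "c2_port": int(port),
        "install_path": install,
        "startup_file": ntpath.join(r"C:\Users", user, STARTUP_DIR, cfg["reg_key"] + ".exe"),
        "run_value_name": cfg["reg_key"],
        "run_value_data": f'"{install}" ..',   # the trailing " .." argument is visible in the report
        "netsh_cmdline": f'netsh firewall add allowedprogram "{install}" "{exe_name}" ENABLE',
    }


def split_frames(stream: bytes) -> list:
    """Cut a byte stream into frames.

    ASSUMPTION: each frame is an ASCII decimal length, a NUL byte, then that
    many payload bytes (njRAT's usual framing; not shown in this report).
    """
    frames = []
    pos = 0
    while pos < len(stream):
        nul = stream.index(b"\x00", pos)
        length = int(stream[pos:nul])
        start = nul + 1
        if start + length > len(stream):
            raise ValueError("truncated frame")
        frames.append(stream[start:start + length])
        pos = start + length
    return frames


def parse_message(frame: bytes, splitter: str = CONFIG["splitter"]) -> dict:
    """Split one frame on the configured splitter; the first field is the
    command token, the remaining fields are its arguments."""
    fields = frame.decode("utf-8", errors="replace").split(splitter)
    return {"command": fields[0], "args": fields[1:]}


# Constructed sample stream with two frames; field contents are placeholders.
SAMPLE_STREAM = b"26\x00ll|'|'|field-a|'|'|field-b" + b"9\x00inf|'|'|x"


if __name__ == "__main__":
    for key, value in derive_iocs(CONFIG).items():
        print(f"{key:15} {value}")
    for frame in split_frames(SAMPLE_STREAM):
        print(parse_message(frame))
```

derive_iocs takes the user name as a parameter because the report's paths are for the sandbox's "Admin" profile; on a real host, run it once per profile under C:\Users. The splitter is configurable per build, so parse_message reads it from the config rather than hard-coding |'|'|.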
Signatures

Executes dropped EXE (1 IoC)
- PID 1232: System Exporer.exe

Modifies Windows Firewall (1 TTP)
- See the netsh.exe command in the process tree: it adds a legacy-context firewall exception for C:\Windows\System Exporer.exe.

Drops startup file (2 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ab812c7bd0447f8878bc9c41022ce9f9.exe (by System Exporer.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ab812c7bd0447f8878bc9c41022ce9f9.exe (by System Exporer.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ab812c7bd0447f8878bc9c41022ce9f9 = "\"C:\\Windows\\System Exporer.exe\" .." (by System Exporer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ab812c7bd0447f8878bc9c41022ce9f9 = "\"C:\\Windows\\System Exporer.exe\" .." (by System Exporer.exe)
- The first value is the current user's Run key; the second is HKLM\...\Run as seen by a 32-bit process under WOW64 redirection. A successful HKLM write, like the file drop into C:\Windows, means the sample ran with administrative rights in this sandbox. The quoted path followed by a " .." argument is the same in both values and is a usable detection string.

Drops file in Windows directory (1 IoC)
- File created: C:\Windows\System Exporer.exe (by 4.ex.exe)

Enumerates physical storage devices (1 TTP)
- Attempts to interact with connected storage/optical drive(s). The signature's generic description calls this "likely ransomware behaviour"; nothing else in this report (no mass file modification, no encryption-related activity) supports that reading for this sample.

Suspicious use of AdjustPrivilegeToken (31 IoCs)
- PID 1232 (System Exporer.exe): Token: SeDebugPrivilege once, then Token: 33 and Token: SeIncBasePriorityPrivilege alternating, 15 times each.
- "33" is the privilege LUID the sandbox did not resolve to a name; in winnt.h, LUID 33 is SeIncreaseWorkingSetPrivilege.

Suspicious use of WriteProcessMemory (8 IoCs)
- PID 1640 (4.ex.exe) wrote to memory of PID 1232 (System Exporer.exe): 4 times
- PID 1232 (System Exporer.exe) wrote to memory of PID 1212 (netsh.exe): 4 times
- Both pairs are parent writing into a child it has just created (see the process tree), which is consistent with ordinary process start-up rather than code injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\4.ex.exe (PID 1640)
   Command line: "C:\Users\Admin\AppData\Local\Temp\4.ex.exe"
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System Exporer.exe (PID 1232, child of 1640)
      Command line: "C:\Windows\System Exporer.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (PID 1212, child of 1232)
         Command line: netsh firewall add allowedprogram "C:\Windows\System Exporer.exe" "System Exporer.exe" ENABLE
PIDs are taken from the signature entries above. netsh.exe is launched from SysWOW64, so the implant is a 32-bit process on the x64 sandbox, which is why its HKLM Run value lands under Wow6432Node. The "netsh firewall" context is the deprecated pre-Vista syntax; on Windows 7 it still creates the exception.
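The chain in the process tree (drop a copy directly into C:\Windows, launch it, write a hex-named Run value and startup file, add a netsh firewall exception) can be detected without knowing the config. The following Python is an added example, not part of the report; it uses a constructed event list in its own simplified schema (the event/pid/ppid/image/cmdline/key/name/data/path field names are this example's, not Sysmon's XML) that mirrors the report's entries plus one benign Run value as noise, and it correlates per-event rule hits up to the root of each process tree.

```python
import ntpath
import re
from collections import defaultdict

HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# An .exe directly in C:\Windows (not in a subdirectory), optionally quoted.
WIN_ROOT_EXE = re.compile(r'^"?C:\\Windows\\[^\\"]+\.exe"?', re.I)

# Constructed events (this example's own schema) mirroring the report's
# process tree and signatures, plus one benign Run value as noise.
EVENTS = [
    {"event": "process", "pid": 1640, "ppid": 900,
     "image": r"C:\Users\Admin\AppData\Local\Temp\4.ex.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\4.ex.exe"'},
    {"event": "file", "pid": 1640, "path": r"C:\Windows\System Exporer.exe"},
    {"event": "process", "pid": 1232, "ppid": 1640,
     "image": r"C:\Windows\System Exporer.exe",
     "cmdline": r'"C:\Windows\System Exporer.exe"'},
    {"event": "file", "pid": 1232,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ab812c7bd0447f8878bc9c41022ce9f9.exe"},
    {"event": "registry", "pid": 1232,
     "key": r"\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "ab812c7bd0447f8878bc9c41022ce9f9",
     "data": r'"C:\Windows\System Exporer.exe" ..'},
    {"event": "process", "pid": 1212, "ppid": 1232,
     "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Windows\System Exporer.exe" "System Exporer.exe" ENABLE'},
    {"event": "registry", "pid": 2000,   # benign noise: an ordinary per-user Run value
     "key": r"\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive",
     "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]


def rule_hits(ev: dict) -> list:
    """Per-event rules; each returns a stable tag so trees can be compared."""
    hits = []
    kind = ev["event"]
    if kind == "registry" and RUN_KEY.search(ev["key"]):
        if HEX32.match(ev["name"]):
            hits.append("run_value_named_by_hex32")
        if WIN_ROOT_EXE.match(ev["data"]) and ev["data"].rstrip().endswith(" .."):
            hits.append("run_value_windows_root_exe_dotdot")
    elif kind == "file":
        stem = ntpath.splitext(ntpath.basename(ev["path"]))[0]
        if STARTUP_DIR.search(ev["path"]) and HEX32.match(stem):
            hits.append("startup_file_hex32")
        if WIN_ROOT_EXE.match(ev["path"]):
            hits.append("exe_dropped_in_windows_root")
    elif kind == "process":
        cmd = ev["cmdline"].lower()
        if (ntpath.basename(ev["image"]).lower() == "netsh.exe"
                and "firewall" in cmd and "allowedprogram" in cmd):
            hits.append("netsh_firewall_allowedprogram")
    return hits


def correlate(events: list, min_rules: int = 2) -> dict:
    """Attribute every hit to the root of its process tree and alert on trees
    that trip at least `min_rules` distinct rules. Returns {root_pid: [tags]}."""
    parent = {e["pid"]: e["ppid"] for e in events if e["event"] == "process"}

    def root(pid):
        # Climb while the parent was itself observed starting in this log.
        while parent.get(pid) in parent:
            pid = parent[pid]
        return pid

    trees = defaultdict(set)
    for ev in events:
        for tag in rule_hits(ev):
            trees[root(ev["pid"])].add(tag)
    return {r: sorted(tags) for r, tags in trees.items() if len(tags) >= min_rules}


if __name__ == "__main__":
    for root_pid, tags in correlate(EVENTS).items():
        print(f"process tree rooted at PID {root_pid}: {', '.join(tags)}")
```

Requiring two distinct rules per tree keeps a lone Run value or a lone netsh call from alerting on its own; in this report's chain all five rules fire under the tree rooted at 4.ex.exe (PID 1640), while the benign OneDrive value trips none.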
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\System Exporer.exe
  MD5: 5a5913f5e716b5e77308de165ec9cad2
  SHA1: 475542ce79804f08f5e46127228b48cf95d08786
  SHA256: cb002303aebb1d369d369c47c96a27ee5d6597ed6cf7693ad633f573da25f4cd
  SHA512: 3e77b4cd2e7380ab3fbd61f432613c3ace3583e88d21deae14c409f20bd2fca84f2054e3cfd91ca75ecbf99829398d322425e978fa02d99c424a1d2057ae3ff5
  These hashes are identical to the submitted 4.ex.exe, so the dropped file is a byte-for-byte copy of the sample; the file hashes above cover both.
- memory/1212-67-0x0000000000000000-mapping.dmp
- memory/1232-62-0x0000000000000000-mapping.dmp
- memory/1232-66-0x0000000000530000-0x0000000000531000-memory.dmp (4KB)
- memory/1640-60-0x0000000075041000-0x0000000075043000-memory.dmp (8KB)
- memory/1640-61-0x0000000000A00000-0x0000000000A01000-memory.dmp (4KB)