Analysis

max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7-en
submitted: 11-09-2021 07:02

Static task: static1
Behavioral task: behavioral1
Sample: CF75D51EC31D817017D71DBE8DEF69D443E4ECCA131E7.exe
Resource: win7-en

General

Target: CF75D51EC31D817017D71DBE8DEF69D443E4ECCA131E7.exe
Size: 398KB
MD5: 61522f3e0ff5ffcd3b70af0969ce67ff
SHA1: 055acee75181881b27e6c489b85efc530ed2a145
SHA256: cf75d51ec31d817017d71dbe8def69d443e4ecca131e70ca6252ebc455e065a2
SHA512: 650da92d3c10f8649253016c721a7c522b213342913c134303a843aedee51e10e77a6913a8fe707a26b895d606dd2d362a5eba14de25c5f90a5eee1f8f8defd8
Malware Config

Two njRAT configurations were extracted, one per second-stage payload.

Extracted (config 1, carried by Lammer.exe / Chrome.exe)
Family: njrat
Version: 0.7d
Botnet: Lammer
C2: hacktrojancy.ddns.net:1177
Mutex: d4edd1f042d4d9678bd0e6fffb41b44f
reg_key: d4edd1f042d4d9678bd0e6fffb41b44f
splitter: |'|'|

Extracted (config 2, carried by aaa.exe / Trojan.exe)
Family: njrat
Version: 0.7d
Botnet: aaa
C2: 0.tcp.ngrok.io:18926
Mutex: 25cfdc389bb9a2acd67334f0453faa4c
reg_key: 25cfdc389bb9a2acd67334f0453faa4c
splitter: |'|'|

Notes: the 32-hex-character identifier in each config is reused verbatim as the Run value name and as the Startup-folder filename (see the Signatures below), so it is a usable host indicator for this build. The first C2 is a dynamic-DNS name; the second is a shared ngrok TCP tunnel, where the port is assigned by the attacker's tunnel session and the address belongs to ngrok, so alert on the *.tcp.ngrok.io hostname pattern rather than on the resolved IP. The splitter |'|'| is the field delimiter njRAT uses inside its C2 messages.
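As an added example (not part of the sandbox report), the following Python decodes njRAT-style traffic using the two protocol facts the configs above give us: the splitter |'|'| and the C2 host:port pairs. It assumes the commonly documented njRAT outer framing of a decimal length, a NUL byte and the payload; the beacon it parses is constructed for illustration, not captured traffic, and real 0.7d builds differ in field order and count.

```python
"""Decoder for njRAT's length-prefixed, splitter-delimited messages.

Added example; not part of the sandbox report. SPLITTER and KNOWN_C2 come
from the extracted configs. The outer framing ("<decimal length>", NUL,
"<payload>") is the commonly documented njRAT framing and is an assumption
here. SAMPLE_STREAM is CONSTRUCTED, not captured traffic.
"""
import base64
from typing import List, Tuple

SPLITTER = "|'|'|"                          # from both extracted configs
KNOWN_C2 = {                                # (host, port) from the configs
    ("hacktrojancy.ddns.net", 1177),        # config 1, botnet "Lammer"
    ("0.tcp.ngrok.io", 18926),              # config 2, botnet "aaa"
}


def frame(payload: bytes) -> bytes:
    """Wrap a payload as njRAT sends it: ASCII decimal length, NUL, payload."""
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def unframe(stream: bytes) -> Tuple[List[bytes], bytes]:
    """Cut a TCP byte stream into complete messages.

    Returns (messages, leftover). leftover is either an incomplete trailing
    message that needs more bytes, or data that is not in njRAT framing.
    """
    messages: List[bytes] = []
    while True:
        nul = stream.find(b"\x00")
        if nul < 0:
            break
        head = stream[:nul]
        if not head.isdigit() or len(head) > 10:
            break                      # not a length prefix; do not guess
        length = int(head)
        body = stream[nul + 1 : nul + 1 + length]
        if len(body) < length:
            break                      # partial message, wait for more bytes
        messages.append(body)
        stream = stream[nul + 1 + length :]
    return messages, stream


def split_fields(message: bytes, splitter: str = SPLITTER) -> List[str]:
    """Split one message into fields on the configured splitter."""
    return message.decode("utf-8", "replace").split(splitter)


def maybe_b64(field: str) -> str:
    """njRAT base64-encodes some string fields; decode only when the field
    round-trips exactly, so hostnames, dates and flags are left untouched."""
    try:
        raw = base64.b64decode(field, validate=True)
        if base64.b64encode(raw).decode("ascii") == field:
            return raw.decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        pass
    return field


def parse_stream(stream: bytes) -> Tuple[List[List[str]], bytes]:
    """unframe + split_fields over a whole stream."""
    messages, leftover = unframe(stream)
    return [split_fields(m) for m in messages], leftover


def is_known_c2(host: str, port: int) -> bool:
    """Match a destination against the extracted C2s (case-insensitive host)."""
    return (host.lower(), port) in KNOWN_C2


# CONSTRUCTED registration ("ll") beacon for config 1. The victim id field is
# base64 of "<name>_<mutex>" as commonly documented; the rest is sample data.
VICTIM_ID = base64.b64encode(b"HacKed_d4edd1f042d4d9678bd0e6fffb41b44f").decode("ascii")
SAMPLE_FIELDS = ["ll", VICTIM_ID, "d4edd1f042d4d9678bd0e6fffb41b44f", "WIN7-PC",
                 "Admin", "21-09-11", "", "Win 7 Ultimate SP1 x64", "No", "0.7d"]
SAMPLE_STREAM = (frame(SPLITTER.join(SAMPLE_FIELDS).encode("utf-8"))
                 + b"12\x00partial")       # a second, incomplete message

if __name__ == "__main__":
    msgs, rest = parse_stream(SAMPLE_STREAM)
    for fields in msgs:
        print(fields[0], [maybe_b64(f) for f in fields[1:]])
    print("leftover:", rest)
```

The decoder stops rather than guesses when the bytes before the first NUL are not a decimal length, so it can be pointed at a reassembled TCP stream of unknown content; anything it returns as leftover is either a partial message or not njRAT framing at all.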
Signatures

Executes dropped EXE (5 IoCs)
  PID 1688  Lammer.exe
  PID 1964  aaa.exe
  PID 1172  NetFlix Creator.exe
  PID 1156  Trojan.exe
  PID 756   Chrome.exe

Modifies Windows Firewall (1 TTP)
  No IoC rows were captured under this signature; the triggering commands are the two netsh.exe children in the process tree below, which add firewall exceptions for Chrome.exe and Trojan.exe.

Drops startup file (4 IoCs)
  Chrome.exe  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4edd1f042d4d9678bd0e6fffb41b44f.exe
  Chrome.exe  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4edd1f042d4d9678bd0e6fffb41b44f.exe
  Trojan.exe  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\25cfdc389bb9a2acd67334f0453faa4c.exe
  Trojan.exe  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\25cfdc389bb9a2acd67334f0453faa4c.exe
  The filenames are the mutex/reg_key identifiers from the two extracted configs.

Loads dropped DLL (12 IoCs)
  PID 1088  CF75D51EC31D817017D71DBE8DEF69D443E4ECCA131E7.exe  (10 loads)
  PID 1688  Lammer.exe  (1 load)
  PID 1964  aaa.exe  (1 load)

Adds Run key to start application (2 TTPs, 4 IoCs)
  Chrome.exe  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\d4edd1f042d4d9678bd0e6fffb41b44f = "C:\Users\Admin\AppData\Local\Temp\Chrome.exe" ..
  Trojan.exe  Set value (str) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run\25cfdc389bb9a2acd67334f0453faa4c = "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" ..
  Trojan.exe  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\25cfdc389bb9a2acd67334f0453faa4c = "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" ..
  Chrome.exe  Set value (str) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run\d4edd1f042d4d9678bd0e6fffb41b44f = "C:\Users\Admin\AppData\Local\Temp\Chrome.exe" ..
  Notes: value data is shown unescaped (the raw report prints the quotes and backslashes escaped). The trailing " .." argument is the njRAT convention for launching its persisted copy and is a reliable string to hunt for in Run values. The HKLM values land under Wow6432Node because the clients are 32-bit processes on an x64 host (the same reason they spawn the SysWOW64 copy of netsh.exe). Writing HKLM at all means the sandbox ran the sample with administrative rights as user "Admin"; on a standard-user host only the HKCU values would be set.

Enumerates physical storage devices (1 TTP)
  Sandbox description: "Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour." That description is the sandbox's generic text for this signature; njRAT enumerates removable drives for its USB-spreading feature, so on its own this is not evidence of ransomware.

Suspicious use of AdjustPrivilegeToken (62 IoCs)
  Chrome.exe (PID 756) and Trojan.exe (PID 1156) each enable SeDebugPrivilege once. The remaining 60 entries are repeated pairs of privilege LUID 33 (SeIncreaseWorkingSetPrivilege, which the sandbox shows as the raw number because it did not resolve the name) and SeIncBasePriorityPrivilege, alternating between the two processes.

Suspicious use of WriteProcessMemory (28 IoCs)
  Seven parent -> child relationships, each logged four times (28 entries):
  PID 1088 CF75D51EC31D817017D71DBE8DEF69D443E4ECCA131E7.exe -> PID 1688 Lammer.exe
  PID 1088 CF75D51EC31D817017D71DBE8DEF69D443E4ECCA131E7.exe -> PID 1964 aaa.exe
  PID 1088 CF75D51EC31D817017D71DBE8DEF69D443E4ECCA131E7.exe -> PID 1172 NetFlix Creator.exe
  PID 1688 Lammer.exe -> PID 756 Chrome.exe
  PID 1964 aaa.exe -> PID 1156 Trojan.exe
  PID 1156 Trojan.exe -> PID 1744 netsh.exe
  PID 756 Chrome.exe -> PID 1992 netsh.exe
  Note: every write is from a parent into a process it has just created, which is the normal CreateProcess start-up pattern on this sandbox; it is not evidence of injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\CF75D51EC31D817017D71DBE8DEF69D443E4ECCA131E7.exe  (PID 1088, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\CF75D51EC31D817017D71DBE8DEF69D443E4ECCA131E7.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Lammer.exe  (PID 1688, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Lammer.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Chrome.exe  (PID 756, depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Chrome.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\netsh.exe  (PID 1992, depth 4)
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Chrome.exe" "Chrome.exe" ENABLE

  C:\Users\Admin\AppData\Local\Temp\aaa.exe  (PID 1964, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\aaa.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Trojan.exe  (PID 1156, depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\netsh.exe  (PID 1744, depth 4)
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE

  C:\Users\Admin\AppData\Local\Temp\NetFlix Creator.exe  (PID 1172, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\NetFlix Creator.exe"
    - Executes dropped EXE

Summary of the tree: the submitted file is a bundler that drops three executables to %TEMP%. Lammer.exe and aaa.exe are each a stager that drops and runs one njRAT client: Chrome.exe (a name chosen to blend in) carries config 1 and Trojan.exe carries config 2, as the matching mutex/reg_key values in the Run keys and Startup files show. Each client immediately adds itself to the firewall through the legacy "netsh firewall" context, which is deprecated but still functional on Windows 7. NetFlix Creator.exe (PID 1172) is the likely decoy/lure and shows no further activity in this run.
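Added hunting example, not sandbox output: it replays the persistence and firewall IoCs above as simplified host events (constructed to mirror the report's rows, plus two benign decoys) and flags the three tells this run exhibits: a netsh firewall exception for a binary under %TEMP%, a Run value whose data is "<quoted path>" .., and a Startup-folder file named <32 hex chars>.exe that reuses the Run value name. The event dict fields (type, pid, image, cmdline, key, data, path) are this example's own stand-in for Sysmon events 1, 13 and 11, not Sysmon's schema; the rule names are likewise invented here.

```python
"""Score host events for the njRAT persistence pattern seen in this report.

Added example; not part of the sandbox output. SAMPLE_EVENTS is CONSTRUCTED
from the report's IoCs (value data unescaped) plus two benign decoys. The
event field names and rule names are this example's own assumptions.
"""
import re
from typing import Dict, List

HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
NJRAT_RUN_DATA = re.compile(r'^"([^"]+)" \.\.$')          # "C:\...\X.exe" ..
NETSH_ALLOW = re.compile(r'firewall\s+add\s+allowedprogram\s+"([^"]+)"', re.I)


def score_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per matched rule; correlation runs after the pass."""
    findings: List[Dict[str, str]] = []
    run_ids: Dict[str, str] = {}      # 32-hex Run value name -> value data
    startup_ids: Dict[str, str] = {}  # 32-hex Startup file stem -> path
    for ev in events:
        kind = ev.get("type", "")
        if kind == "process" and ev.get("image", "").lower().endswith("\\netsh.exe"):
            m = NETSH_ALLOW.search(ev.get("cmdline", ""))
            if m and TEMP_DIR.search(m.group(1)):
                findings.append({"rule": "netsh_allow_temp",
                                 "pid": ev.get("pid", ""), "detail": m.group(1)})
        elif kind == "registry":
            m = RUN_KEY.search(ev.get("key", ""))
            if not m:
                continue
            name, data = m.group(1), ev.get("data", "")
            d = NJRAT_RUN_DATA.match(data)
            if d:
                findings.append({"rule": "run_value_dotdot", "pid": ev.get("pid", ""),
                                 "detail": f"{name} -> {d.group(1)}"})
            if HEX32.match(name):
                run_ids[name.lower()] = data
        elif kind == "file" and STARTUP_DIR.search(ev.get("path", "")):
            stem = ev["path"].rsplit("\\", 1)[-1]
            if stem.lower().endswith(".exe"):
                stem = stem[:-4]
            if HEX32.match(stem):
                startup_ids[stem.lower()] = ev["path"]
    # Correlation: the same identifier used as Run value name and Startup filename.
    for ident in sorted(set(run_ids) & set(startup_ids)):
        findings.append({"rule": "njrat_persistence_pair", "pid": "", "detail": ident})
    return findings


SID = r"S-1-5-21-1669990088-476967504-438132596-1000"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [  # CONSTRUCTED from the report's IoCs, plus decoys
    {"type": "process", "pid": "1992", "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Chrome.exe" "Chrome.exe" ENABLE'},
    {"type": "process", "pid": "2200", "image": r"C:\Windows\System32\netsh.exe",   # decoy: not %TEMP%
     "cmdline": r'netsh firewall add allowedprogram "C:\Program Files\Vendor\agent.exe" "Agent" ENABLE'},
    {"type": "registry", "pid": "756",
     "key": r"\REGISTRY\USER\%s\Software\Microsoft\Windows\CurrentVersion\Run\d4edd1f042d4d9678bd0e6fffb41b44f" % SID,
     "data": r'"C:\Users\Admin\AppData\Local\Temp\Chrome.exe" ..'},
    {"type": "registry", "pid": "1156",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\25cfdc389bb9a2acd67334f0453faa4c",
     "data": r'"C:\Users\Admin\AppData\Local\Temp\Trojan.exe" ..'},
    {"type": "registry", "pid": "900",                                               # decoy: ordinary Run value
     "key": r"\REGISTRY\USER\%s\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive" % SID,
     "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"type": "file", "pid": "756", "path": STARTUP + r"\d4edd1f042d4d9678bd0e6fffb41b44f.exe"},
    {"type": "file", "pid": "1156", "path": STARTUP + r"\25cfdc389bb9a2acd67334f0453faa4c.exe"},
]

if __name__ == "__main__":
    for f in score_events(SAMPLE_EVENTS):
        print(f["rule"], f["pid"], f["detail"])
```

The single-rule hits are worth an alert on their own (a Temp-resident binary asking for a firewall exception is rarely legitimate), while the pair rule is the high-confidence one because it ties two independent persistence artefacts to the same identifier, exactly as the report shows for both clients.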
Network
MITRE ATT&CK Enterprise v6
Downloads

No file names or paths survive for these entries; 22 entries remain, covering three distinct files. Each file is listed once with the number of entries that carried its hashes. None of the three is the submitted sample itself (its SHA256 is cf75d51ec31d817017d71dbe8def69d443e4ecca131e70ca6252ebc455e065a2).

File 1 (8 entries)
MD5: 01ac12dcf50810001019cd6b1dfa0d9f
SHA1: 76b0213514cccebff4c5202cad1f6b0e21992db7
SHA256: 4de7225c68600683c3315e42335deca4e05b2b1e94ad1f5f00a730eb7c7c0f01
SHA512: 48074f500404e35f92e869d0e74e92865fa51b1bd6f382939cb2da7a37f69afc7d1811e7612cbef64e551b232de6abca61c6f43e30ad1724ffe483468b7818fa

File 2 (6 entries)
MD5: 116a916ff39ebc0daf9d91e036894527
SHA1: a0a8141606bba86eba2049a3a52d9e26aa0df606
SHA256: b9d7e49ef7f5d2bcccebf1640f47772e6dae4f687517f319759720f012ca81b6
SHA512: 0ad2dcbc58bc04dc2b1127c9d2565752ad5f96368e96efa76c7878d5610884cfada98fbc3ce7b7f04f2155f1da591bf2da8c7524c5d8b85d977fb30ef1b510f1

File 3 (8 entries)
MD5: b5742eabacc2885b792bbaea9090f44f
SHA1: a600b268146c6573ccb052fd05ec45bf4825d7d6
SHA256: c367adcbc8da11bbab12771824543f78d842efa423ce03745598cf6ff9b411a6
SHA512: c76b9a8b7d16d42ab23b6487efafb3a2b3e6cd5155dc6ad8283f786429b752d84317652fa55275f52fc94344135d525e2c3ebad2920cf7328e361cc663ef2174