Analysis
max time kernel: 153s
max time network: 180s
platform: windows7_x64
resource: win7v20210408
submitted: 12-09-2021 17:16
Behavioral task: behavioral1
Sample: F398959491EFE9874D198FFDD7F1575439FC4DB53E820.exe
Resource: win7v20210408
Behavioral task: behavioral2
Sample: F398959491EFE9874D198FFDD7F1575439FC4DB53E820.exe
Resource: win10-en
General
Target: F398959491EFE9874D198FFDD7F1575439FC4DB53E820.exe
Size: 37KB
MD5: 32553936e98e9f13c1f32d467077fd38
SHA1: 15e613343b191b07dd5deb44bbf732b8d9146cb4
SHA256: f398959491efe9874d198ffdd7f1575439fc4db53e82063824ebb9af158ac7db
SHA512: db5752e8950df2da06bb078944e2454c84d0480b9e059fca013edac38c4b188acb7b473e9da07d16b4a959bf78fbf1b4f04dfb6f73f4e22d8dc90d529e61e16a
Malware Config
Extracted
Family: njrat
Version: im523
Botnet: HacKed
C2: 2.tcp.ngrok.io:13564
Mutex: 5e872b01dd468d43dc0ebbdd5345346e
reg_key: 5e872b01dd468d43dc0ebbdd5345346e
splitter: |'|'|
Signatures
Executes dropped EXE (1 IoC)
Processes: diskord.exe (pid 1460)
Modifies Windows Firewall (1 TTP)
Drops startup file (2 IoCs)
Processes: diskord.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5e872b01dd468d43dc0ebbdd5345346e.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5e872b01dd468d43dc0ebbdd5345346e.exe
Loads dropped DLL (1 IoC)
Processes: F398959491EFE9874D198FFDD7F1575439FC4DB53E820.exe (pid 1812)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: diskord.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\5e872b01dd468d43dc0ebbdd5345346e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\diskord.exe\" .."
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5e872b01dd468d43dc0ebbdd5345346e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\diskord.exe\" .."
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: diskord.exe (pid 1460), 64 identical entries
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: diskord.exe (pid 1460)
Suspicious use of AdjustPrivilegeToken (31 IoCs)
Processes: diskord.exe (pid 1460)
  Token: SeDebugPrivilege (once), followed by alternating Token: 33 and Token: SeIncBasePriorityPrivilege entries (31 entries in total)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  PID 1812 (F398959491EFE9874D198FFDD7F1575439FC4DB53E820.exe) wrote to memory of 1460 (diskord.exe), 4 entries
  PID 1460 (diskord.exe) wrote to memory of 316 (netsh.exe), 4 entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\F398959491EFE9874D198FFDD7F1575439FC4DB53E820.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\F398959491EFE9874D198FFDD7F1575439FC4DB53E820.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\diskord.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\diskord.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\diskord.exe" "diskord.exe" ENABLE
Downloads
C:\Users\Admin\AppData\Local\Temp\diskord.exe
MD5: 32553936e98e9f13c1f32d467077fd38
SHA1: 15e613343b191b07dd5deb44bbf732b8d9146cb4
SHA256: f398959491efe9874d198ffdd7f1575439fc4db53e82063824ebb9af158ac7db
SHA512: db5752e8950df2da06bb078944e2454c84d0480b9e059fca013edac38c4b188acb7b473e9da07d16b4a959bf78fbf1b4f04dfb6f73f4e22d8dc90d529e61e16a
memory/316-68-0x0000000000000000-mapping.dmp
memory/1460-63-0x0000000000000000-mapping.dmp
memory/1460-67-0x0000000000D40000-0x0000000000D41000-memory.dmp (Filesize: 4KB)
memory/1812-60-0x0000000075801000-0x0000000075803000-memory.dmp (Filesize: 8KB)
memory/1812-61-0x00000000000F0000-0x00000000000F1000-memory.dmp (Filesize: 4KB)