Analysis
- max time kernel: 151s
- max time network: 148s
- platform: windows10_x64
- resource: win10-en
- submitted: 12-09-2021 17:16
Behavioral tasks
- behavioral1: Sample F398959491EFE9874D198FFDD7F1575439FC4DB53E820.exe, Resource win7v20210408
- behavioral2: Sample F398959491EFE9874D198FFDD7F1575439FC4DB53E820.exe, Resource win10-en
General
- Target: F398959491EFE9874D198FFDD7F1575439FC4DB53E820.exe
- Size: 37KB
- MD5: 32553936e98e9f13c1f32d467077fd38
- SHA1: 15e613343b191b07dd5deb44bbf732b8d9146cb4
- SHA256: f398959491efe9874d198ffdd7f1575439fc4db53e82063824ebb9af158ac7db
- SHA512: db5752e8950df2da06bb078944e2454c84d0480b9e059fca013edac38c4b188acb7b473e9da07d16b4a959bf78fbf1b4f04dfb6f73f4e22d8dc90d529e61e16a
Malware Config
Extracted
- Family: njrat
- Version: im523
- Botnet: HacKed
- C2: 2.tcp.ngrok.io:13564
- Mutex: 5e872b01dd468d43dc0ebbdd5345346e
- Attributes:
  - reg_key: 5e872b01dd468d43dc0ebbdd5345346e
  - splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process): 4540 diskord.exe
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5e872b01dd468d43dc0ebbdd5345346e.exe (diskord.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5e872b01dd468d43dc0ebbdd5345346e.exe (diskord.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\5e872b01dd468d43dc0ebbdd5345346e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\diskord.exe\" .." (diskord.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5e872b01dd468d43dc0ebbdd5345346e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\diskord.exe\" .." (diskord.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process): 4540 diskord.exe, 64 events
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid, process): 4540 diskord.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes (description, pid, process): diskord.exe (pid 4540) requested Token: SeDebugPrivilege once, followed by Token: 33 and Token: SeIncBasePriorityPrivilege alternating, 17 times each
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
  - PID 4472 wrote to memory of 4540: F398959491EFE9874D198FFDD7F1575439FC4DB53E820.exe -> diskord.exe, 3 events
  - PID 4540 wrote to memory of 4588: diskord.exe -> netsh.exe, 3 events
Processes
- C:\Users\Admin\AppData\Local\Temp\F398959491EFE9874D198FFDD7F1575439FC4DB53E820.exe (pid 4472)
  Command line: "C:\Users\Admin\AppData\Local\Temp\F398959491EFE9874D198FFDD7F1575439FC4DB53E820.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\diskord.exe (pid 4540)
    Command line: "C:\Users\Admin\AppData\Local\Temp\diskord.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (pid 4588)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\diskord.exe" "diskord.exe" ENABLE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\diskord.exe
  MD5: 32553936e98e9f13c1f32d467077fd38
  SHA1: 15e613343b191b07dd5deb44bbf732b8d9146cb4
  SHA256: f398959491efe9874d198ffdd7f1575439fc4db53e82063824ebb9af158ac7db
  SHA512: db5752e8950df2da06bb078944e2454c84d0480b9e059fca013edac38c4b188acb7b473e9da07d16b4a959bf78fbf1b4f04dfb6f73f4e22d8dc90d529e61e16a
- memory/4472-115-0x00000000030A0000-0x00000000030A1000-memory.dmp (Filesize 4KB)
- memory/4540-116-0x0000000000000000-mapping.dmp
- memory/4540-119-0x0000000002620000-0x0000000002621000-memory.dmp (Filesize 4KB)
- memory/4588-120-0x0000000000000000-mapping.dmp