Analysis
  max time kernel: 151s
  max time network: 152s
  platform: windows10_x64
  resource: win10-en
  submitted: 14-09-2021 21:14
Tasks
  static1 (Static task)
  behavioral1 (Behavioral task): sample 3D8B03DD0D32E8B35E85D8F3FE30C4DF806607B506C46.exe, resource win7-en
  behavioral2 (Behavioral task): sample 3D8B03DD0D32E8B35E85D8F3FE30C4DF806607B506C46.exe, resource win10-en
General
  Target: 3D8B03DD0D32E8B35E85D8F3FE30C4DF806607B506C46.exe
  Size: 254KB
  MD5: 0a8eb56e089d298f7dab780b3218e504
  SHA1: 5963b1eb8243672225721ee5ce897eae2c748f8f
  SHA256: 3d8b03dd0d32e8b35e85d8f3fe30c4df806607b506c465c35ca66c2e93ae489d
  SHA512: b650775cf304a323e22cdeee3da91acb10bc80a9f7d6e4e913c7f5d5cfe9c0533e89ae8af3a0338813e4439841f01dd7c6a5729d83a4034bacf89ea39cd3a066
Malware Config
  Extracted
    Family: njrat
    Version: 0.7d
    Botnet (campaign ID): HacKed
    C2: fr3onhoms.ddns.net:5552
    Mutex: 39142952441e8c6dd1c68259493b5832
    Attributes
      reg_key: 39142952441e8c6dd1c68259493b5832
      splitter: |'|'|
  Notes: the C2 is a dynamic-DNS hostname on TCP 5552, njRAT's default listener port, so the address it resolves to can change between detonations; block or alert on the hostname rather than on a resolved IP. The same 32-hex-character value is used as mutex, as the Run-key value name and as the Startup-folder filename (see Signatures), which makes it a strong host IoC for this build.
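The splitter and C2 above are enough to recognise this family's traffic on the wire. The following Python is an added example, not part of the sandbox report: it frames and parses njRAT-style messages using the extracted splitter, host, port and campaign ID. The length framing (ASCII decimal byte count, a NUL byte, then the UTF-8 payload) and the "ll" registration command are assumptions about njRAT 0.7d that the report does not state, and the sample stream is constructed, not captured.

```python
"""Frame and parse njRAT-style C2 traffic using the extracted config.

Added example, not from the sandbox report. SPLITTER, C2_HOST/C2_PORT and
CAMPAIGN come from the extracted config. The '<len>\\x00<payload>' framing
and the 'll' registration command are assumptions about njRAT 0.7d; the
sample stream at the bottom is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterator

SPLITTER = "|'|'|"                             # from the extracted config
C2_HOST, C2_PORT = "fr3onhoms.ddns.net", 5552  # from the extracted config
CAMPAIGN = "HacKed"                            # botnet ID from the extracted config


@dataclass
class Frame:
    command: str
    fields: list[str]


def encode_frame(command: str, *fields: str) -> bytes:
    """Build one frame: ASCII length, NUL, then command and fields joined by the splitter."""
    payload = SPLITTER.join((command, *fields)).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def iter_frames(stream: bytes) -> Iterator[Frame]:
    """Yield frames from a TCP stream; raise ValueError on a malformed or truncated frame."""
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        header = stream[pos:nul] if nul != -1 else b""
        if not header.isdigit():                # missing NUL, empty or non-numeric length
            raise ValueError(f"bad frame header at offset {pos}")
        length = int(header.decode("ascii"))
        start, end = nul + 1, nul + 1 + length
        if end > len(stream):
            raise ValueError(f"truncated frame at offset {pos}")
        parts = stream[start:end].decode("utf-8", errors="replace").split(SPLITTER)
        yield Frame(command=parts[0], fields=parts[1:])
        pos = end


def looks_like_njrat(stream: bytes) -> bool:
    """True once a well-formed 'll' registration frame for this campaign has been seen.

    A truncated tail after a good registration frame still counts as a hit.
    """
    try:
        for frame in iter_frames(stream):
            if frame.command == "ll" and frame.fields and frame.fields[0].startswith(CAMPAIGN + "_"):
                return True
    except ValueError:
        pass
    return False


# Constructed sample: a registration frame followed by a one-byte keep-alive frame.
SAMPLE_STREAM = (
    encode_frame("ll", f"{CAMPAIGN}_A1B2C3D4", "DESKTOP-TEST", "Admin", "21-09-14", "",
                 "Win 10 Pro", "No", "0.7d")
    + encode_frame("P")
)

if __name__ == "__main__":
    for f in iter_frames(SAMPLE_STREAM):
        print(f.command, f.fields)
    print("njRAT-like:", looks_like_njrat(SAMPLE_STREAM), "expected peer", f"{C2_HOST}:{C2_PORT}")
```

The parser is strict about the length header on purpose: a detector that guesses at frame boundaries will happily "find" the splitter inside unrelated binary traffic, whereas requiring a numeric length, a NUL and a complete body before accepting a frame keeps false positives down on a busy sensor.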
Signatures

Executes dropped EXE (1 IoC)
  pid   process
  4804  igfxTray.exe

Modifies Windows Firewall (1 TTP)
  igfxTray.exe spawns netsh.exe to register itself as an allowed program (full command line under Processes).

Drops startup file (2 IoCs)
  description                   ioc                                                                                                                  process
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\39142952441e8c6dd1c68259493b5832.exe  igfxTray.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\39142952441e8c6dd1c68259493b5832.exe  igfxTray.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  process       description      ioc
  igfxTray.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\39142952441e8c6dd1c68259493b5832 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\igfxTray.exe\" .."
  igfxTray.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\39142952441e8c6dd1c68259493b5832 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\igfxTray.exe\" .."
  Both the per-user Run key and the machine-wide one (under WOW6432Node, the 32-bit registry view) are written. The HKLM write only succeeds with administrative rights, so on a standard-user host expect the HKCU entry alone. The value name is the mutex/reg_key from the extracted config, and the image path carries a trailing " .." argument.

Enumerates physical storage devices (1 TTP)
  Sandbox description: "Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour." That sentence is the signature's generic wording. For this sample, identified as njRAT by the extracted config, drive enumeration is consistent with the RAT's file browsing and removable-drive spreading; no file encryption is reported anywhere in this analysis.

Suspicious use of AdjustPrivilegeToken (33 IoCs)
  All from pid 4804 igfxTray.exe:
  token                                                 count
  SeDebugPrivilege                                      1
  33 (privilege LUID; SeIncreaseWorkingSetPrivilege)    16
  SeIncBasePriorityPrivilege                            16
  After the single SeDebugPrivilege adjustment the 33 / SeIncBasePriorityPrivilege pairs alternate sixteen times, i.e. the process keeps re-adjusting the same two privileges rather than acquiring new ones.

Suspicious use of WriteProcessMemory (6 IoCs)
  source pid  source process                                        target pid  target process  count
  4656        3D8B03DD0D32E8B35E85D8F3FE30C4DF806607B506C46.exe    4804        igfxTray.exe    3
  4804        igfxTray.exe                                          4920        netsh.exe       3
  Each write targets a child the source itself spawned, which the sandbox also flags for ordinary process start-up; no write into an unrelated process is reported.
Processes
  C:\Users\Admin\AppData\Local\Temp\3D8B03DD0D32E8B35E85D8F3FE30C4DF806607B506C46.exe  (pid 4656, level 1)
    command line: "C:\Users\Admin\AppData\Local\Temp\3D8B03DD0D32E8B35E85D8F3FE30C4DF806607B506C46.exe"
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\igfxTray.exe  (pid 4804, level 2)
      command line: "C:\Users\Admin\AppData\Local\Temp\igfxTray.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\netsh.exe  (pid 4920, level 3)
        command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\igfxTray.exe" "igfxTray.exe" ENABLE
  Chain: the submitted sample writes a copy of itself to %TEMP%\igfxTray.exe (a name chosen to resemble the Intel graphics tray utility); the copy installs Run-key and Startup-folder persistence, then runs the legacy "netsh firewall" context (deprecated in favour of "netsh advfirewall" but still honoured on Windows 10) to add an allowed-program exception for itself so Windows Firewall does not block its traffic. netsh.exe being loaded from SysWOW64 and the Run key landing under WOW6432Node are both consistent with a 32-bit process.
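The three persistence and evasion steps in the tree above (Run key to a user-writable path, Startup-folder drop, netsh allowed-program exception) are what a hunt should key on, because they survive a change of hash or C2. The Python below is an added example and is not part of the sandbox report: it encodes those observations as rules over Sysmon-style event dicts and scores the chain per responsible image. The event records are constructed to mirror the report's IoCs, not captured telemetry, and the field names (type, image, parent_image, cmdline, key, value, path) are this example's own.

```python
"""Detect the njRAT persistence / firewall-evasion chain seen in the report.

Added example, not part of the sandbox report. The rules mirror the report's
IoCs; the EVENTS list is constructed (field names are this example's own,
not a real Sysmon schema).
"""
from __future__ import annotations

import re

# Directories a standard user can write to; a persistence entry pointing here is
# far more suspicious than one pointing into Program Files or System32.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")
STARTUP_DIR = "\\start menu\\programs\\startup\\"

# Matches HKCU/HKLM Run keys and the WOW6432Node view seen in the report.
RUN_KEY = re.compile(r"\\software\\(wow6432node\\)?microsoft\\windows\\currentversion\\run\\", re.I)
# Legacy 'netsh firewall' syntax (used by this sample) and the newer advfirewall form.
NETSH_ALLOW = re.compile(
    r"\bnetsh(\.exe)?\s+(firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)\b", re.I)
QUOTED_EXE = re.compile(r'"([^"]+\.exe)"', re.I)


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in USER_WRITABLE)


def check_event(ev: dict) -> list[str]:
    """Return the names of the rules a single event triggers."""
    hits: list[str] = []
    kind = ev.get("type")
    if kind == "process_create":
        cmd = ev.get("cmdline", "")
        m = QUOTED_EXE.search(cmd)
        if NETSH_ALLOW.search(cmd) and m and in_user_writable(m.group(1)):
            hits.append("firewall_exclusion_for_user_writable_binary")
    elif kind == "registry_set":
        if RUN_KEY.search(ev.get("key", "")):
            value = ev.get("value", "")
            if in_user_writable(value):
                hits.append("run_key_to_user_writable_path")
            if value.rstrip().endswith(" .."):  # trailing ' ..' argument, as in the report's Run value
                hits.append("njrat_style_run_value")
    elif kind == "file_create":
        if STARTUP_DIR in ev.get("path", "").lower() and in_user_writable(ev.get("image", "")):
            hits.append("startup_folder_drop_from_user_writable_image")
    return hits


def score_chain(events) -> dict[str, list[str]]:
    """Group triggered rules by the responsible image (the parent, for a spawned netsh)."""
    by_actor: dict[str, set[str]] = {}
    for ev in events:
        actor = ev.get("parent_image") if ev.get("type") == "process_create" else ev.get("image")
        for rule in check_event(ev):
            by_actor.setdefault(actor, set()).add(rule)
    return {actor: sorted(rules) for actor, rules in by_actor.items()}


def suspicious_actors(events, min_rules: int = 2) -> set[str]:
    """Report an image that trips two or more distinct rules; one alone is too noisy."""
    return {actor for actor, rules in score_chain(events).items() if len(rules) >= min_rules}


RAT = r"C:\Users\Admin\AppData\Local\Temp\igfxTray.exe"
# Constructed events modelled on the report (not real telemetry).
EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\netsh.exe", "parent_image": RAT,
     "cmdline": 'netsh firewall add allowedprogram "C:\\Users\\Admin\\AppData\\Local\\Temp\\igfxTray.exe" "igfxTray.exe" ENABLE'},
    {"type": "registry_set", "image": RAT,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\39142952441e8c6dd1c68259493b5832",
     "value": '"C:\\Users\\Admin\\AppData\\Local\\Temp\\igfxTray.exe" ..'},
    {"type": "file_create", "image": RAT,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\39142952441e8c6dd1c68259493b5832.exe"},
    # Benign control: a vendor updater registering itself from Program Files.
    {"type": "registry_set", "image": r"C:\Program Files\Vendor\Updater.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "value": '"C:\\Program Files\\Vendor\\Updater.exe" /background'},
]

if __name__ == "__main__":
    for actor, rules in score_chain(EVENTS).items():
        print(actor, "->", ", ".join(rules))
    print("suspicious:", suspicious_actors(EVENTS))
```

Attributing the netsh event to its parent rather than to netsh.exe itself is what lets the three observations add up against one image; scoring netsh.exe on its own would leave every rule at a single hit and the chain below the reporting threshold.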
Downloads
  C:\Users\Admin\AppData\Local\Temp\igfxTray.exe
    MD5: 0a8eb56e089d298f7dab780b3218e504
    SHA1: 5963b1eb8243672225721ee5ce897eae2c748f8f
    SHA256: 3d8b03dd0d32e8b35e85d8f3fe30c4df806607b506c465c35ca66c2e93ae489d
    SHA512: b650775cf304a323e22cdeee3da91acb10bc80a9f7d6e4e913c7f5d5cfe9c0533e89ae8af3a0338813e4439841f01dd7c6a5729d83a4034bacf89ea39cd3a066
  These hashes match the submitted sample exactly: igfxTray.exe is a byte-for-byte copy, so the sample's hashes also cover the persistence binary.
  Memory dumps
    pid 4656 (3D8B03DD0D32E8B35E85D8F3FE30C4DF806607B506C46.exe)
      memory/4656-115-0x0000000000DC0000-0x0000000000DC1000-memory.dmp  4KB
      memory/4656-117-0x0000000005650000-0x0000000005651000-memory.dmp  4KB
      memory/4656-118-0x0000000005C50000-0x0000000005C51000-memory.dmp  4KB
      memory/4656-119-0x0000000005750000-0x0000000005751000-memory.dmp  4KB
      memory/4656-120-0x0000000005620000-0x0000000005621000-memory.dmp  4KB
      memory/4656-121-0x0000000005940000-0x0000000005941000-memory.dmp  4KB
      memory/4656-122-0x00000000055B0000-0x000000000564C000-memory.dmp  624KB
      memory/4656-123-0x00000000055B0000-0x000000000564C000-memory.dmp  624KB
      memory/4656-124-0x00000000055B0000-0x000000000564C000-memory.dmp  624KB
      memory/4656-125-0x00000000055B0000-0x000000000564C000-memory.dmp  624KB
      memory/4656-126-0x00000000055B0000-0x000000000564C000-memory.dmp  624KB
      memory/4656-127-0x00000000055B0000-0x000000000564C000-memory.dmp  624KB
      memory/4656-128-0x00000000055B0000-0x000000000564C000-memory.dmp  624KB
      memory/4656-129-0x0000000009640000-0x0000000009646000-memory.dmp  24KB
    pid 4804 (igfxTray.exe)
      memory/4804-130-0x0000000000000000-mapping.dmp
      memory/4804-140-0x0000000004D60000-0x000000000525E000-memory.dmp  5.0MB
      memory/4804-141-0x0000000004D60000-0x000000000525E000-memory.dmp  5.0MB
      memory/4804-142-0x0000000004D60000-0x000000000525E000-memory.dmp  5.0MB
      memory/4804-143-0x0000000004D60000-0x000000000525E000-memory.dmp  5.0MB
      memory/4804-144-0x0000000004D60000-0x000000000525E000-memory.dmp  5.0MB
      memory/4804-145-0x0000000004D60000-0x000000000525E000-memory.dmp  5.0MB
      memory/4804-146-0x0000000004D60000-0x000000000525E000-memory.dmp  5.0MB
    pid 4920 (netsh.exe)
      memory/4920-148-0x0000000000000000-mapping.dmp
    The 624KB range in 4656 (dumps 122-128) and the 5.0MB range in 4804 (dumps 140-146) were each captured seven times at the same address; entries are listed here by dump index.