Analysis
max time kernel
150s
max time network
157s
platform
windows10_x64
resource
win10v20210408
submitted
15-09-2021 20:51
Behavioral task
behavioral1
Sample
5881ED83EF800AC9CBC9E74C6A9E403521AFED344105E.exe
Resource
win7-en
Behavioral task
behavioral2
Sample
5881ED83EF800AC9CBC9E74C6A9E403521AFED344105E.exe
Resource
win10v20210408
General
Target
5881ED83EF800AC9CBC9E74C6A9E403521AFED344105E.exe
Size
23KB
MD5
40d8409cbbafe7fc7ee3132f00ad9423
SHA1
849c0f16a80cc4c1acd1dfa875de31e028e2ecfc
SHA256
5881ed83ef800ac9cbc9e74c6a9e403521afed344105ee157d66916e70ff63df
SHA512
90d66e223935efa2ccba3b2bb5b2533bd0f33ea6def1057ff210bfca1f0235698a60949825b8e695d3d5e532aa672a72058e35389761534955c8e55246606684
Malware Config
Extracted
Family
njrat
Version
0.7d
Botnet (campaign ID)
mscode
C2
hotkey.ddns.net:5552
Mutex
2f547573b829f3eb843eb77706c321e3
reg_key
2f547573b829f3eb843eb77706c321e3
splitter
|'|'|
The C2 is a dynamic-DNS hostname on port 5552 (the njRAT default), so block or alert on the hostname rather than pinning an IP. The same 32-hex identifier serves as mutex, reg_key and Run value name below, which makes it a cheap host-level IoC for this build. The splitter is the field delimiter njRAT uses in its C2 messages.
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
PID 376 mscodec.exe
-
Modifies Windows Firewall 1 TTPs
mscodec.exe spawns netsh.exe to add itself as an allowed program (see the process tree below).
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\2f547573b829f3eb843eb77706c321e3 = "\"C:\\Users\\Admin\\AppData\\Roaming\\mscodec.exe\" .." (mscodec.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\2f547573b829f3eb843eb77706c321e3 = "\"C:\\Users\\Admin\\AppData\\Roaming\\mscodec.exe\" .." (mscodec.exe)
The value name is the reg_key from the extracted config and the data ends in the trailing " .." that njRAT appends; the HKLM write lands under WOW6432Node because mscodec.exe runs as a 32-bit (WOW64) process on this x64 VM, which also explains why netsh is launched from SysWOW64.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour"; for an njRAT sample, drive enumeration is equally consistent with its removable-drive spreading, so do not take it as evidence of encryption on its own.
-
Suspicious use of AdjustPrivilegeToken 33 IoCs
Processes: mscodec.exe (PID 376)
Token: SeDebugPrivilege (once), followed by 16 alternating pairs of privilege LUID 33 (SeIncreaseWorkingSetPrivilege) and SeIncBasePriorityPrivilege.
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
PID 664 (5881ED83EF800AC9CBC9E74C6A9E403521AFED344105E.exe) wrote to memory of PID 376 (mscodec.exe), 3 times
PID 376 (mscodec.exe) wrote to memory of PID 2684 (netsh.exe), 3 times
In both cases the target is the writer's own child in the process tree below, which is consistent with process creation rather than injection into an unrelated process.
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\5881ED83EF800AC9CBC9E74C6A9E403521AFED344105E.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5881ED83EF800AC9CBC9E74C6A9E403521AFED344105E.exe"
   PID: 664
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\mscodec.exe
      Command line: "C:\Users\Admin\AppData\Roaming\mscodec.exe"
      PID: 376
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\mscodec.exe" "mscodec.exe" ENABLE
         PID: 2684
The firewall command uses the legacy "netsh firewall" context (deprecated since the advfirewall context was introduced, but Windows 10 still honours it with a deprecation notice). A netsh.exe child of an executable running from a user's AppData folder is a reliable detection hook on its own.
-
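The persistence and firewall chain above is easy to correlate from endpoint telemetry. The following is an added example, not part of the sandbox report or of njRAT: it runs detection logic over a handful of constructed Sysmon-style records (event ID 1 process creation with Image/CommandLine, event ID 13 registry value set with TargetObject/Details) built from the values in this report, scores each executable by how many njRAT-style indicators it accumulates, and flags those over a threshold. The event records, the scoring weights and the threshold are assumptions for illustration.

```python
import re

# Observed in this report: the njRAT reg_key, reused as the Run value name.
REG_KEY_NAME = "2f547573b829f3eb843eb77706c321e3"
SID = "S-1-5-21-1594587808-2047097707-2163810515-1000"
DROPPED = r"C:\Users\Admin\AppData\Roaming\mscodec.exe"

HEX32 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
# Run value under HKU/HKCU or HKLM, with or without the WOW6432Node redirect.
RUN_VALUE = re.compile(
    r"\\Software\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$",
    re.IGNORECASE,
)
# An .exe sitting directly in the user's Roaming or Local profile folder.
APPDATA_EXE = re.compile(
    r'[A-Z]:\\Users\\[^\\]+\\AppData\\(?:Roaming|Local)\\[^\\"]+\.exe', re.IGNORECASE
)
# Legacy "netsh firewall add allowedprogram <path> <name> ENABLE" form seen here.
NETSH_ALLOW = re.compile(
    r'netsh(?:\.exe)?\s+firewall\s+add\s+allowedprogram\s+"?([^"]+?\.exe)"?', re.IGNORECASE
)

# Constructed sample telemetry (assumption: Sysmon field names), built from this report.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 664,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\5881ED83EF800AC9CBC9E74C6A9E403521AFED344105E.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\5881ED83EF800AC9CBC9E74C6A9E403521AFED344105E.exe"'},
    {"EventID": 1, "ProcessId": 376, "Image": DROPPED, "CommandLine": f'"{DROPPED}"'},
    {"EventID": 1, "ProcessId": 2684, "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "CommandLine": f'netsh firewall add allowedprogram "{DROPPED}" "mscodec.exe" ENABLE'},
    {"EventID": 13, "ProcessId": 376, "Image": DROPPED,
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\{REG_KEY_NAME}",
     "Details": f'"{DROPPED}" ..'},
    {"EventID": 13, "ProcessId": 376, "Image": DROPPED,
     "TargetObject": rf"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\{REG_KEY_NAME}",
     "Details": f'"{DROPPED}" ..'},
    # Benign noise that must not be flagged (constructed).
    {"EventID": 1, "ProcessId": 900, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 13, "ProcessId": 901, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]


def _norm(path):
    """Case-insensitive, unquoted key so events from different sources correlate."""
    return path.strip('"').lower()


def analyze(events):
    """Correlate records by executable path.

    Returns {normalised_path: {"reasons": [...], "score": n}}; each distinct
    reason counts once, so repeated events (e.g. HKCU and HKLM Run keys) do not
    inflate the score.
    """
    findings = {}

    def hit(path, reason):
        entry = findings.setdefault(_norm(path), {"reasons": [], "score": 0})
        if reason not in entry["reasons"]:
            entry["reasons"].append(reason)
            entry["score"] += 1

    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:  # process creation
            image = ev.get("Image", "")
            if APPDATA_EXE.search(image):
                hit(image, "executed from user AppData")
            m = NETSH_ALLOW.search(ev.get("CommandLine", ""))
            if m:
                hit(m.group(1), "netsh firewall allowedprogram rule added for it")
        elif eid == 13:  # registry value set
            m = RUN_VALUE.search(ev.get("TargetObject", ""))
            if not m:
                continue
            value_name, details = m.group(1), ev.get("Details", "")
            target = APPDATA_EXE.search(details)
            if target is None:
                continue  # Run entries for program-files binaries are not of interest here
            hit(target.group(0), "Run key points at AppData executable")
            if HEX32.match(value_name):
                hit(target.group(0), "Run value name is a 32-hex identifier (njRAT reg_key style)")
            if details.rstrip().endswith(".."):
                hit(target.group(0), 'Run value data ends in " .." (njRAT style)')
    return findings


def verdicts(events, threshold=3):
    """Executables that accumulated at least `threshold` indicators (assumed cut-off)."""
    return {p: f for p, f in analyze(events).items() if f["score"] >= threshold}


if __name__ == "__main__":
    for path, finding in verdicts(SAMPLE_EVENTS).items():
        print(f"{path}: score {finding['score']}")
        for reason in finding["reasons"]:
            print(f"  - {reason}")
```

Scoring on distinct reasons rather than raw event counts keeps the HKCU and HKLM Run writes from double-counting, while still letting a single indicator (a Run value that points at an AppData executable) surface at a lower threshold if you want a noisier hunting query.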
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5
40d8409cbbafe7fc7ee3132f00ad9423
SHA1
849c0f16a80cc4c1acd1dfa875de31e028e2ecfc
SHA256
5881ed83ef800ac9cbc9e74c6a9e403521afed344105ee157d66916e70ff63df
SHA512
90d66e223935efa2ccba3b2bb5b2533bd0f33ea6def1057ff210bfca1f0235698a60949825b8e695d3d5e532aa672a72058e35389761534955c8e55246606684