Analysis
- max time kernel: 150s
- max time network: 164s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 22-09-2021 17:07
Static task: static1
Behavioral task: behavioral1
  Sample: dffffd.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: dffffd.exe
  Resource: win10-en-20210920
General
- Target: dffffd.exe
- Size: 661KB
- MD5: 75877c7f6a8b5a2642c5b3c389444394
- SHA1: 9168024a9c3a28d5be15953eccaeb5bff68b9601
- SHA256: ef8c7077685d93118f27d7c334f60a440b31e127989748078057c5855c35aba9
- SHA512: e2cb7c74989493526c67cc569e9503be079693d8d65874f283889768db07160fe2bda293f9d045c87261948ddedb291c06ca9dcdae8c4cd81c0a51eb5748742e
Malware Config
Extracted
- Family: njrat
- Version: v4.0
- Wed_22_GreenLife
- 37.120.141.158:18892
- Windows
- reg_key: Windows
- splitter: |-F-|
Signatures
- Drops startup file (1 IoC)
  Processes: dffffd.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | dffffd.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: dffffd.exe
  description | pid | process | target process
  PID 1824 set thread context of 1856 | 1824 | dffffd.exe | dffffd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: dffffd.exe
  pid | process
  1824 | dffffd.exe
  1824 | dffffd.exe
- Suspicious use of AdjustPrivilegeToken (26 IoCs)
  Processes: dffffd.exe, dffffd.exe
  description | pid | process
  Token: SeDebugPrivilege | 1824 | dffffd.exe
  Token: SeDebugPrivilege | 1856 | dffffd.exe
  Token: 33 | 1856 | dffffd.exe
  Token: SeIncBasePriorityPrivilege | 1856 | dffffd.exe
  (the last two rows alternate 12 times in the original listing, 24 rows in total)
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: dffffd.exe
  description | pid | process | target process
  PID 1824 wrote to memory of 1512 | 1824 | dffffd.exe | schtasks.exe (listed 4 times)
  PID 1824 wrote to memory of 1852 | 1824 | dffffd.exe | dffffd.exe (listed 4 times)
  PID 1824 wrote to memory of 1856 | 1824 | dffffd.exe | dffffd.exe (listed 9 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\dffffd.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dffffd.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kfzQEBrWHDfT" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8FEF.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\dffffd.exe (depth 2)
    Command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\dffffd.exe (depth 2)
    Command line: "{path}"
    - Drops startup file
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp8FEF.tmp
  MD5: 50acf56b411f8f120e944c3a8095771a
  SHA1: 374574a363922cbc6a8bbf27e1d2a9d345e8a7d4
  SHA256: 8aa14162aa0bed7cb6417757c9c47b71db6c8dfe20ee6b31cc185d1f427a0290
  SHA512: aa5b343d0e74f1a73d406a5626280634e9aade99b690e64b16cc6fd74471ae680dfda40bd58fefd06a1aef0209959470f16716ea14cdf5d00660af9fb01bf872
- memory/1512-66-0x0000000000000000-mapping.dmp
- memory/1824-60-0x00000000001B0000-0x00000000001B1000-memory.dmp (Filesize: 4KB)
- memory/1824-62-0x0000000004DD0000-0x0000000004DD1000-memory.dmp (Filesize: 4KB)
- memory/1824-63-0x00000000005B0000-0x00000000005BE000-memory.dmp (Filesize: 56KB)
- memory/1824-64-0x0000000004F40000-0x0000000004F9E000-memory.dmp (Filesize: 376KB)
- memory/1824-65-0x0000000001E10000-0x0000000001E19000-memory.dmp (Filesize: 36KB)
- memory/1856-68-0x0000000000400000-0x000000000040E000-memory.dmp (Filesize: 56KB)
- memory/1856-69-0x000000000040838E-mapping.dmp
- memory/1856-70-0x0000000000400000-0x000000000040E000-memory.dmp (Filesize: 56KB)
- memory/1856-72-0x0000000005910000-0x0000000005911000-memory.dmp (Filesize: 4KB)