Analysis
- Max time kernel: 151s
- Max time network: 158s
- Platform: windows10_x64
- Resource: win10-en-20210920
- Submitted: 24-09-2021 06:12

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 1ca2fa1eacf168c97e2663f7bbbe64afe6569ade725ed84f4ee1fe91aa27e83f.exe
  Resource: win7-en-20210920
- Behavioral task: behavioral2
  Sample: 1ca2fa1eacf168c97e2663f7bbbe64afe6569ade725ed84f4ee1fe91aa27e83f.exe
  Resource: win10-en-20210920
General
- Target: 1ca2fa1eacf168c97e2663f7bbbe64afe6569ade725ed84f4ee1fe91aa27e83f.exe
- Size: 152KB
- MD5: c2b9c99086b64ed5ef6ae1bd34288013
- SHA1: 43a4fdff438bb03812aaf9cf273c5021a21623f8
- SHA256: 1ca2fa1eacf168c97e2663f7bbbe64afe6569ade725ed84f4ee1fe91aa27e83f
- SHA512: 7e2595d992653ba5b332514379ab2ea8aca86eefbe6c89f3970a3ea5c36f1922d88dda3341f269a5754fd4b87e0a3ed9eca1a79b6ee16c8482741401d0087391
Malware Config
Extracted
- Family: njrat
- Version: v2.0
- Botnet ID: HacKed
- C2: daddygvgv.ddns.net:1177
- Windows
- reg_key: Windows
- splitter: |-F-|
Signatures
- Executes dropped EXE (3 IoCs)
  Processes (PID, process):
  - 2528 MFhYi.exe
  - 2616 MFhYi.exe
  - 1284 Payload.exe
- Drops startup file (3 IoCs)
  Processes (description, IoC, process):
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk (MFhYi.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk (MFhYi.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk (Payload.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, IoC, process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Payload.exe" (MFhYi.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (32 IoCs)
  Processes (token, PID, process):
  - SeDebugPrivilege 2188 1ca2fa1eacf168c97e2663f7bbbe64afe6569ade725ed84f4ee1fe91aa27e83f.exe
  - SeDebugPrivilege 1284 Payload.exe
  - 33 1284 Payload.exe
  - SeIncBasePriorityPrivilege 1284 Payload.exe
  (the last two rows, "33" followed by "SeIncBasePriorityPrivilege" for PID 1284 Payload.exe, repeat 15 times in the report, giving 32 IoCs in total)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, PID, process, target process):
  - PID 2188 wrote to memory of 2528: 1ca2fa1eacf168c97e2663f7bbbe64afe6569ade725ed84f4ee1fe91aa27e83f.exe -> MFhYi.exe (3 times)
  - PID 2188 wrote to memory of 2616: 1ca2fa1eacf168c97e2663f7bbbe64afe6569ade725ed84f4ee1fe91aa27e83f.exe -> MFhYi.exe (3 times)
  - PID 2528 wrote to memory of 1284: MFhYi.exe -> Payload.exe (3 times)
  - PID 2528 wrote to memory of 1476: MFhYi.exe -> attrib.exe (3 times)
- Views/modifies file attributes (1 TTP, 1 IoC)
Processes
1. C:\Users\Admin\AppData\Local\Temp\1ca2fa1eacf168c97e2663f7bbbe64afe6569ade725ed84f4ee1fe91aa27e83f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1ca2fa1eacf168c97e2663f7bbbe64afe6569ade725ed84f4ee1fe91aa27e83f.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MFhYi.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\MFhYi.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Payload.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Payload.exe"
         - Executes dropped EXE
         - Drops startup file
         - Suspicious use of AdjustPrivilegeToken
      3. C:\Windows\SysWOW64\attrib.exe
         Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Payload.exe"
         - Views/modifies file attributes
   2. C:\Users\Admin\AppData\Local\Temp\MFhYi.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\MFhYi.exe"
      - Executes dropped EXE
      - Drops startup file
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\MFhYi.exe.log
  MD5: 6b5a2c06d34c86bcc8aacc3a739fd362
  SHA1: 54fc90eaa12ba9251414e8dac83fdae08819ee42
  SHA256: 1492fc3847a36be51e64ca15fb12b6cc177891495f6409cfe678d88cb2f59b68
  SHA512: 228099efd50e8017eb9e320459bba6c4d40af8c92c1761b58ce35424f7f1bc1c3d4f4d808515ed27570f0e50bdf8945a9f8264806f92c30d2a70a9aa85c444ba
- C:\Users\Admin\AppData\Local\Temp\MFhYi.exe
  MD5: 8e54875e72bebf23615137805c3d1145
  SHA1: 28eb5693c2964c991f2df6bf408c9a394b1db8db
  SHA256: 13070a0ead17f9ace63f7f78f754f8700dc186d3d744463876fb5d5dd4ceea9e
  SHA512: 2387c3150ca8f7473cc0e2d552d0e4b39ac396b363bbd3160284fc434b9d68d4df90afc291900c4f3c685bbccd0e6192fead07d90b0610e8dd028a56719926df
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
  MD5: 46562a709e5ec2dab9696cb27bd33b74
  SHA1: aabc178c30e55066ce607209890032a61c0ea6f8
  SHA256: fa1e5acb0728a372781bad0a82d0951ff90e12d4bbdcd2ddb42c444388b64d21
  SHA512: 309d3974ae4a84e763cff4000f7c52b84172ebfca7b1e7ce4eb077c54264a4cd3462d4e1d33a595b25bb64a10697f43dc56230caf30836b840a773e1490b69a3
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
  MD5: b4fdc94f9046fd37a2e3eb86a3a90b2e
  SHA1: c66dcf4da9990d7c5e05e746014959b2d6cafdbf
  SHA256: 7932091b665509fce9c35ab4b372ea30cb4a13dd1b8011b586cb840692988d37
  SHA512: 64d2608bcb9242fcd47fa1c2fb1517356aeed5096ad3d15e72e1ca976fa34346524ddaab18c78548074b51a7ecae642e3953d83d8692ac00ef1c777509603cef
- C:\Users\Admin\AppData\Roaming\Payload.exe (same hashes as MFhYi.exe above)
  MD5: 8e54875e72bebf23615137805c3d1145
  SHA1: 28eb5693c2964c991f2df6bf408c9a394b1db8db
  SHA256: 13070a0ead17f9ace63f7f78f754f8700dc186d3d744463876fb5d5dd4ceea9e
  SHA512: 2387c3150ca8f7473cc0e2d552d0e4b39ac396b363bbd3160284fc434b9d68d4df90afc291900c4f3c685bbccd0e6192fead07d90b0610e8dd028a56719926df
Memory dumps
- memory/1284-125-0x0000000000000000-mapping.dmp
- memory/1284-132-0x0000000002A90000-0x0000000002A91000-memory.dmp (filesize 4KB)
- memory/1476-130-0x0000000000000000-mapping.dmp
- memory/2188-115-0x0000000000070000-0x0000000000071000-memory.dmp (filesize 4KB)
- memory/2528-122-0x0000000003130000-0x0000000003131000-memory.dmp (filesize 4KB)
- memory/2528-117-0x0000000000000000-mapping.dmp
- memory/2616-119-0x0000000000000000-mapping.dmp
- memory/2616-123-0x0000000002EF0000-0x0000000002EF1000-memory.dmp (filesize 4KB)