Analysis
- max time kernel: 152s
- max time network: 179s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 26-09-2021 12:31

Static task: static1
Behavioral task: behavioral1
Sample: 303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
Resource: win7v20210408
General
- Target: 303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
- Size: 342KB
- MD5: ab09790ec8dbb4c257d8a7c0f3a49943
- SHA1: 1b45a0349f77c7e07b725d32a5a32e80c00eef24
- SHA256: 303424a6536eedb027734b0557a32a064ceb0ed35f225d3f434a010fa13fe106
- SHA512: b420c0e0064de4038ad332316168e59ab88a6ffd63c5ccc1eb36c7b29a2b449591fc0af0557399e9677d8a503302c9e50ccf060f56e7c971cfe0d6ebeb814db3
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: BAYRAMM
- C2: cihan05.duckdns.org:1981
- Mutex: 47da9b71ec9839dd4ca48977f70dcfda
- Attributes:
  - reg_key: 47da9b71ec9839dd4ca48977f70dcfda
  - splitter: |'|'|
Signatures

- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    1156  tmp.exe
    1968  chorme.exe

- Modifies Windows Firewall (1 TTPs)

- Drops startup file (1 IoCs)
  Processes (description, ioc, process):
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chorme.exe.lnk  303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe

- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1832  303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
    1832  303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe

- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description, pid, process, target process):
    PID 1832 set thread context of 1968  1832  303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe  chorme.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Delays execution with timeout.exe (1 IoCs)
  Processes (pid, process):
    1636  timeout.exe

- NTFS ADS (1 IoCs)
  Processes (description, ioc, process):
    File created  C:\Users\Admin\AppData\Roaming\chorme\chorme.exe:Zone.Identifier  cmd.exe

- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes (pid, process):
    1832  303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe  (same entry listed 10 times)

- Suspicious use of AdjustPrivilegeToken (36 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege           1832  303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
    Token: SeDebugPrivilege           1156  tmp.exe
    Token: 33                         1156  tmp.exe
    Token: SeIncBasePriorityPrivilege 1156  tmp.exe
    (the last two entries alternate and are listed 17 times each, 34 entries in total)

- Suspicious use of WriteProcessMemory (33 IoCs)
  Processes (description, pid, process, target process):
    PID 1832 wrote to memory of 2012  1832  303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe  cmd.exe      (listed 4 times)
    PID 2012 wrote to memory of 2032  2012  cmd.exe                                             reg.exe      (listed 4 times)
    PID 1832 wrote to memory of 1156  1832  303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe  tmp.exe      (listed 4 times)
    PID 1832 wrote to memory of 1968  1832  303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe  chorme.exe   (listed 9 times)
    PID 1832 wrote to memory of 992   1832  303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe  cmd.exe      (listed 4 times)
    PID 992 wrote to memory of 1636   992   cmd.exe                                             timeout.exe  (listed 4 times)
    PID 1156 wrote to memory of 1208  1156  tmp.exe                                             netsh.exe    (listed 4 times)
Processes
(indentation shows the parent/child relationship; the number in parentheses is the depth in the process tree)

- C:\Users\Admin\AppData\Local\Temp\303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe (1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe"
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\cmd.exe (2)
    Command line: "cmd.exe"
    - NTFS ADS
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\reg.exe (3)
      Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\chorme\chorme.exe.lnk" /f

  - C:\Users\Admin\AppData\Roaming\tmp.exe (2)
    Command line: "C:\Users\Admin\AppData\Roaming\tmp.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\netsh.exe (3)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\tmp.exe" "tmp.exe" ENABLE

  - C:\Users\Admin\AppData\Local\Temp\chorme.exe (2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\chorme.exe"
    - Executes dropped EXE

  - C:\Windows\SysWOW64\cmd.exe (2)
    Command line: cmd /c C:\Users\Admin\AppData\Roaming\chorme\chorme.exe.bat
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\timeout.exe (3)
      Command line: timeout /t 300
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\chorme.exe
  MD5: 2e5f1cf69f92392f8829fc9c9263ae9b
  SHA1: 97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5
  SHA256: 51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b
  SHA512: f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883
- C:\Users\Admin\AppData\Roaming\chorme\chorme.exe
  MD5: ab09790ec8dbb4c257d8a7c0f3a49943
  SHA1: 1b45a0349f77c7e07b725d32a5a32e80c00eef24
  SHA256: 303424a6536eedb027734b0557a32a064ceb0ed35f225d3f434a010fa13fe106
  SHA512: b420c0e0064de4038ad332316168e59ab88a6ffd63c5ccc1eb36c7b29a2b449591fc0af0557399e9677d8a503302c9e50ccf060f56e7c971cfe0d6ebeb814db3

- C:\Users\Admin\AppData\Roaming\chorme\chorme.exe.bat
  MD5: 07ce0d8ff0a8ea3093a6ed6b32e06201
  SHA1: 8d4469b75a39cb88db7e98afab6cfdc7248a2b1f
  SHA256: e3bef7bc47b06572214a9f04b0e573268a1837c1db293e92f21f50f36516e926
  SHA512: 23db28dcbad04b544ee18b1e3dbd1ba40378721c6494bec9788572c3f31ba54eb2223a7b0e86d604ef6ae711c4a91cc9c340d67bfefe89b62e4bd991d998ab60

- C:\Users\Admin\AppData\Roaming\tmp.exe
  MD5: 7809d89aebc16107af640aecfda94430
  SHA1: c00d9323e6c029998f9efdb3d51c1038ea138b42
  SHA256: dd29ac9bdbf4cc14ac684211f09c767c32a9ec2227a3be67b989757912dce611
  SHA512: 915fcf46559b2b417e13055c0b3b137f72562566d0de795c6851d2b59ee19e694208d2ccd990f64828f270353a1e716c099643b6ab9ed7ea1be55a8db48d122e
- \Users\Admin\AppData\Local\Temp\chorme.exe
  MD5: 2e5f1cf69f92392f8829fc9c9263ae9b
  SHA1: 97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5
  SHA256: 51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b
  SHA512: f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

- \Users\Admin\AppData\Roaming\tmp.exe
  MD5: 7809d89aebc16107af640aecfda94430
  SHA1: c00d9323e6c029998f9efdb3d51c1038ea138b42
  SHA256: dd29ac9bdbf4cc14ac684211f09c767c32a9ec2227a3be67b989757912dce611
  SHA512: 915fcf46559b2b417e13055c0b3b137f72562566d0de795c6851d2b59ee19e694208d2ccd990f64828f270353a1e716c099643b6ab9ed7ea1be55a8db48d122e
Memory dumps (pid-sequence-region):
- memory/992-80-0x0000000000000000-mapping.dmp
- memory/1156-66-0x0000000000000000-mapping.dmp
- memory/1156-83-0x0000000002380000-0x0000000002381000-memory.dmp (Filesize: 4KB)
- memory/1208-85-0x0000000000000000-mapping.dmp
- memory/1636-82-0x0000000000000000-mapping.dmp
- memory/1832-60-0x0000000075801000-0x0000000075803000-memory.dmp (Filesize: 8KB)
- memory/1832-61-0x0000000002130000-0x0000000002131000-memory.dmp (Filesize: 4KB)
- memory/1968-72-0x000000000040748E-mapping.dmp
- memory/1968-74-0x0000000000080000-0x000000000008C000-memory.dmp (Filesize: 48KB)
- memory/1968-77-0x0000000000080000-0x000000000008C000-memory.dmp (Filesize: 48KB)
- memory/1968-84-0x0000000001FC0000-0x0000000001FC1000-memory.dmp (Filesize: 4KB)
- memory/2012-62-0x0000000000000000-mapping.dmp
- memory/2032-63-0x0000000000000000-mapping.dmp