Analysis

Max time kernel: 150s
Max time network: 152s
Platform: windows10_x64
Resource: win10-en-20210920
Submitted: 26-09-2021 12:31

Static task: static1
Behavioral task: behavioral1
  Sample: 303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
  Resource: win7v20210408
General

Target: 303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
Size: 342KB
MD5: ab09790ec8dbb4c257d8a7c0f3a49943
SHA1: 1b45a0349f77c7e07b725d32a5a32e80c00eef24
SHA256: 303424a6536eedb027734b0557a32a064ceb0ed35f225d3f434a010fa13fe106
SHA512: b420c0e0064de4038ad332316168e59ab88a6ffd63c5ccc1eb36c7b29a2b449591fc0af0557399e9677d8a503302c9e50ccf060f56e7c971cfe0d6ebeb814db3
Malware Config

Extracted
Family: njrat
Version: 0.7d
Botnet: BAYRAMM
C2: cihan05.duckdns.org:1981
Mutex: 47da9b71ec9839dd4ca48977f70dcfda
Attributes
  reg_key: 47da9b71ec9839dd4ca48977f70dcfda
  splitter: |'|'|

The mutex and the reg_key value are the same 32-hex identifier, which is typical of njRAT builds (one identifier names both the mutex and the persistence registry value), so that string is a usable host IoC on its own. The C2 is a dynamic-DNS host on a non-standard port, and the splitter is the field delimiter njRAT uses on the wire, so the extracted values serve both host and network detection.
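The splitter and C2 values above are enough to recognise this build's traffic and decode its registration message. The following Python is an added example, not code from the sandbox or from njRAT itself: it implements njRAT's length-prefixed framing (ASCII decimal length, one NUL byte, then the payload), splits fields on the extracted splitter, and decodes the base64 victim identifier of an "ll" registration. The beacon bytes are constructed here to mirror what this sample would send to cihan05.duckdns.org:1981; the host name, user name and the fields after them are illustrative, and the command-word list is only a subset of what 0.7d uses.

```python
import base64
from typing import List, Optional, Tuple

# Values taken from the extracted config above.
SPLITTER = "|'|'|"
C2_HOST, C2_PORT = "cihan05.duckdns.org", 1981
BOTNET = "BAYRAMM"
IDENT = "47da9b71ec9839dd4ca48977f70dcfda"   # doubles as mutex name and reg_key value

# Subset of the command words njRAT 0.7d puts in the first field; anything
# else should be treated as "unknown", not "benign".
KNOWN_COMMANDS = {"ll", "inf", "act", "ret", "CAP", "kl", "inv", "prof", "un", "rn", "proc"}


def frame(payload: bytes) -> bytes:
    """njRAT wire framing: ASCII decimal length, one NUL byte, then the payload."""
    return str(len(payload)).encode() + b"\x00" + payload


def unframe(stream: bytes) -> Tuple[List[bytes], bytes]:
    """Carve complete frames out of a raw TCP stream.

    Returns (payloads, leftover); a half-received frame stays in leftover so the
    caller can append the next segment and retry. Raises ValueError when the
    bytes before the first NUL are not a short decimal number.
    """
    payloads = []
    while True:
        nul = stream.find(b"\x00")
        if nul == -1:
            break
        length_field = stream[:nul]
        if not length_field.isdigit() or nul > 9:
            raise ValueError(f"not njRAT framing: {length_field[:16]!r}")
        end = nul + 1 + int(length_field)
        if len(stream) < end:
            break                      # incomplete frame, wait for more bytes
        payloads.append(stream[nul + 1:end])
        stream = stream[end:]
    return payloads, stream


def parse_message(payload: bytes, splitter: str = SPLITTER) -> List[str]:
    """Split one payload into fields on the config's splitter string."""
    return payload.decode("utf-8", "replace").split(splitter)


def registration_info(fields: List[str]) -> Optional[dict]:
    """Decode an 'll' registration: field 1 is base64('<botnet>_<id>'),
    field 2 the host name, field 3 the user name; later fields vary by build."""
    if len(fields) < 4 or fields[0] != "ll":
        return None
    victim = base64.b64decode(fields[1]).decode("utf-8", "replace")
    botnet, _, ident = victim.partition("_")
    return {"botnet": botnet, "id": ident, "hostname": fields[2], "user": fields[3]}


def looks_like_njrat(stream: bytes, splitter: str = SPLITTER) -> bool:
    """Triage test for a captured stream: framing parses, the splitter is
    present, and the first field of some frame is a known command word."""
    try:
        payloads, _ = unframe(stream)
    except ValueError:
        return False
    return any(splitter.encode() in p and parse_message(p, splitter)[0] in KNOWN_COMMANDS
               for p in payloads)


def build_registration(hostname: str, user: str) -> bytes:
    """Construct the registration frame this build would send to the C2
    (the values after the user name are illustrative, not a capture)."""
    victim = base64.b64encode(f"{BOTNET}_{IDENT}".encode()).decode()
    fields = ["ll", victim, hostname, user, "21-09-26", "", "Win 10 Pro SP0 x64", "No", "0.7d", "..", ""]
    return frame(SPLITTER.join(fields).encode())


# Constructed sample: one full registration frame followed by the first 14
# bytes of a second frame, to show that partial frames are held back.
SAMPLE_STREAM = build_registration("DESKTOP-EXAMPLE", "Admin") + b"12\x00inf|'|'|abc"

if __name__ == "__main__":
    payloads, leftover = unframe(SAMPLE_STREAM)
    print("frames:", len(payloads), "leftover:", leftover, "njrat:", looks_like_njrat(SAMPLE_STREAM))
    for p in payloads:
        print(registration_info(parse_message(p)))
```

Feed a reassembled TCP stream from a PCAP (or a proxy buffer) into unframe and keep the leftover between calls; the botnet/id pair recovered from the registration is what ties a network session back to the mutex and reg_key values on the host.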
Signatures

Executes dropped EXE (2 IoCs)
  PID 3488  tmp.exe
  PID 2192  chorme.exe

Modifies Windows Firewall (1 TTP)
  See the netsh.exe command line under Processes: tmp.exe adds itself as an allowed program.

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chorme.exe.lnk
  By: 303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe

Suspicious use of SetThreadContext (1 IoC)
  PID 2384 (303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe) set thread context of PID 2192 (chorme.exe)
  Read together with the eight WriteProcessMemory calls from 2384 into 2192 listed below, this is the process-hollowing pattern: the dropped chorme.exe is started, its memory overwritten, and its thread context redirected before it runs.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  The second sentence is the sandbox's generic description. Nothing else in this report shows file encryption; for an njRAT build, drive enumeration is more consistent with its removable-drive spreading option than with ransomware.

Delays execution with timeout.exe (1 IoC)
  PID 2508  timeout.exe
  The 300 s timeout outlasts the 150 s kernel budget of this run, so whatever chorme.exe.bat does after the sleep was not observed.

NTFS ADS (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\chorme\chorme.exe:Zone.Identifier
  By: cmd.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  PID 2384  303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe  (10 events)

Suspicious use of AdjustPrivilegeToken (36 IoCs)
  Token: SeDebugPrivilege            PID 2384  303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
  Token: SeDebugPrivilege            PID 3488  tmp.exe
  Token: 33                          PID 3488  tmp.exe  (17 events, alternating with the next line)
  Token: SeIncBasePriorityPrivilege  PID 3488  tmp.exe  (17 events)

Suspicious use of WriteProcessMemory (26 IoCs)
  PID 2384  303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe  wrote to  PID 2568  cmd.exe      (3 events)
  PID 2568  cmd.exe                                             wrote to  PID 2708  reg.exe      (3 events)
  PID 2384  303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe  wrote to  PID 3488  tmp.exe      (3 events)
  PID 2384  303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe  wrote to  PID 2192  chorme.exe   (8 events)
  PID 2384  303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe  wrote to  PID 3640  cmd.exe      (3 events)
  PID 3640  cmd.exe                                             wrote to  PID 2508  timeout.exe  (3 events)
  PID 3488  tmp.exe                                             wrote to  PID 3988  netsh.exe    (3 events)
  Three writes per child is the normal CreateProcess pattern; the eight writes into chorme.exe are the outlier.
Processes

C:\Users\Admin\AppData\Local\Temp\303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe  (PID 2384)
  "C:\Users\Admin\AppData\Local\Temp\303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (PID 2568, parent 2384)
    "cmd.exe"
    - NTFS ADS
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe  (PID 2708, parent 2568)
      reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\chorme\chorme.exe.lnk" /f

  C:\Users\Admin\AppData\Roaming\tmp.exe  (PID 3488, parent 2384)
    "C:\Users\Admin\AppData\Roaming\tmp.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe  (PID 3988, parent 3488)
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\tmp.exe" "tmp.exe" ENABLE

  C:\Users\Admin\AppData\Local\Temp\chorme.exe  (PID 2192, parent 2384)
    "C:\Users\Admin\AppData\Local\Temp\chorme.exe"
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe  (PID 3640, parent 2384)
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\chorme\chorme.exe.bat
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe  (PID 2508, parent 3640)
      timeout /t 300
      - Delays execution with timeout.exe

Persistence is set two ways in this tree: the Load value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows (the registry form of the legacy win.ini load= entry) is pointed at C:\Users\Admin\AppData\Roaming\chorme\chorme.exe.lnk, and a chorme.exe.lnk is also dropped into the user's Startup folder. tmp.exe opens a firewall exception for itself with the deprecated but still honoured "netsh firewall" syntax. chorme.exe.bat is launched through cmd.exe and begins with a 300 s sleep, longer than the 150 s analysis budget, so its later actions were not captured. chorme.exe in Temp (PID 2192) is the target of the SetThreadContext/WriteProcessMemory injection from PID 2384.
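The chain above (reg.exe writing the Load value, the Startup .lnk, the netsh allow rule, the Zone.Identifier ADS written by cmd.exe, SetThreadContext into chorme.exe, and cmd /c ...bat with timeout /t 300) maps onto a small set of host detections. The following Python is an added example, not part of the sandbox report or its tooling: it replays a constructed event list transcribed from the process tree and applies the rules a detection engineer would derive from it. The Event layout, rule names and the sample's own parent PID (1000) are assumptions; the ATT&CK sub-technique IDs are from the current matrix, not the v6 mapping the report header references.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Event:
    kind: str     # "process" (created), "file" (created) or "threadctx" (SetThreadContext)
    pid: int      # acting process
    ppid: int     # parent of the acting process
    image: str    # image path of the acting process
    detail: str   # command line, created file path, or target pid for threadctx


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed event list transcribed from the process tree on this page.
# PIDs are the report's; the sample's own parent (1000) is an assumption.
EVENTS = [
    Event("process", 2384, 1000, SAMPLE, f'"{SAMPLE}"'),
    Event("process", 2568, 2384, CMD, "cmd.exe"),
    Event("process", 2708, 2568, r"C:\Windows\SysWOW64\reg.exe",
          r'reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ '
          r'/d "C:\Users\Admin\AppData\Roaming\chorme\chorme.exe.lnk" /f'),
    Event("file", 2384, 1000, SAMPLE,
          r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chorme.exe.lnk"),
    Event("file", 2568, 2384, CMD, r"C:\Users\Admin\AppData\Roaming\chorme\chorme.exe:Zone.Identifier"),
    Event("process", 3488, 2384, r"C:\Users\Admin\AppData\Roaming\tmp.exe",
          r'"C:\Users\Admin\AppData\Roaming\tmp.exe"'),
    Event("process", 3988, 3488, r"C:\Windows\SysWOW64\netsh.exe",
          r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\tmp.exe" "tmp.exe" ENABLE'),
    Event("process", 2192, 2384, r"C:\Users\Admin\AppData\Local\Temp\chorme.exe",
          r'"C:\Users\Admin\AppData\Local\Temp\chorme.exe"'),
    Event("threadctx", 2384, 1000, SAMPLE, "2192"),
    Event("process", 3640, 2384, CMD,
          r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\chorme\chorme.exe.bat"),
    Event("process", 2508, 3640, r"C:\Windows\SysWOW64\timeout.exe", "timeout /t 300"),
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
BROWSERS = ("explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe")


def detect(events: List[Event]) -> List[Tuple[str, str, int]]:
    """Return (rule, label, pid) for every event that matches a rule.
    Labels are ATT&CK sub-technique IDs where one fits."""
    by_pid: Dict[int, Event] = {e.pid: e for e in events if e.kind == "process"}
    hits = []
    for e in events:
        low, img = e.detail.lower(), e.image.lower()
        if e.kind == "process":
            parent = by_pid.get(e.ppid)
            grand = by_pid.get(parent.ppid) if parent else None
            # Persistence via the legacy Load value (registry form of win.ini load=).
            if img.endswith("\\reg.exe") and "currentversion\\windows" in low and "/v load" in low:
                hits.append(("registry_load_value_persistence", "T1547.001", e.pid))
            # Firewall exception for a binary living in a user-writable directory.
            if img.endswith("\\netsh.exe") and "allowedprogram" in low and USER_WRITABLE.search(e.detail):
                hits.append(("firewall_allow_userwritable_binary", "T1562.004", e.pid))
            # Long sleep whose grandparent is itself a user-directory binary.
            m = re.search(r"timeout\s+/t\s+(\d+)", low)
            if m and int(m.group(1)) >= 60 and grand and USER_WRITABLE.search(grand.image):
                hits.append(("long_sleep_from_userwritable_chain", "T1497.003", e.pid))
            # Dropped executable: user-directory image started by a user-directory parent.
            if USER_WRITABLE.search(e.image) and parent and USER_WRITABLE.search(parent.image):
                hits.append(("dropped_exe_from_user_dir", "Executes dropped EXE", e.pid))
        elif e.kind == "file":
            if "\\start menu\\programs\\startup\\" in low:
                hits.append(("startup_folder_drop", "T1547.001", e.pid))
            if low.endswith(":zone.identifier") and not img.endswith(BROWSERS):
                hits.append(("ads_write_by_non_browser", "T1564.004", e.pid))
        elif e.kind == "threadctx":
            target = by_pid.get(int(e.detail))
            if target and target.ppid == e.pid:   # hollowing-style: rewrote context of its own child
                hits.append(("set_thread_context_on_own_child", "T1055.012", e.pid))
    return hits


if __name__ == "__main__":
    for rule, label, pid in detect(EVENTS):
        print(f"{label:<22} {rule:<40} pid={pid}")
```

The rules are deliberately keyed on relationships (who spawned the sleeping cmd, whose child received the thread-context write, whether the firewall exception names a user-writable path) rather than on the file names, since chorme.exe and tmp.exe are trivially renamed by the next build while the parent/child shape of the chain is not.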
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\chorme.exe
  MD5: 810be04867d847b702dd5fa163cb0a66
  SHA1: fb2a355f356660ba494e70af002d6a728fe64aa7
  SHA256: e83d07b6a965bcaf8502f7d869ff69a647b2fc68dc82bcf8be4a6b79e0e03f19
  SHA512: b6e38765a9ae433994ac9d5986049aa33ab7fe581a324ef647f0295617bb00ed0af83ffc6cb33890052393ac1d34898553a3b78cab259bd4e45c446230652981
  (a different binary from the persisted copy below; this is the process, PID 2192, that receives the SetThreadContext/WriteProcessMemory injection)

C:\Users\Admin\AppData\Roaming\chorme\chorme.exe
  MD5: ab09790ec8dbb4c257d8a7c0f3a49943
  SHA1: 1b45a0349f77c7e07b725d32a5a32e80c00eef24
  SHA256: 303424a6536eedb027734b0557a32a064ceb0ed35f225d3f434a010fa13fe106
  SHA512: b420c0e0064de4038ad332316168e59ab88a6ffd63c5ccc1eb36c7b29a2b449591fc0af0557399e9677d8a503302c9e50ccf060f56e7c971cfe0d6ebeb814db3
  (byte-identical to the submitted sample: the persisted self-copy referenced by the Startup .lnk and the Load registry value)

C:\Users\Admin\AppData\Roaming\chorme\chorme.exe.bat
  MD5: 07ce0d8ff0a8ea3093a6ed6b32e06201
  SHA1: 8d4469b75a39cb88db7e98afab6cfdc7248a2b1f
  SHA256: e3bef7bc47b06572214a9f04b0e573268a1837c1db293e92f21f50f36516e926
  SHA512: 23db28dcbad04b544ee18b1e3dbd1ba40378721c6494bec9788572c3f31ba54eb2223a7b0e86d604ef6ae711c4a91cc9c340d67bfefe89b62e4bd991d998ab60

C:\Users\Admin\AppData\Roaming\tmp.exe
  MD5: 7809d89aebc16107af640aecfda94430
  SHA1: c00d9323e6c029998f9efdb3d51c1038ea138b42
  SHA256: dd29ac9bdbf4cc14ac684211f09c767c32a9ec2227a3be67b989757912dce611
  SHA512: 915fcf46559b2b417e13055c0b3b137f72562566d0de795c6851d2b59ee19e694208d2ccd990f64828f270353a1e716c099643b6ab9ed7ea1be55a8db48d122e
memory/2192-128  0x0000000002350000-0x0000000002351000  memory.dmp  (4KB)
memory/2192-123  0x000000000040748E  mapping.dmp  (non-zero start address inside the injected chorme.exe process, consistent with the SetThreadContext redirection)
memory/2384-115  0x00000000028F0000-0x00000000028F1000  memory.dmp  (4KB)
memory/2508-130  0x0000000000000000  mapping.dmp
memory/2568-116  0x0000000000000000  mapping.dmp
memory/2708-117  0x0000000000000000  mapping.dmp
memory/3488-119  0x0000000000000000  mapping.dmp
memory/3488-127  0x0000000002490000-0x0000000002491000  memory.dmp  (4KB)
memory/3640-126  0x0000000000000000  mapping.dmp
memory/3988-131  0x0000000000000000  mapping.dmp