Analysis
-
max time kernel
150s
-
max time network
152s
-
platform
windows10_x64
-
resource
win10v20210408
-
submitted
27-09-2021 05:30
Static task
static1
Behavioral task
behavioral1
Sample
7fb61de981925194d3f5a64495984e38556e43f26d58277d3bdbeea8d48382df.bin.exe
Resource
win7-en-20210920
General
-
Target
7fb61de981925194d3f5a64495984e38556e43f26d58277d3bdbeea8d48382df.bin.exe
-
Size
263KB
-
MD5
6735b414617870f41ae37db487fb5965
-
SHA1
a07e827422730b676fd53e79b0522bf2cd010413
-
SHA256
7fb61de981925194d3f5a64495984e38556e43f26d58277d3bdbeea8d48382df
-
SHA512
9e7eb3742c6b5f84130ae83959b253bdb635744d5bedb7b9a13e99bdca3fbbc0356ab55cc705aeb428e491c84c2a1152817c26bbe286632ab1eff0eb922a98df
Malware Config
Extracted
-
Family
njrat
-
Version
0.7d
-
Botnet
Lammer
-
C2
moskitu.ddns.net:1177
-
Mutex
9df50acbc9093297ff153d6c3b05e212
-
reg_key
9df50acbc9093297ff153d6c3b05e212
-
splitter
|'|'|
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
pid process
1156 Encryptado.exe
1552 Trojan.exe
-
Modifies Windows Firewall 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 31 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 1552 Trojan.exe
Token: 33 1552 Trojan.exe
Token: SeIncBasePriorityPrivilege 1552 Trojan.exe
Token: 33 1552 Trojan.exe
Token: SeIncBasePriorityPrivilege 1552 Trojan.exe
Token: 33 1552 Trojan.exe
Token: SeIncBasePriorityPrivilege 1552 Trojan.exe
Token: 33 1552 Trojan.exe
Token: SeIncBasePriorityPrivilege 1552 Trojan.exe
Token: 33 1552 Trojan.exe
Token: SeIncBasePriorityPrivilege 1552 Trojan.exe
Token: 33 1552 Trojan.exe
Token: SeIncBasePriorityPrivilege 1552 Trojan.exe
Token: 33 1552 Trojan.exe
Token: SeIncBasePriorityPrivilege 1552 Trojan.exe
Token: 33 1552 Trojan.exe
Token: SeIncBasePriorityPrivilege 1552 Trojan.exe
Token: 33 1552 Trojan.exe
Token: SeIncBasePriorityPrivilege 1552 Trojan.exe
Token: 33 1552 Trojan.exe
Token: SeIncBasePriorityPrivilege 1552 Trojan.exe
Token: 33 1552 Trojan.exe
Token: SeIncBasePriorityPrivilege 1552 Trojan.exe
Token: 33 1552 Trojan.exe
Token: SeIncBasePriorityPrivilege 1552 Trojan.exe
Token: 33 1552 Trojan.exe
Token: SeIncBasePriorityPrivilege 1552 Trojan.exe
Token: 33 1552 Trojan.exe
Token: SeIncBasePriorityPrivilege 1552 Trojan.exe
Token: 33 1552 Trojan.exe
Token: SeIncBasePriorityPrivilege 1552 Trojan.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description pid process target process
PID 636 wrote to memory of 1156 636 7fb61de981925194d3f5a64495984e38556e43f26d58277d3bdbeea8d48382df.bin.exe Encryptado.exe
PID 636 wrote to memory of 1156 636 7fb61de981925194d3f5a64495984e38556e43f26d58277d3bdbeea8d48382df.bin.exe Encryptado.exe
PID 636 wrote to memory of 1156 636 7fb61de981925194d3f5a64495984e38556e43f26d58277d3bdbeea8d48382df.bin.exe Encryptado.exe
PID 1156 wrote to memory of 1552 1156 Encryptado.exe Trojan.exe
PID 1156 wrote to memory of 1552 1156 Encryptado.exe Trojan.exe
PID 1156 wrote to memory of 1552 1156 Encryptado.exe Trojan.exe
PID 1552 wrote to memory of 1796 1552 Trojan.exe netsh.exe
PID 1552 wrote to memory of 1796 1552 Trojan.exe netsh.exe
PID 1552 wrote to memory of 1796 1552 Trojan.exe netsh.exe
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\7fb61de981925194d3f5a64495984e38556e43f26d58277d3bdbeea8d48382df.bin.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7fb61de981925194d3f5a64495984e38556e43f26d58277d3bdbeea8d48382df.bin.exe"
    - Suspicious use of WriteProcessMemory
-
  [2] C:\Users\Admin\AppData\Local\Temp\Encryptado.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Encryptado.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
-
    [3] C:\Users\Admin\AppData\Local\Temp\Trojan.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
-
      [4] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Encryptado.exe
MD5
6bcb1baa7f140265765dad544ffdc8aa
SHA1
240c108b01bcd4967995595c117512a1d743b1f0
SHA256
0537aee0746e17190e9da82efb25a6562ded2665b6bbf38c71b6bf00ce9eb3a4
SHA512
39a84848bc64827ec7308879db6df7988e33ab0e8ff1a6e74f07ca6dcbec2af8fd84e23b63d8ec01b69f963b007b86404fd5f861ef6e852d4311fa570fc47918
-
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
MD5
6bcb1baa7f140265765dad544ffdc8aa
SHA1
240c108b01bcd4967995595c117512a1d743b1f0
SHA256
0537aee0746e17190e9da82efb25a6562ded2665b6bbf38c71b6bf00ce9eb3a4
SHA512
39a84848bc64827ec7308879db6df7988e33ab0e8ff1a6e74f07ca6dcbec2af8fd84e23b63d8ec01b69f963b007b86404fd5f861ef6e852d4311fa570fc47918
-
memory/636-119-0x0000000001850000-0x0000000001851000-memory.dmp
Filesize
4KB
-
memory/636-114-0x0000000000FD0000-0x0000000000FD1000-memory.dmp
Filesize
4KB
-
memory/636-121-0x00000000059B0000-0x00000000059B1000-memory.dmp
Filesize
4KB
-
memory/636-122-0x0000000005D10000-0x0000000005D11000-memory.dmp
Filesize
4KB
-
memory/636-123-0x0000000001853000-0x0000000001855000-memory.dmp
Filesize
8KB
-
memory/636-124-0x0000000001855000-0x0000000001856000-memory.dmp
Filesize
4KB
-
memory/636-116-0x0000000001860000-0x0000000001861000-memory.dmp
Filesize
4KB
-
memory/636-120-0x0000000005BB0000-0x0000000005BB1000-memory.dmp
Filesize
4KB
-
memory/636-118-0x000000000A6D0000-0x000000000A6D1000-memory.dmp
Filesize
4KB
-
memory/636-117-0x000000000A130000-0x000000000A131000-memory.dmp
Filesize
4KB
-
memory/1156-128-0x0000000000AC0000-0x0000000000AC1000-memory.dmp
Filesize
4KB
-
memory/1156-125-0x0000000000000000-mapping.dmp
-
memory/1552-129-0x0000000000000000-mapping.dmp
-
memory/1552-132-0x0000000002E50000-0x0000000002E51000-memory.dmp
Filesize
4KB
-
memory/1796-133-0x0000000000000000-mapping.dmp