Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 30-09-2021 08:04
- Static task: static1
- Behavioral task: behavioral1
  Sample: 4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e.exe
  Resource: win7v20210408
- Behavioral task: behavioral2
  Sample: 4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e.exe
  Resource: win10-en-20210920
General
- Target: 4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e.exe
- Size: 1.7MB
- MD5: a2f35e38f6b100b91d0ddab680538d39
- SHA1: 1c81b383748ec30678d96c3aea78fbd08fbbb923
- SHA256: 4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e
- SHA512: 84ed35e114e7391f543f5f1eedde59f7bfc05117d96c7ad299ba54828097bc4c5abc6488cd0eaae971a7c09792e510c66b52cff842be992f0bc1aaac1639f615
Malware Config
Extracted
- Family: njrat
- Version: im523
- Botnet: HacKed
- C2: 91.213.44.57:9
- Mutex: f227f14b70512c480fba70d41029f780
- reg_key: f227f14b70512c480fba70d41029f780
- splitter: |'|'|
Signatures
- Executes dropped EXE (3 IoCs)
  Processes: EasyAutoClicker.exe, Server.exe, Local Security Authority Proccess.exe
  pid  | process
  3584 | EasyAutoClicker.exe
  3656 | Server.exe
  3484 | Local Security Authority Proccess.exe
- Modifies Windows Firewall (1 TTPs)
- Drops startup file (2 IoCs)
  Processes: Local Security Authority Proccess.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f227f14b70512c480fba70d41029f780.exe | Local Security Authority Proccess.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f227f14b70512c480fba70d41029f780.exe | Local Security Authority Proccess.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: Local Security Authority Proccess.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\f227f14b70512c480fba70d41029f780 = "\"C:\\Windows\\Local Security Authority Proccess.exe\" .." | Local Security Authority Proccess.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\f227f14b70512c480fba70d41029f780 = "\"C:\\Windows\\Local Security Authority Proccess.exe\" .." | Local Security Authority Proccess.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes: 4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e.exe
  pid  | process
  1572 | 4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e.exe
- autoit_exe (2 IoCs)
  AutoIT scripts compiled to PE executables.
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\EasyAutoClicker.exe | autoit_exe
  C:\Users\Admin\AppData\Local\Temp\EasyAutoClicker.exe | autoit_exe
- Drops file in Windows directory (3 IoCs)
  Processes: Server.exe, Local Security Authority Proccess.exe
  description | ioc | process
  File created | C:\Windows\Local Security Authority Proccess.exe | Server.exe
  File opened for modification | C:\Windows\Local Security Authority Proccess.exe | Server.exe
  File opened for modification | C:\Windows\Local Security Authority Proccess.exe | Local Security Authority Proccess.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: Local Security Authority Proccess.exe
  pid  | process
  3484 | Local Security Authority Proccess.exe (the same pid/process pair is recorded 64 times)
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes: EasyAutoClicker.exe, Local Security Authority Proccess.exe
  pid  | process
  3584 | EasyAutoClicker.exe
  3484 | Local Security Authority Proccess.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes: Local Security Authority Proccess.exe
  description | pid | process
  Token: SeDebugPrivilege | 3484 | Local Security Authority Proccess.exe
  Token: 33 | 3484 | Local Security Authority Proccess.exe
  Token: SeIncBasePriorityPrivilege | 3484 | Local Security Authority Proccess.exe
  (after the single SeDebugPrivilege entry, the Token: 33 and Token: SeIncBasePriorityPrivilege entries alternate for pid 3484 until the 35 IoCs are reached)
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: 4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e.exe
  pid  | process
  1572 | 4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e.exe, Server.exe, Local Security Authority Proccess.exe
  description | pid | process | target process
  PID 1572 wrote to memory of 3584 | 1572 | 4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e.exe | EasyAutoClicker.exe (recorded 3 times)
  PID 1572 wrote to memory of 3656 | 1572 | 4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e.exe | Server.exe (recorded 3 times)
  PID 3656 wrote to memory of 3484 | 3656 | Server.exe | Local Security Authority Proccess.exe (recorded 3 times)
  PID 3484 wrote to memory of 4040 | 3484 | Local Security Authority Proccess.exe | netsh.exe (recorded 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\EasyAutoClicker.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\EasyAutoClicker.exe"
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
  - C:\Users\Admin\AppData\Local\Temp\Server.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Local Security Authority Proccess.exe
      Command line: "C:\Windows\Local Security Authority Proccess.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Windows\Local Security Authority Proccess.exe" "Local Security Authority Proccess.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\EasyAutoClicker.exe
  MD5: 1e2b54d571f2dfcd7fe3f0d2b2420693
  SHA1: 4f7e8fbe98610450e0104e7204993df3c37c0f87
  SHA256: 69d2d487c7a6f63665ccf78d49313ec6def92102bc06fe22f7a8f44f1a1f009c
  SHA512: f961471b11c53097a25c3b3324c7fe968cbf50db352e3f5859988318c347f376ea8703a9cc12f2fd424e335656016626f873bf146d018cbf123465320df8bde7
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  MD5: a8b14016bd5f88f25a5c7dc78848b3c2
  SHA1: ff8e84b56429ee6d8bd907fb1f510f31dc510ab2
  SHA256: 4373409eada277ee5d3e6cd4c3f5b3f08c36595874f8295787beeb7f49b9ede2
  SHA512: c8bf0fd6152ffaf08d34d154fe0ff11de3659598727824e41253ecd51772cd19e46da40edba9d8c5574b4bbe9dbb9078133f52b6116d9b504ea6d2c5396d2ca5
- C:\Windows\Local Security Authority Proccess.exe
  MD5: a8b14016bd5f88f25a5c7dc78848b3c2
  SHA1: ff8e84b56429ee6d8bd907fb1f510f31dc510ab2
  SHA256: 4373409eada277ee5d3e6cd4c3f5b3f08c36595874f8295787beeb7f49b9ede2
  SHA512: c8bf0fd6152ffaf08d34d154fe0ff11de3659598727824e41253ecd51772cd19e46da40edba9d8c5574b4bbe9dbb9078133f52b6116d9b504ea6d2c5396d2ca5
- memory/3484-122-0x0000000000000000-mapping.dmp
- memory/3484-125-0x0000000002E30000-0x0000000002E31000-memory.dmp (Filesize: 4KB)
- memory/3584-115-0x0000000000000000-mapping.dmp
- memory/3656-118-0x0000000000000000-mapping.dmp
- memory/3656-121-0x0000000001820000-0x0000000001821000-memory.dmp (Filesize: 4KB)
- memory/4040-126-0x0000000000000000-mapping.dmp