Analysis
Max time kernel: 149s
Max time network: 53s
Platform: windows7_x64
Resource: win7v20210408
Submitted: 30-09-2021 11:59
Static task: static1
Behavioral task: behavioral1
  Sample: 7fac1840ad4e66c62cfc1f90ddf1951e6422457555c57048ac987e080a13e14b.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 7fac1840ad4e66c62cfc1f90ddf1951e6422457555c57048ac987e080a13e14b.exe
  Resource: win10-en-20210920
General
Target: 7fac1840ad4e66c62cfc1f90ddf1951e6422457555c57048ac987e080a13e14b.exe
Size: 794KB
MD5: 4ca8b569fa3d95c9c619135ca8c8f7b3
SHA1: 0f3cf76fb9382928c6c8ab19408154fdc6386926
SHA256: 7fac1840ad4e66c62cfc1f90ddf1951e6422457555c57048ac987e080a13e14b
SHA512: 371c5356bb0cc382505f492ec3dc90340005fe8591c668cc07c25439693e350177588088d753695d0d5258d91a0f8181f390ebcf00983947fe482328f9f64298
Malware Config
Extracted: njrat
Version: 0.7d
@ HaCkInG By Dr WeSt @
de3533c5cf00b5a9a0d499054fac5999
reg_key: de3533c5cf00b5a9a0d499054fac5999
splitter: |'|'|
Note: in njRAT builds the reg_key string is the value name the RAT uses for its Run-key persistence entry, and the splitter is the field delimiter of its C2 messages. No registry-persistence signature fired in this run, so when triaging a suspect host check the HKCU and HKLM Run keys for that value name rather than relying on the report alone.
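The extracted splitter is the most reusable indicator in the config block: it lets a network sensor recover the fields of njRAT C2 messages from a raw byte stream. The following is an added example, not code from the report or from njRAT itself. It assumes the framing described in public analyses of the njRAT 0.7 series (decimal payload length, a NUL byte, then the payload, with fields separated by the splitter); that framing is an assumption here, and the sample stream is constructed for the example, not captured from this sample.

```python
"""Added example, not part of the sandbox report or of njRAT itself.

Uses the extracted `splitter` value to pull fields out of a raw njRAT C2
byte stream. Assumed framing (labelled assumption, based on public njRAT
0.7-series analyses): each message is the decimal byte length of the
payload, a NUL byte, then the payload; fields inside the payload are
separated by the splitter. SAMPLE_STREAM below is constructed for this
example; it is not traffic captured from the analysed sample.
"""
import re
from typing import List, Tuple

SPLITTER = "|'|'|"                      # value extracted from the sample's config
_HEADER = re.compile(rb"(\d+)\x00")     # "<decimal length>\0" (assumed framing)


def frame_messages(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Split a buffer into complete length-prefixed payloads.

    Returns (payloads, leftover). Leftover is either a partial message
    (keep reading the socket and append to it) or data that does not
    start with a valid header (resync needed). Stops rather than raising
    so a detector can still score the messages seen so far.
    """
    payloads: List[bytes] = []
    while buf:
        m = _HEADER.match(buf)          # match() anchors at offset 0
        if not m:
            break                       # not a header: hand back for resync
        length, start = int(m.group(1)), m.end()
        if len(buf) < start + length:
            break                       # partial message: wait for more bytes
        payloads.append(buf[start:start + length])
        buf = buf[start + length:]
    return payloads, buf


def split_fields(payload: bytes, splitter: str = SPLITTER) -> List[str]:
    """Split one payload into its fields on the configured splitter."""
    return payload.decode("utf-8", errors="replace").split(splitter)


def looks_like_njrat(buf: bytes, splitter: str = SPLITTER) -> bool:
    """Detection heuristic: valid length framing AND the splitter present
    in at least one complete message."""
    payloads, _ = frame_messages(buf)
    needle = splitter.encode()
    return any(needle in p for p in payloads)


def _msg(*fields: str) -> bytes:
    """Build one framed message (used only to construct sample input)."""
    payload = SPLITTER.join(fields).encode()
    return str(len(payload)).encode() + b"\x00" + payload


# Constructed sample stream: two complete messages with placeholder field
# values, then the start of a third message that has not fully arrived.
SAMPLE_STREAM = _msg("cmd1", "field-a", "field-b") + _msg("cmd2") + b"12\x00abc"

if __name__ == "__main__":
    msgs, rest = frame_messages(SAMPLE_STREAM)
    for m in msgs:
        print(split_fields(m))
    print("leftover:", rest, "njrat-like:", looks_like_njrat(SAMPLE_STREAM))
```

The framing check matters as much as the splitter: the splitter alone is a short string that can appear in unrelated traffic, while a stream that both parses as length-prefixed messages and carries the splitter inside those messages is a much stronger match. Keep the leftover bytes between reads, since C2 messages rarely align with TCP segment boundaries.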
Signatures
Executes dropped EXE (1 IoC)
  Process: 0.exe (PID 1248)
Modifies Windows Firewall (1 TTP)
Enumerates physical storage devices (1 TTP)
  Sandbox description: attempts to interact with connected storage/optical drive(s); likely ransomware behaviour. That text is the generic description attached to this signature, not a finding specific to this sample; for an njRAT build, drive enumeration is consistent with the RAT's file-manager functionality.
Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Process 0.exe (PID 1248): SeDebugPrivilege once, then Token 33 and SeIncBasePriorityPrivilege alternating, 17 times each (35 entries in total). A freshly dropped binary in %APPDATA% enabling SeDebugPrivilege is a strong triage signal on its own.
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1984 (7fac1840ad4e66c62cfc1f90ddf1951e6422457555c57048ac987e080a13e14b.exe) wrote to memory of PID 1248 (0.exe), 4 times
  PID 1248 (0.exe) wrote to memory of PID 468 (netsh.exe), 4 times
  Writes from a parent into a child it has just created also occur for an ordinary CreateProcess, so these entries corroborate the process chain rather than prove code injection on their own.
Processes
1. C:\Users\Admin\AppData\Local\Temp\7fac1840ad4e66c62cfc1f90ddf1951e6422457555c57048ac987e080a13e14b.exe (PID 1984)
   "C:\Users\Admin\AppData\Local\Temp\7fac1840ad4e66c62cfc1f90ddf1951e6422457555c57048ac987e080a13e14b.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\0.exe (PID 1248)
      "C:\Users\Admin\AppData\Roaming\0.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (PID 468)
         netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\0.exe" "0.exe" ENABLE
The netsh command adds the dropped executable to the Windows Firewall allowed-program list using the legacy "netsh firewall" context, so inbound connections to the RAT are not blocked. netsh runs from SysWOW64 rather than System32 because 0.exe is a 32-bit process and file-system redirection applies under WOW64.
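The firewall step is the most detectable part of this chain: a binary in a user-writable directory spawning netsh to whitelist itself. The following is an added example, not code from the report or from any sandbox or EDR product. It uses a minimal hypothetical event schema (pid, ppid, image, cmdline) that you would map your own process-creation telemetry onto, and the record list is constructed from the report's process tree plus one benign control record. It goes beyond the single command in the report by also matching the newer "netsh advfirewall firewall add rule ... program=" syntax.

```python
"""Added example, not part of the sandbox report.

Flags a process that registers a program as a Windows Firewall exception via
netsh, the pattern in the report's process tree (0.exe -> netsh firewall add
allowedprogram), and also the newer advfirewall syntax. Event records use a
minimal hypothetical schema (pid, ppid, image, cmdline). SANDBOX_TREE is
constructed from the report's tree plus one benign control record.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Directories a non-admin user can write to; a firewall exception for a
# binary living here is far more suspicious than one under Program Files.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Users\\Public|ProgramData)\\", re.I)

# One token = runs of non-space, non-quote chars and/or "quoted strings",
# so program="C:\Program Files\x.exe" stays a single token.
_TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')


def tokenize(cmdline: str) -> List[str]:
    return [t.replace('"', "") for t in _TOKEN.findall(cmdline)]


def firewall_allow_target(cmdline: str) -> Optional[str]:
    """Return the program path a netsh command adds as a firewall exception,
    or None if the command line is not such a command."""
    toks = tokenize(cmdline)
    low = [t.lower() for t in toks]
    if not low or low[0].rsplit("\\", 1)[-1] not in ("netsh", "netsh.exe"):
        return None
    # Legacy context (what this sample used):
    #   netsh firewall add allowedprogram <path> <name> ENABLE
    #   netsh firewall add allowedprogram program=<path> name=<name> mode=ENABLE
    for i in range(len(low) - 2):
        if low[i:i + 3] == ["firewall", "add", "allowedprogram"]:
            rest = toks[i + 3:]
            for t in rest:
                if t.lower().startswith("program="):
                    return t[len("program="):]
            return rest[0] if rest else None
    # Current context: netsh advfirewall firewall add rule ... program=<path>
    for i in range(len(low) - 3):
        if low[i:i + 4] == ["advfirewall", "firewall", "add", "rule"]:
            for t in toks[i + 4:]:
                if t.lower().startswith("program="):
                    return t[len("program="):]
            return None  # port/protocol-only rule: no program whitelisted
    return None


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    parent_image: str
    allowed: str
    user_writable: bool      # allowed program sits in a user-writable path
    self_whitelisting: bool  # allowed program is the parent that ran netsh


def find_firewall_bypass(procs: List[Proc]) -> List[Finding]:
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    findings: List[Finding] = []
    for p in procs:
        target = firewall_allow_target(p.cmdline)
        if target is None:
            continue
        parent = by_pid.get(p.ppid)
        parent_image = parent.image if parent else ""
        findings.append(Finding(
            pid=p.pid, parent_image=parent_image, allowed=target,
            user_writable=bool(USER_WRITABLE.search(target)),
            self_whitelisting=parent_image.lower() == target.lower(),
        ))
    return findings


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\7fac1840ad4e66c62cfc1f90ddf1951e6422457555c57048ac987e080a13e14b.exe")
DROPPED = r"C:\Users\Admin\AppData\Roaming\0.exe"

# Constructed from the report's process tree. ppid 0 for the root because
# the report does not show the submitter's parent process.
SANDBOX_TREE = [
    Proc(1984, 0, SAMPLE, f'"{SAMPLE}"'),
    Proc(1248, 1984, DROPPED, f'"{DROPPED}"'),
    Proc(468, 1248, r"C:\Windows\SysWOW64\netsh.exe",
         f'netsh firewall add allowedprogram "{DROPPED}" "0.exe" ENABLE'),
    # Benign control record (constructed): a port rule with no program.
    Proc(900, 800, r"C:\Windows\System32\netsh.exe",
         'netsh advfirewall firewall add rule name="web" dir=in '
         'action=allow protocol=TCP localport=443'),
]

if __name__ == "__main__":
    for f in find_firewall_bypass(SANDBOX_TREE):
        print(f)
```

Run against the constructed tree this yields one finding: PID 468, whitelisting C:\Users\Admin\AppData\Roaming\0.exe, with both user_writable and self_whitelisting set, while the advfirewall port rule produces nothing. In production, treat self_whitelisting from a user-writable path as high confidence and a plain program rule from an installer or admin shell as informational.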
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\0.exe
MD5: 6d74e33782b69655bae3843e16cfdb4d
SHA1: beb96a6b67c476874bb3ad8ccaf192da15d9d126
SHA256: 6381c8097fb106187e446982485f79d5361edcd65e740fb151c38531d6a615f0
SHA512: aa2cdb3e8629009f776412598a0eecbe7e80a616fe4228b8bc9f28a2f5fef50750dbb530594caf40ec54390bfe67b25cf9ab0074f8f0c40f018d3d2cb137a196
The dropped 0.exe hashes differently from the submitted sample, so block and hunt on both sets of hashes, not only the submitted file's.
-
memory/468-66-0x0000000000000000-mapping.dmp
memory/1248-61-0x0000000000000000-mapping.dmp
memory/1248-64-0x0000000075AD1000-0x0000000075AD3000-memory.dmp (8KB)
memory/1248-65-0x0000000000C60000-0x0000000000C61000-memory.dmp (4KB)
memory/1984-59-0x00000000011E0000-0x00000000011E1000-memory.dmp (4KB)