Analysis
- max time kernel: 149s
- max time network: 121s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 30-09-2021 11:59
Static task: static1
Behavioral task: behavioral1
  Sample: 7fac1840ad4e66c62cfc1f90ddf1951e6422457555c57048ac987e080a13e14b.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 7fac1840ad4e66c62cfc1f90ddf1951e6422457555c57048ac987e080a13e14b.exe
  Resource: win10-en-20210920
General
- Target: 7fac1840ad4e66c62cfc1f90ddf1951e6422457555c57048ac987e080a13e14b.exe
- Size: 794KB
- MD5: 4ca8b569fa3d95c9c619135ca8c8f7b3
- SHA1: 0f3cf76fb9382928c6c8ab19408154fdc6386926
- SHA256: 7fac1840ad4e66c62cfc1f90ddf1951e6422457555c57048ac987e080a13e14b
- SHA512: 371c5356bb0cc382505f492ec3dc90340005fe8591c668cc07c25439693e350177588088d753695d0d5258d91a0f8181f390ebcf00983947fe482328f9f64298
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: @ HaCkInG By Dr WeSt @
- Mutex: de3533c5cf00b5a9a0d499054fac5999
- reg_key: de3533c5cf00b5a9a0d499054fac5999
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    3720  0.exe
- Modifies Windows Firewall (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege            3720  0.exe
    Token: 33                          3720  0.exe
    Token: SeIncBasePriorityPrivilege  3720  0.exe
    (the last two rows repeat alternately 16 times, 33 rows in total)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid / process / target process):
    PID 3612 wrote to memory of 3720  3612  7fac1840ad4e66c62cfc1f90ddf1951e6422457555c57048ac987e080a13e14b.exe  0.exe  (3 rows)
    PID 3720 wrote to memory of 4328  3720  0.exe  netsh.exe  (3 rows)
Processes
1. C:\Users\Admin\AppData\Local\Temp\7fac1840ad4e66c62cfc1f90ddf1951e6422457555c57048ac987e080a13e14b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7fac1840ad4e66c62cfc1f90ddf1951e6422457555c57048ac987e080a13e14b.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\0.exe
      Command line: "C:\Users\Admin\AppData\Roaming\0.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\0.exe" "0.exe" ENABLE
Downloads
- C:\Users\Admin\AppData\Roaming\0.exe
  MD5: 6d74e33782b69655bae3843e16cfdb4d
  SHA1: beb96a6b67c476874bb3ad8ccaf192da15d9d126
  SHA256: 6381c8097fb106187e446982485f79d5361edcd65e740fb151c38531d6a615f0
  SHA512: aa2cdb3e8629009f776412598a0eecbe7e80a616fe4228b8bc9f28a2f5fef50750dbb530594caf40ec54390bfe67b25cf9ab0074f8f0c40f018d3d2cb137a196
- memory/3612-115-0x0000000000C70000-0x0000000000C71000-memory.dmp
  Filesize: 4KB
- memory/3720-117-0x0000000000000000-mapping.dmp
- memory/3720-120-0x0000000000640000-0x000000000078A000-memory.dmp
  Filesize: 1.3MB
- memory/4328-121-0x0000000000000000-mapping.dmp