Analysis
max time kernel: 151s
max time network: 131s
platform: windows7_x64
resource: win7-en-20210920
submitted: 30-09-2021 12:36
Static task: static1
Behavioral task: behavioral1
  Sample: 73ef8785ce221925db2e244da366959e541eed19f13fe85bb58892880381071c.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: 73ef8785ce221925db2e244da366959e541eed19f13fe85bb58892880381071c.exe
  Resource: win10-en-20210920
General
Target: 73ef8785ce221925db2e244da366959e541eed19f13fe85bb58892880381071c.exe
Size: 125KB
MD5: 0d2a094f6702c6723432871c12e35d79
SHA1: 993881a65653a92c938116dfca5fee60c6698c81
SHA256: 73ef8785ce221925db2e244da366959e541eed19f13fe85bb58892880381071c
SHA512: 94157f8f392746089fb0973c9cef857a902bf3157d85ef7e8cfe6845a60f2d9ede317b99d2ea922096083bc894fa5cacaf9c7c0af51685410251b83bfcd69d4b
Malware Config
Extracted
  Family: njrat
  Version: v2.0
  Botnet: @ WeSt - HaCkInG K.S.A @
  C2: w187.ddns.net:22
  Mutex: Intel HD Graphics Drivers for Windows(R)
  Attributes:
    reg_key: Intel HD Graphics Drivers for Windows(R)
    splitter: |-F-|
Signatures

Executes dropped EXE (2 IoCs)
  pid  | process
  1756 | Intel HD Graphics Drivers for Windows(R).exe
  1572 | Intel HD Graphics Drivers for Windows(R).exe

Drops startup file (4 IoCs)
  description                  | ioc                                                                                                                          | process
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel HD Graphics Drivers for Windows(R).lnk | Intel HD Graphics Drivers for Windows(R).exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel HD Graphics Drivers for Windows(R).lnk | Intel HD Graphics Drivers for Windows(R).exe
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel HD Graphics Drivers for Windows(R).exe | Intel HD Graphics Drivers for Windows(R).exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel HD Graphics Drivers for Windows(R).exe | Intel HD Graphics Drivers for Windows(R).exe

Loads dropped DLL (2 IoCs)
  pid  | process
  1548 | 73ef8785ce221925db2e244da366959e541eed19f13fe85bb58892880381071c.exe
  1756 | Intel HD Graphics Drivers for Windows(R).exe

Adds Run key to start application (2 TTPs, 5 IoCs)
  description     | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Intel HD Graphics Drivers for Windows(R) = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Intel HD Graphics Drivers for Windows(R).URL" | Intel HD Graphics Drivers for Windows(R).exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Intel HD Graphics Drivers for Windows(R) = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Intel HD Graphics Drivers for Windows(R).URL" | Intel HD Graphics Drivers for Windows(R).exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Intel HD Graphics Drivers for Windows(R)2 = "C:\\Users\\Admin\\AppData\\Roaming\\Intel HD Graphics Drivers for Windows(R).exe" | Intel HD Graphics Drivers for Windows(R).exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Intel HD Graphics Drivers for Windows(R)2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Intel HD Graphics Drivers for Windows(R).URL" | Intel HD Graphics Drivers for Windows(R).exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Intel HD Graphics Drivers for Windows(R)2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Intel HD Graphics Drivers for Windows(R).URL" | Intel HD Graphics Drivers for Windows(R).exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (31 IoCs)
  description                       | pid  | process
  Token: SeDebugPrivilege           | 1572 | Intel HD Graphics Drivers for Windows(R).exe
  Token: 33                         | 1572 | Intel HD Graphics Drivers for Windows(R).exe
  Token: SeIncBasePriorityPrivilege | 1572 | Intel HD Graphics Drivers for Windows(R).exe
  (the last two rows alternate and repeat; 15 occurrences of each, 31 rows in total, all for pid 1572)

Suspicious use of WriteProcessMemory (12 IoCs)
  description                    | pid  | process                                                              | target process
  PID 1548 wrote to memory of 1756 | 1548 | 73ef8785ce221925db2e244da366959e541eed19f13fe85bb58892880381071c.exe | Intel HD Graphics Drivers for Windows(R).exe
  PID 1756 wrote to memory of 1572 | 1756 | Intel HD Graphics Drivers for Windows(R).exe                          | Intel HD Graphics Drivers for Windows(R).exe
  PID 1756 wrote to memory of 752  | 1756 | Intel HD Graphics Drivers for Windows(R).exe                          | attrib.exe
  (each of the three rows is recorded 4 times, 12 rows in total)

Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\73ef8785ce221925db2e244da366959e541eed19f13fe85bb58892880381071c.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\73ef8785ce221925db2e244da366959e541eed19f13fe85bb58892880381071c.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\Intel HD Graphics Drivers for Windows(R).exe
        command line: "C:\Users\Admin\AppData\Local\Temp\Intel HD Graphics Drivers for Windows(R).exe"
        - Executes dropped EXE
        - Drops startup file
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Roaming\Intel HD Graphics Drivers for Windows(R).exe
            command line: "C:\Users\Admin\AppData\Roaming\Intel HD Graphics Drivers for Windows(R).exe"
            - Executes dropped EXE
            - Drops startup file
            - Adds Run key to start application
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\SysWOW64\attrib.exe
            command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Intel HD Graphics Drivers for Windows(R).exe"
            - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\Intel HD Graphics Drivers for Windows(R).exe
  MD5: f19f7b77300d578fe7f0304ee15bfae3
  SHA1: 89f17fcbf414876b65e555d8cf51ab8db4db132c
  SHA256: 7e9b32e715ed33aa05dbcf577876933ee43a0632ffcd95a50b23d612d82a88d1
  SHA512: 167c1c0e40105556068675f62fd06131864e7fa813d0575882c6d5ac60812ef42a348ee78d3fe11348fe1561e8beda72440030daaca1401b1ed314d70ffa128d

C:\Users\Admin\AppData\Roaming\Intel HD Graphics Drivers for Windows(R).exe
  MD5: f19f7b77300d578fe7f0304ee15bfae3
  SHA1: 89f17fcbf414876b65e555d8cf51ab8db4db132c
  SHA256: 7e9b32e715ed33aa05dbcf577876933ee43a0632ffcd95a50b23d612d82a88d1
  SHA512: 167c1c0e40105556068675f62fd06131864e7fa813d0575882c6d5ac60812ef42a348ee78d3fe11348fe1561e8beda72440030daaca1401b1ed314d70ffa128d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel HD Graphics Drivers for Windows(R).lnk
  MD5: 5f14bdcc67d5f5a4a05e8c360ceceeb3
  SHA1: 5db8d7a63f4e877ecc9fd3f5bcf929b6ac216e2a
  SHA256: 1d47d4a6cb80db37332277c55dc5c39c60fba08fbe508087892e8f8e9148d139
  SHA512: 664ab91773d0fa95664f1a2b100a96aa33ee241abd0a52ac030f0483c31bd40afe03bad268cccf3d876bd35af993f5e95b22b10c13069161568c7d82a0cb17fc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Intel HD Graphics Drivers for Windows(R).lnk
  MD5: f2c1b6c91fadf5fd70bbb605cbf27e7d
  SHA1: 9a01eb3a675a8a51814905b0dde35336fb7d41f1
  SHA256: d282fa7eddb517c9429b79d6a17d786727f53f729fa24c6236b8bdaf54562ab1
  SHA512: 64040036fbb35286a80d808f081c9441182839a192622029781d160885dabab5fc78e49e561fe12c26c76857532f04eca94c6285b05613c33ffbf582db8903c5

\Users\Admin\AppData\Local\Temp\Intel HD Graphics Drivers for Windows(R).exe
  MD5: f19f7b77300d578fe7f0304ee15bfae3
  SHA1: 89f17fcbf414876b65e555d8cf51ab8db4db132c
  SHA256: 7e9b32e715ed33aa05dbcf577876933ee43a0632ffcd95a50b23d612d82a88d1
  SHA512: 167c1c0e40105556068675f62fd06131864e7fa813d0575882c6d5ac60812ef42a348ee78d3fe11348fe1561e8beda72440030daaca1401b1ed314d70ffa128d

\Users\Admin\AppData\Roaming\Intel HD Graphics Drivers for Windows(R).exe
  MD5: f19f7b77300d578fe7f0304ee15bfae3
  SHA1: 89f17fcbf414876b65e555d8cf51ab8db4db132c
  SHA256: 7e9b32e715ed33aa05dbcf577876933ee43a0632ffcd95a50b23d612d82a88d1
  SHA512: 167c1c0e40105556068675f62fd06131864e7fa813d0575882c6d5ac60812ef42a348ee78d3fe11348fe1561e8beda72440030daaca1401b1ed314d70ffa128d
memory/752-67-0x0000000000000000-mapping.dmp
memory/1548-56-0x0000000004530000-0x0000000004531000-memory.dmp (Filesize: 4KB)
memory/1548-54-0x0000000000400000-0x0000000000401000-memory.dmp (Filesize: 4KB)
memory/1572-64-0x0000000000000000-mapping.dmp
memory/1572-71-0x00000000007A0000-0x00000000007A1000-memory.dmp (Filesize: 4KB)
memory/1756-58-0x0000000000000000-mapping.dmp
memory/1756-61-0x00000000762D1000-0x00000000762D3000-memory.dmp (Filesize: 8KB)
memory/1756-62-0x0000000001F80000-0x0000000001F81000-memory.dmp (Filesize: 4KB)