Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 04-10-2021 03:21
Static task: static1
Behavioral task: behavioral1
  Sample: 7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: 7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe
  Resource: win10v20210408
General
- Target: 7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe
- Size: 450KB
- MD5: 103aa6d5669a9f0246d44a5fadb767cd
- SHA1: b01d65d6b11d48dcb75fbb7e02a6d23c6d675b95
- SHA256: 7c38da59f7862d189ac6e2d4959016d062c972d3c89408fe7e3602cb9f4a002a
- SHA512: 9ab37a961b186dbc4cbceb23c3a5b48017d825e831034214b580e6401956a90661ed82dbea9315f02320ea39185f927318e1758148e418960c53576399bbc8c3
Malware Config
Extracted
- njrat
- v4.0
- Quran
- 165.227.31.192:22867
- Windows
- reg_key: Windows
- splitter: |-F-|
Signatures

- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  528 | Payload.exe

- Drops startup file (5 IoCs)
  Processes (description | ioc | process):
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | Payload.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | attrib.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | 7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | Payload.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | Payload.exe

- Loads dropped DLL (1 IoC)
  Processes (pid | process):
  1336 | 7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe

- Adds Run key to start application (2 TTPs, 5 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe" | 7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 1336 | 7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe
  Token: SeDebugPrivilege | 528 | Payload.exe
  Token: 33 | 528 | Payload.exe
  Token: SeIncBasePriorityPrivilege | 528 | Payload.exe

- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (description | pid | process | target process); each entry was recorded 4 times:
  PID 1336 wrote to memory of 528 | 1336 | 7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe | Payload.exe
  PID 1336 wrote to memory of 1064 | 1336 | 7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe | attrib.exe
  PID 528 wrote to memory of 1880 | 528 | Payload.exe | attrib.exe
  PID 528 wrote to memory of 1684 | 528 | Payload.exe | attrib.exe

- Views/modifies file attributes (1 TTP, 3 IoCs)
  Processes (pid | process):
  1064 | attrib.exe
  1880 | attrib.exe
  1684 | attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Payload.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
      - Drops startup file
      - Views/modifies file attributes
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\attrib.exe
    Command line: attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
    - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Payload.exe
  MD5: 103aa6d5669a9f0246d44a5fadb767cd
  SHA1: b01d65d6b11d48dcb75fbb7e02a6d23c6d675b95
  SHA256: 7c38da59f7862d189ac6e2d4959016d062c972d3c89408fe7e3602cb9f4a002a
  SHA512: 9ab37a961b186dbc4cbceb23c3a5b48017d825e831034214b580e6401956a90661ed82dbea9315f02320ea39185f927318e1758148e418960c53576399bbc8c3
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe
  MD5: 103aa6d5669a9f0246d44a5fadb767cd
  SHA1: b01d65d6b11d48dcb75fbb7e02a6d23c6d675b95
  SHA256: 7c38da59f7862d189ac6e2d4959016d062c972d3c89408fe7e3602cb9f4a002a
  SHA512: 9ab37a961b186dbc4cbceb23c3a5b48017d825e831034214b580e6401956a90661ed82dbea9315f02320ea39185f927318e1758148e418960c53576399bbc8c3
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
  MD5: b9622246a2ed61171999ee678f6cc470
  SHA1: 947ec795fbe97ce8c9b4622b456353716faceefa
  SHA256: bb8e11992d8f89c50638b95705372a1d5d136784844ccdb98e44ceb79af96056
  SHA512: 102f07473a2ee840f197e8279042b7e5f591d85d238d8ed8a11309f9ed3a6b7f54771a9d163b326ac74f7ac7f411d1114f42e938599ce4d11caaf3cd4b881d1e
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
  MD5: f6cb7b462491f3bd6758b9848a25fa09
  SHA1: 13875fca8b81fcc40cff20a9337d04d704adbaac
  SHA256: 8e1c016974f9f54989bacb9ee970508471d3dec83d0938a41c718bee667077df
  SHA512: 3d86c05351743f0ba38e843f4022e2931bede4a273dfd1d257eff420d1329d998f6619209023033d8185743249f0bfd7ff50d0e5cd6bc2b065698aca303727f9
- \Users\Admin\AppData\Local\Temp\Payload.exe
  MD5: 103aa6d5669a9f0246d44a5fadb767cd
  SHA1: b01d65d6b11d48dcb75fbb7e02a6d23c6d675b95
  SHA256: 7c38da59f7862d189ac6e2d4959016d062c972d3c89408fe7e3602cb9f4a002a
  SHA512: 9ab37a961b186dbc4cbceb23c3a5b48017d825e831034214b580e6401956a90661ed82dbea9315f02320ea39185f927318e1758148e418960c53576399bbc8c3
- memory/528-59-0x0000000000000000-mapping.dmp
- memory/528-63-0x00000000003F0000-0x00000000003F1000-memory.dmp (Filesize: 4KB)
- memory/528-66-0x0000000004890000-0x0000000004891000-memory.dmp (Filesize: 4KB)
- memory/1064-61-0x0000000000000000-mapping.dmp
- memory/1336-57-0x0000000000420000-0x0000000000427000-memory.dmp (Filesize: 28KB)
- memory/1336-56-0x00000000047E0000-0x00000000047E1000-memory.dmp (Filesize: 4KB)
- memory/1336-53-0x00000000000C0000-0x00000000000C1000-memory.dmp (Filesize: 4KB)
- memory/1336-55-0x0000000000250000-0x0000000000251000-memory.dmp (Filesize: 4KB)
- memory/1684-71-0x0000000000000000-mapping.dmp
- memory/1880-70-0x0000000000000000-mapping.dmp