Analysis
- max time kernel: 150s
- max time network: 193s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 08-10-2021 02:32
Static task: static1
Behavioral task: behavioral1
- Sample: 8B54AC281EA90D359B212B1CE7FFD0B4AC5CAB9EE2F93.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 8B54AC281EA90D359B212B1CE7FFD0B4AC5CAB9EE2F93.exe
- Resource: win10v20210408
General
- Target: 8B54AC281EA90D359B212B1CE7FFD0B4AC5CAB9EE2F93.exe
- Size: 395KB
- MD5: 72a2512b36128f94127a7206df3a5032
- SHA1: 6a3873d420dad9f5f20ce7f8493efc3c2cfe5a18
- SHA256: 8b54ac281ea90d359b212b1ce7ffd0b4ac5cab9ee2f93bd9ca393b992556e80a
- SHA512: 2122b37537c94960ba2154e8c15acd2b3983cf53314e8368b02ee87956e8d98287163f64917a844be30dae8a7c0936604b4ec94df0fc81192d270865ac640166
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: Lammer
- C2: 6.tcp.ngrok.io:16860
- Mutex: 142514b06c5331e576c2b748ba1ec681
- reg_key: 142514b06c5331e576c2b748ba1ec681
- splitter: |'|'|
Signatures
- Executes dropped EXE (3 IoCs)
  Processes: server.EXE, CSGhost-V4.EXE, temp_wrapped_31366.exe
  pid  | process
  1720 | server.EXE
  1672 | CSGhost-V4.EXE
  316  | temp_wrapped_31366.exe
- Modifies Windows Firewall (1 TTPs)
- Drops startup file (2 IoCs)
  Processes: server.EXE
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\142514b06c5331e576c2b748ba1ec681.exe | server.EXE
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\142514b06c5331e576c2b748ba1ec681.exe | server.EXE
- Loads dropped DLL (4 IoCs)
  Processes: 8B54AC281EA90D359B212B1CE7FFD0B4AC5CAB9EE2F93.exe
  pid  | process
  1988 | 8B54AC281EA90D359B212B1CE7FFD0B4AC5CAB9EE2F93.exe (listed 4 times)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: server.EXE
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\142514b06c5331e576c2b748ba1ec681 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.EXE\" .." | server.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\142514b06c5331e576c2b748ba1ec681 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.EXE\" .." | server.EXE
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes: server.EXE
  description | pid | process
  Token: SeDebugPrivilege | 1720 | server.EXE
  Token: 33 | 1720 | server.EXE (17 entries, alternating with the line below)
  Token: SeIncBasePriorityPrivilege | 1720 | server.EXE (17 entries)
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: 8B54AC281EA90D359B212B1CE7FFD0B4AC5CAB9EE2F93.exe, CSGhost-V4.EXE, server.EXE
  description | pid | process | target process
  PID 1988 wrote to memory of 1720 | 1988 | 8B54AC281EA90D359B212B1CE7FFD0B4AC5CAB9EE2F93.exe | server.EXE (4 entries)
  PID 1988 wrote to memory of 1672 | 1988 | 8B54AC281EA90D359B212B1CE7FFD0B4AC5CAB9EE2F93.exe | CSGhost-V4.EXE (4 entries)
  PID 1672 wrote to memory of 316 | 1672 | CSGhost-V4.EXE | temp_wrapped_31366.exe (4 entries)
  PID 1720 wrote to memory of 788 | 1720 | server.EXE | netsh.exe (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\8B54AC281EA90D359B212B1CE7FFD0B4AC5CAB9EE2F93.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8B54AC281EA90D359B212B1CE7FFD0B4AC5CAB9EE2F93.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   1.1. C:\Users\Admin\AppData\Roaming\server.EXE
        Command line: "C:\Users\Admin\AppData\Roaming\server.EXE"
        - Executes dropped EXE
        - Drops startup file
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        1.1.1. C:\Windows\SysWOW64\netsh.exe
               Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.EXE" "server.EXE" ENABLE
   1.2. C:\Users\Admin\AppData\Roaming\CSGhost-V4.EXE
        Command line: "C:\Users\Admin\AppData\Roaming\CSGhost-V4.EXE"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        1.2.1. C:\Users\Admin\AppData\Local\Temp\temp_wrapped_31366.exe
               Command line: "C:\Users\Admin\AppData\Local\Temp\temp_wrapped_31366.exe"
               - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\temp_wrapped_31366.exe
  MD5: 6626698df959dedebe4bba05a5212cb6
  SHA1: 44b29eea5e11a7805fe74df6d7acc708d4e2c04f
  SHA256: ca7847a603db8ee2912c946b15ba8f7c6e4a6de13f8192792e58287859dee57a
  SHA512: 312b55a55348dbe85222d80df3142806411537e2fdee5338c0062825f030be73b5142d452c861059988c40c8172d1a3baa3f0d1f97dac6c7dff17c31d01822e8
- C:\Users\Admin\AppData\Roaming\CSGhost-v4.exe
  MD5: f46ebc4410101fc838ca6dbab76c90e1
  SHA1: f687b1880256cf8261c16a18cea4b5d2b76c92d3
  SHA256: 724c6c491d8d46f9a7e41192ba5926f0ee7b82e9315761f51520c9b6d2ee4be0
  SHA512: 244f7a5f46178b7c2935e2261d7fef5af8dfb55113388b8dce2dca070885cfe480913e1325a519cfd2e8b3351b12142edb989d2d8da6b153814b0bb3f3e217f1
- C:\Users\Admin\AppData\Roaming\server.EXE
  MD5: a873745adb5279248a7ea3cccff26c3c
  SHA1: 551fb96900684f790fca3b2b837d1c88ef0508dc
  SHA256: 8320f6171990184f84338329dae465e33ef90e1a9584e7087b226d682b8e1594
  SHA512: 09d94e876577cd9c1ae164bb6bfa94fc440482f2fc5e775b6d7222508ad4ef53697f2164044b30789d7a2cf4f703a98d4958968c7cd774811a89a2188310b87f
- C:\Users\Admin\AppData\Roaming\server.exe
  MD5: a873745adb5279248a7ea3cccff26c3c
  SHA1: 551fb96900684f790fca3b2b837d1c88ef0508dc
  SHA256: 8320f6171990184f84338329dae465e33ef90e1a9584e7087b226d682b8e1594
  SHA512: 09d94e876577cd9c1ae164bb6bfa94fc440482f2fc5e775b6d7222508ad4ef53697f2164044b30789d7a2cf4f703a98d4958968c7cd774811a89a2188310b87f
- \Users\Admin\AppData\Roaming\CSGhost-v4.exe
  MD5: f46ebc4410101fc838ca6dbab76c90e1
  SHA1: f687b1880256cf8261c16a18cea4b5d2b76c92d3
  SHA256: 724c6c491d8d46f9a7e41192ba5926f0ee7b82e9315761f51520c9b6d2ee4be0
  SHA512: 244f7a5f46178b7c2935e2261d7fef5af8dfb55113388b8dce2dca070885cfe480913e1325a519cfd2e8b3351b12142edb989d2d8da6b153814b0bb3f3e217f1
- \Users\Admin\AppData\Roaming\server.exe
  MD5: a873745adb5279248a7ea3cccff26c3c
  SHA1: 551fb96900684f790fca3b2b837d1c88ef0508dc
  SHA256: 8320f6171990184f84338329dae465e33ef90e1a9584e7087b226d682b8e1594
  SHA512: 09d94e876577cd9c1ae164bb6bfa94fc440482f2fc5e775b6d7222508ad4ef53697f2164044b30789d7a2cf4f703a98d4958968c7cd774811a89a2188310b87f
- memory/316-71-0x0000000000000000-mapping.dmp
- memory/788-75-0x0000000000000000-mapping.dmp
- memory/1672-68-0x0000000000000000-mapping.dmp
- memory/1720-64-0x0000000000000000-mapping.dmp
- memory/1720-73-0x0000000002030000-0x0000000002031000-memory.dmp
  Filesize: 4KB
- memory/1988-60-0x0000000075511000-0x0000000075513000-memory.dmp
  Filesize: 8KB