Analysis
- max time kernel: 152s
- max time network: 154s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 08-10-2021 02:32
Static task: static1
Behavioral task: behavioral1
- Sample: 8B54AC281EA90D359B212B1CE7FFD0B4AC5CAB9EE2F93.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 8B54AC281EA90D359B212B1CE7FFD0B4AC5CAB9EE2F93.exe
- Resource: win10v20210408
General
- Target: 8B54AC281EA90D359B212B1CE7FFD0B4AC5CAB9EE2F93.exe
- Size: 395KB
- MD5: 72a2512b36128f94127a7206df3a5032
- SHA1: 6a3873d420dad9f5f20ce7f8493efc3c2cfe5a18
- SHA256: 8b54ac281ea90d359b212b1ce7ffd0b4ac5cab9ee2f93bd9ca393b992556e80a
- SHA512: 2122b37537c94960ba2154e8c15acd2b3983cf53314e8368b02ee87956e8d98287163f64917a844be30dae8a7c0936604b4ec94df0fc81192d270865ac640166
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: Lammer
- C2: 6.tcp.ngrok.io:16860
- Mutex: 142514b06c5331e576c2b748ba1ec681
- Attributes:
  - reg_key: 142514b06c5331e576c2b748ba1ec681
  - splitter: |'|'|
Signatures
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  - 296 server.EXE
  - 2272 CSGhost-V4.EXE
  - 3232 temp_wrapped_31366.exe
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\142514b06c5331e576c2b748ba1ec681.exe (server.EXE)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\142514b06c5331e576c2b748ba1ec681.exe (server.EXE)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\142514b06c5331e576c2b748ba1ec681 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.EXE\" .." (server.EXE)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\142514b06c5331e576c2b748ba1ec681 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.EXE\" .." (server.EXE)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process):
  - 3232 temp_wrapped_31366.exe (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 296 server.EXE (1 entry)
  - Token: 33, 296 server.EXE (16 entries)
  - Token: SeIncBasePriorityPrivilege, 296 server.EXE (16 entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid, process):
  - 2272 CSGhost-V4.EXE
  - 3232 temp_wrapped_31366.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
  - PID 1400 wrote to memory of 296: 8B54AC281EA90D359B212B1CE7FFD0B4AC5CAB9EE2F93.exe -> server.EXE (3 entries)
  - PID 1400 wrote to memory of 2272: 8B54AC281EA90D359B212B1CE7FFD0B4AC5CAB9EE2F93.exe -> CSGhost-V4.EXE (2 entries)
  - PID 2272 wrote to memory of 3232: CSGhost-V4.EXE -> temp_wrapped_31366.exe (3 entries)
  - PID 296 wrote to memory of 1756: server.EXE -> netsh.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\8B54AC281EA90D359B212B1CE7FFD0B4AC5CAB9EE2F93.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8B54AC281EA90D359B212B1CE7FFD0B4AC5CAB9EE2F93.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\server.EXE
    Command line: "C:\Users\Admin\AppData\Roaming\server.EXE"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.EXE" "server.EXE" ENABLE
  - C:\Users\Admin\AppData\Roaming\CSGhost-V4.EXE
    Command line: "C:\Users\Admin\AppData\Roaming\CSGhost-V4.EXE"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\temp_wrapped_31366.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\temp_wrapped_31366.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\temp_wrapped_31366.exe
  MD5: 6626698df959dedebe4bba05a5212cb6
  SHA1: 44b29eea5e11a7805fe74df6d7acc708d4e2c04f
  SHA256: ca7847a603db8ee2912c946b15ba8f7c6e4a6de13f8192792e58287859dee57a
  SHA512: 312b55a55348dbe85222d80df3142806411537e2fdee5338c0062825f030be73b5142d452c861059988c40c8172d1a3baa3f0d1f97dac6c7dff17c31d01822e8
- C:\Users\Admin\AppData\Roaming\CSGhost-V4.EXE
  MD5: f46ebc4410101fc838ca6dbab76c90e1
  SHA1: f687b1880256cf8261c16a18cea4b5d2b76c92d3
  SHA256: 724c6c491d8d46f9a7e41192ba5926f0ee7b82e9315761f51520c9b6d2ee4be0
  SHA512: 244f7a5f46178b7c2935e2261d7fef5af8dfb55113388b8dce2dca070885cfe480913e1325a519cfd2e8b3351b12142edb989d2d8da6b153814b0bb3f3e217f1
- C:\Users\Admin\AppData\Roaming\CSGhost-v4.exe
  MD5: f46ebc4410101fc838ca6dbab76c90e1
  SHA1: f687b1880256cf8261c16a18cea4b5d2b76c92d3
  SHA256: 724c6c491d8d46f9a7e41192ba5926f0ee7b82e9315761f51520c9b6d2ee4be0
  SHA512: 244f7a5f46178b7c2935e2261d7fef5af8dfb55113388b8dce2dca070885cfe480913e1325a519cfd2e8b3351b12142edb989d2d8da6b153814b0bb3f3e217f1
- C:\Users\Admin\AppData\Roaming\server.EXE
  MD5: a873745adb5279248a7ea3cccff26c3c
  SHA1: 551fb96900684f790fca3b2b837d1c88ef0508dc
  SHA256: 8320f6171990184f84338329dae465e33ef90e1a9584e7087b226d682b8e1594
  SHA512: 09d94e876577cd9c1ae164bb6bfa94fc440482f2fc5e775b6d7222508ad4ef53697f2164044b30789d7a2cf4f703a98d4958968c7cd774811a89a2188310b87f
- C:\Users\Admin\AppData\Roaming\server.exe
  MD5: a873745adb5279248a7ea3cccff26c3c
  SHA1: 551fb96900684f790fca3b2b837d1c88ef0508dc
  SHA256: 8320f6171990184f84338329dae465e33ef90e1a9584e7087b226d682b8e1594
  SHA512: 09d94e876577cd9c1ae164bb6bfa94fc440482f2fc5e775b6d7222508ad4ef53697f2164044b30789d7a2cf4f703a98d4958968c7cd774811a89a2188310b87f
- memory/296-116-0x0000000000000000-mapping.dmp
- memory/296-125-0x0000000002D90000-0x0000000002D91000-memory.dmp (Filesize: 4KB)
- memory/1400-114-0x0000000000850000-0x0000000000851000-memory.dmp (Filesize: 4KB)
- memory/1400-115-0x0000000000850000-0x0000000000851000-memory.dmp (Filesize: 4KB)
- memory/1756-126-0x0000000000000000-mapping.dmp
- memory/2272-119-0x0000000000000000-mapping.dmp
- memory/3232-122-0x0000000000000000-mapping.dmp