Analysis
- max time kernel: 154s
- max time network: 183s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 22-10-2021 18:44
Static task: static1
Behavioral task: behavioral1
  Sample: ad0f6231d44f6d0e08379256a3f765c0.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: ad0f6231d44f6d0e08379256a3f765c0.exe
  Resource: win10-en-20211014
General
- Target: ad0f6231d44f6d0e08379256a3f765c0.exe
- Size: 432KB
- MD5: ad0f6231d44f6d0e08379256a3f765c0
- SHA1: 765c2ba3990b9c2a603a0012dfac8e34e39eda38
- SHA256: a665eae243d8d987de7378c95a9e7894d95b7ca6632e7455dcb9431870e67016
- SHA512: 8bcf9c48c9137b897194cd757ff80153462ce2ad2f2d468ab70ba4479808f3a8bd99006d50a0802289de43092b7079286a86091674d0173325b50ad089309eb0
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: 2021
- C2: aqq.linkpc.net:999
- Mutex: a1776750d898d3976ceabc94432acfb1
- reg_key: a1776750d898d3976ceabc94432acfb1
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes: System64.exe
    pid 1812  process System64.exe
- Modifies Windows Firewall (1 TTP)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: System64.exe
    description: Set value (str)  ioc: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\a1776750d898d3976ceabc94432acfb1 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System64.exe\" .."  process: System64.exe
    description: Set value (str)  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a1776750d898d3976ceabc94432acfb1 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System64.exe\" .."  process: System64.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (29 IoCs)
  Processes: System64.exe
    description: Token: SeDebugPrivilege  pid 1812  process System64.exe
    description: Token: 33  pid 1812  process System64.exe (14 identical entries)
    description: Token: SeIncBasePriorityPrivilege  pid 1812  process System64.exe (14 identical entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: ad0f6231d44f6d0e08379256a3f765c0.exe, System64.exe
    description: PID 2016 wrote to memory of 1812  pid 2016  process ad0f6231d44f6d0e08379256a3f765c0.exe  target process System64.exe (3 identical entries)
    description: PID 1812 wrote to memory of 1176  pid 1812  process System64.exe  target process netsh.exe (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\ad0f6231d44f6d0e08379256a3f765c0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ad0f6231d44f6d0e08379256a3f765c0.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\System64.exe (child process)
    Command line: "C:\Users\Admin\AppData\Roaming\System64.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\netsh.exe (child process)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\System64.exe" "System64.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\System64.exe
  MD5: ad0f6231d44f6d0e08379256a3f765c0
  SHA1: 765c2ba3990b9c2a603a0012dfac8e34e39eda38
  SHA256: a665eae243d8d987de7378c95a9e7894d95b7ca6632e7455dcb9431870e67016
  SHA512: 8bcf9c48c9137b897194cd757ff80153462ce2ad2f2d468ab70ba4479808f3a8bd99006d50a0802289de43092b7079286a86091674d0173325b50ad089309eb0
- memory/1176-63-0x0000000000000000-mapping.dmp
- memory/1176-64-0x000007FEFBC91000-0x000007FEFBC93000-memory.dmp (Filesize: 8KB)
- memory/1812-57-0x0000000000000000-mapping.dmp
- memory/1812-60-0x00000000010A0000-0x00000000010A1000-memory.dmp (Filesize: 4KB)
- memory/1812-65-0x000000001B440000-0x000000001B442000-memory.dmp (Filesize: 8KB)
- memory/2016-54-0x0000000000CA0000-0x0000000000CA1000-memory.dmp (Filesize: 4KB)
- memory/2016-56-0x00000000003D0000-0x00000000003D6000-memory.dmp (Filesize: 24KB)