Analysis
  max time kernel: 169s
  max time network: 157s
  platform: windows10_x64
  resource: win10-en-20211014
  submitted: 22-10-2021 18:44
Static task: static1
Behavioral task: behavioral1
  Sample: ad0f6231d44f6d0e08379256a3f765c0.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: ad0f6231d44f6d0e08379256a3f765c0.exe
  Resource: win10-en-20211014
General
  Target: ad0f6231d44f6d0e08379256a3f765c0.exe
  Size: 432KB
  MD5: ad0f6231d44f6d0e08379256a3f765c0
  SHA1: 765c2ba3990b9c2a603a0012dfac8e34e39eda38
  SHA256: a665eae243d8d987de7378c95a9e7894d95b7ca6632e7455dcb9431870e67016
  SHA512: 8bcf9c48c9137b897194cd757ff80153462ce2ad2f2d468ab70ba4479808f3a8bd99006d50a0802289de43092b7079286a86091674d0173325b50ad089309eb0
Malware Config
Extracted
  Family: njrat
  Version: 0.7d
  Botnet: 2021
  C2: aqq.linkpc.net:999
  Mutex: a1776750d898d3976ceabc94432acfb1
  reg_key: a1776750d898d3976ceabc94432acfb1
  splitter: |'|'|
Signatures
  Executes dropped EXE (1 IoC)
    Processes:
      pid    process
      2232   System64.exe
  Modifies Windows Firewall (1 TTP)
  Adds Run key to start application (2 TTPs, 2 IoCs)
    Processes:
      description: Set value (str)
        ioc: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\a1776750d898d3976ceabc94432acfb1 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System64.exe\" .."
        process: System64.exe
      description: Set value (str)
        ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a1776750d898d3976ceabc94432acfb1 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System64.exe\" .."
        process: System64.exe
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Suspicious use of AdjustPrivilegeToken (29 IoCs)
    Processes:
      description                          pid    process
      Token: SeDebugPrivilege              2232   System64.exe
      Token: 33                            2232   System64.exe
      Token: SeIncBasePriorityPrivilege    2232   System64.exe
      (the last two rows alternate 14 times each, 29 entries in total)
  Suspicious use of WriteProcessMemory (4 IoCs)
    Processes:
      description                      pid    process                                   target process
      PID 504 wrote to memory of 2232  504    ad0f6231d44f6d0e08379256a3f765c0.exe      System64.exe
      PID 504 wrote to memory of 2232  504    ad0f6231d44f6d0e08379256a3f765c0.exe      System64.exe
      PID 2232 wrote to memory of 632  2232   System64.exe                              netsh.exe
      PID 2232 wrote to memory of 632  2232   System64.exe                              netsh.exe
Processes
  C:\Users\Admin\AppData\Local\Temp\ad0f6231d44f6d0e08379256a3f765c0.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\ad0f6231d44f6d0e08379256a3f765c0.exe"
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\System64.exe
      command line: "C:\Users\Admin\AppData\Roaming\System64.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SYSTEM32\netsh.exe
        command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\System64.exe" "System64.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  C:\Users\Admin\AppData\Roaming\System64.exe
    MD5: ad0f6231d44f6d0e08379256a3f765c0
    SHA1: 765c2ba3990b9c2a603a0012dfac8e34e39eda38
    SHA256: a665eae243d8d987de7378c95a9e7894d95b7ca6632e7455dcb9431870e67016
    SHA512: 8bcf9c48c9137b897194cd757ff80153462ce2ad2f2d468ab70ba4479808f3a8bd99006d50a0802289de43092b7079286a86091674d0173325b50ad089309eb0
  memory/504-118-0x00000000003E0000-0x00000000003E1000-memory.dmp
    Filesize: 4KB
  memory/504-120-0x0000000000880000-0x0000000000886000-memory.dmp
    Filesize: 24KB
  memory/632-127-0x0000000000000000-mapping.dmp
  memory/2232-121-0x0000000000000000-mapping.dmp
  memory/2232-128-0x00000000016E0000-0x00000000016E2000-memory.dmp
    Filesize: 8KB