Analysis
- max time kernel: 147s
- max time network: 154s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 26-10-2021 13:32
Static task: static1
Behavioral task: behavioral1
- Sample: 289bce792735d436f48355e55ea0276f.exe
- Resource: win7-en-20211014
Behavioral task: behavioral2
- Sample: 289bce792735d436f48355e55ea0276f.exe
- Resource: win10-en-20211014
General
- Target: 289bce792735d436f48355e55ea0276f.exe
- Size: 246KB
- MD5: 289bce792735d436f48355e55ea0276f
- SHA1: 1438cd6b0e96ee1b6d9d3d17e3bc0177c9034ed8
- SHA256: 78b5fb7cbde356e0620afee36e4908e1985fbe17aaf30eaa896ecdf7c5f10f0b
- SHA512: f7216462891aa8937a0d512f6219c0b180ff5582494d0a54b093ca7cc65ae75665a1d2f5faec6ff916fe8d79ee179ffd10ae432a1d8c8aa58c09f6c9c4e6bfa2
Malware Config
Extracted:
- Family: njrat
- Version: v2.0
- Botnet: ------(XxX)------
- C2: new.libya2020.com.ly:2020
- Mutex: Windows
- Attributes:
  - reg_key: Windows
  - splitter: |-F-|
Signatures
- Drops startup file (1 IoC)
  Processes:
  | description  | ioc                                                                                            | process                               |
  | File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | 289bce792735d436f48355e55ea0276f.exe |
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  | description                          | pid  | process                               | target process                        |
  | PID 2676 set thread context of 584 | 2676 | 289bce792735d436f48355e55ea0276f.exe | 289bce792735d436f48355e55ea0276f.exe |
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (25 IoCs)
  Processes:
  | description                              | pid | process                               |
  | Token: SeDebugPrivilege                  | 584 | 289bce792735d436f48355e55ea0276f.exe |
  | Token: 33                                | 584 | 289bce792735d436f48355e55ea0276f.exe |
  | Token: SeIncBasePriorityPrivilege        | 584 | 289bce792735d436f48355e55ea0276f.exe |
  (the "Token: 33" / "Token: SeIncBasePriorityPrivilege" pair is repeated 12 times in the same pid, 24 rows in total)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  | description                       | pid  | process                               | target process                        |
  | PID 2676 wrote to memory of 584 | 2676 | 289bce792735d436f48355e55ea0276f.exe | 289bce792735d436f48355e55ea0276f.exe |
  (this row is repeated 8 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\289bce792735d436f48355e55ea0276f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\289bce792735d436f48355e55ea0276f.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. (child) C:\Users\Admin\AppData\Local\Temp\289bce792735d436f48355e55ea0276f.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\289bce792735d436f48355e55ea0276f.exe"
      - Drops startup file
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
| file                                                                | filesize |
| memory/584-124-0x0000000000400000-0x000000000040E000-memory.dmp  | 56KB     |
| memory/584-125-0x000000000040839E-mapping.dmp                      | -        |
| memory/584-130-0x0000000005C60000-0x0000000005C61000-memory.dmp  | 4KB      |
| memory/584-133-0x0000000005E40000-0x0000000005E41000-memory.dmp  | 4KB      |
| memory/2676-115-0x00000000007C0000-0x00000000007C1000-memory.dmp | 4KB      |
| memory/2676-117-0x0000000005230000-0x0000000005231000-memory.dmp | 4KB      |
| memory/2676-118-0x00000000057D0000-0x00000000057D1000-memory.dmp | 4KB      |
| memory/2676-119-0x0000000005190000-0x0000000005222000-memory.dmp | 584KB    |
| memory/2676-120-0x00000000054D0000-0x00000000054D1000-memory.dmp | 4KB      |
| memory/2676-121-0x0000000005510000-0x0000000005517000-memory.dmp | 28KB     |
| memory/2676-122-0x0000000005F70000-0x0000000005F71000-memory.dmp | 4KB      |
| memory/2676-123-0x0000000005ED0000-0x0000000005EF9000-memory.dmp | 164KB    |