Analysis
- max time kernel: 148s
- max time network: 142s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 02-11-2021 13:08
Static task: static1
Behavioral task: behavioral1
  Sample: Q4EtLThkYlEkFvu.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: Q4EtLThkYlEkFvu.exe
  Resource: win10-en-20211014
General
- Target: Q4EtLThkYlEkFvu.exe
- Size: 474KB
- MD5: 18156edcb0549e6e856811b5a57b951d
- SHA1: c9c773a0157562c8fa800aad23c670486fd63fbd
- SHA256: 8c6ca1c8128480b39bed5d584b13880534bc0155cf05df5ab5ebd1dc63f53207
- SHA512: c881d069a6403a22b02ee71dd062fdb6718f23c6c1de859d142dcd9e4c642555c3c5f72bc6b0aa1bab3ff6539a7c59e3415bca0b8f636cfcc5b9dbd5afb39775
Malware Config
Extracted
- Family: njrat
- Version: v4.0
- Botnet: order1
- C2: 45.137.22.146:5553
- Mutex: Windows
- Attributes:
  - reg_key: Windows
  - splitter: |-F-|
Signatures

- Executes dropped EXE (2 IoCs)
  Processes: Payload.exe, Payload.exe
    pid | process
    1248 | Payload.exe
    1488 | Payload.exe

- Drops startup file (2 IoCs)
  Processes: Q4EtLThkYlEkFvu.exe, Payload.exe
    description | ioc | process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | Q4EtLThkYlEkFvu.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | Payload.exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: Q4EtLThkYlEkFvu.exe
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Windows\\Payload.exe" | Q4EtLThkYlEkFvu.exe

- Suspicious use of SetThreadContext (2 IoCs)
  Processes: Q4EtLThkYlEkFvu.exe, Payload.exe
    description | pid | process | target process
    PID 2412 set thread context of 1832 | 2412 | Q4EtLThkYlEkFvu.exe | Q4EtLThkYlEkFvu.exe
    PID 1248 set thread context of 1488 | 1248 | Payload.exe | Payload.exe

- Drops file in Windows directory (2 IoCs)
  Processes: Q4EtLThkYlEkFvu.exe, attrib.exe
    description | ioc | process
    File created | C:\Windows\Payload.exe | Q4EtLThkYlEkFvu.exe
    File opened for modification | C:\Windows\Payload.exe | attrib.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe, schtasks.exe
    pid | process
    3232 | schtasks.exe
    2264 | schtasks.exe

- Suspicious use of AdjustPrivilegeToken (13 IoCs)
  Processes: Payload.exe
    description | pid | process
    Token: SeDebugPrivilege | 1488 | Payload.exe
    Token: 33 | 1488 | Payload.exe
    Token: SeIncBasePriorityPrivilege | 1488 | Payload.exe
    Token: 33 | 1488 | Payload.exe
    Token: SeIncBasePriorityPrivilege | 1488 | Payload.exe
    Token: 33 | 1488 | Payload.exe
    Token: SeIncBasePriorityPrivilege | 1488 | Payload.exe
    Token: 33 | 1488 | Payload.exe
    Token: SeIncBasePriorityPrivilege | 1488 | Payload.exe
    Token: 33 | 1488 | Payload.exe
    Token: SeIncBasePriorityPrivilege | 1488 | Payload.exe
    Token: 33 | 1488 | Payload.exe
    Token: SeIncBasePriorityPrivilege | 1488 | Payload.exe

- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes: Q4EtLThkYlEkFvu.exe, Q4EtLThkYlEkFvu.exe, Payload.exe
    description | pid | process | target process
    PID 2412 wrote to memory of 3232 | 2412 | Q4EtLThkYlEkFvu.exe | schtasks.exe
    PID 2412 wrote to memory of 3232 | 2412 | Q4EtLThkYlEkFvu.exe | schtasks.exe
    PID 2412 wrote to memory of 3232 | 2412 | Q4EtLThkYlEkFvu.exe | schtasks.exe
    PID 2412 wrote to memory of 1832 | 2412 | Q4EtLThkYlEkFvu.exe | Q4EtLThkYlEkFvu.exe
    PID 2412 wrote to memory of 1832 | 2412 | Q4EtLThkYlEkFvu.exe | Q4EtLThkYlEkFvu.exe
    PID 2412 wrote to memory of 1832 | 2412 | Q4EtLThkYlEkFvu.exe | Q4EtLThkYlEkFvu.exe
    PID 2412 wrote to memory of 1832 | 2412 | Q4EtLThkYlEkFvu.exe | Q4EtLThkYlEkFvu.exe
    PID 2412 wrote to memory of 1832 | 2412 | Q4EtLThkYlEkFvu.exe | Q4EtLThkYlEkFvu.exe
    PID 2412 wrote to memory of 1832 | 2412 | Q4EtLThkYlEkFvu.exe | Q4EtLThkYlEkFvu.exe
    PID 2412 wrote to memory of 1832 | 2412 | Q4EtLThkYlEkFvu.exe | Q4EtLThkYlEkFvu.exe
    PID 2412 wrote to memory of 1832 | 2412 | Q4EtLThkYlEkFvu.exe | Q4EtLThkYlEkFvu.exe
    PID 1832 wrote to memory of 1248 | 1832 | Q4EtLThkYlEkFvu.exe | Payload.exe
    PID 1832 wrote to memory of 1248 | 1832 | Q4EtLThkYlEkFvu.exe | Payload.exe
    PID 1832 wrote to memory of 1248 | 1832 | Q4EtLThkYlEkFvu.exe | Payload.exe
    PID 1832 wrote to memory of 1960 | 1832 | Q4EtLThkYlEkFvu.exe | attrib.exe
    PID 1832 wrote to memory of 1960 | 1832 | Q4EtLThkYlEkFvu.exe | attrib.exe
    PID 1832 wrote to memory of 1960 | 1832 | Q4EtLThkYlEkFvu.exe | attrib.exe
    PID 1248 wrote to memory of 2264 | 1248 | Payload.exe | schtasks.exe
    PID 1248 wrote to memory of 2264 | 1248 | Payload.exe | schtasks.exe
    PID 1248 wrote to memory of 2264 | 1248 | Payload.exe | schtasks.exe
    PID 1248 wrote to memory of 1488 | 1248 | Payload.exe | Payload.exe
    PID 1248 wrote to memory of 1488 | 1248 | Payload.exe | Payload.exe
    PID 1248 wrote to memory of 1488 | 1248 | Payload.exe | Payload.exe
    PID 1248 wrote to memory of 1488 | 1248 | Payload.exe | Payload.exe
    PID 1248 wrote to memory of 1488 | 1248 | Payload.exe | Payload.exe
    PID 1248 wrote to memory of 1488 | 1248 | Payload.exe | Payload.exe
    PID 1248 wrote to memory of 1488 | 1248 | Payload.exe | Payload.exe
    PID 1248 wrote to memory of 1488 | 1248 | Payload.exe | Payload.exe

- Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes

- C:\Users\Admin\AppData\Local\Temp\Q4EtLThkYlEkFvu.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Q4EtLThkYlEkFvu.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yqbepZrEYRD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7CBD.tmp"
    - Creates scheduled task(s)

  - C:\Users\Admin\AppData\Local\Temp\Q4EtLThkYlEkFvu.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Q4EtLThkYlEkFvu.exe"
    - Drops startup file
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory

    - C:\Windows\Payload.exe (depth 3)
      Command line: "C:\Windows\Payload.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\schtasks.exe (depth 4)
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yqbepZrEYRD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp27A3.tmp"
        - Creates scheduled task(s)

      - C:\Windows\Payload.exe (depth 4)
        Command line: "C:\Windows\Payload.exe"
        - Executes dropped EXE
        - Drops startup file
        - Suspicious use of AdjustPrivilegeToken

    - C:\Windows\SysWOW64\attrib.exe (depth 3)
      Command line: attrib +h +r +s "C:\Windows\Payload.exe"
      - Drops file in Windows directory
      - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Q4EtLThkYlEkFvu.exe.log
  MD5: 0c2899d7c6746f42d5bbe088c777f94c
  SHA1: 622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1
  SHA256: 5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458
  SHA512: ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
  MD5: f39dc7f3fcd45c5b85654093a9be1cd7
  SHA1: e6b05f26f3912fece3019976b30f8a45ce62dc56
  SHA256: 9fbf8e6e7e4c29da69ae34498caa6a622990eda06105fdc30b5bbdfc7a5916ce
  SHA512: 6d849f5f113a33297b6e2bdac82aa5c3b843c39c8430003881a0d74052b90359a864018f80414c38f23cd99da6eccf6efc153bba1954fab2df036cd1f724cd17

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
  MD5: 290cd837d2a0d0e96a19d0881c8b20aa
  SHA1: d2499dfe5e480e7297f7356dbf8d4dedcf623c9a
  SHA256: c7f2f4c8a97c65e74645dc1c63dc46a9a463968de209f0132c462a56a24a5b5d
  SHA512: c786161057cbc27b49faf9348cfb1359ee4df668ef784a8794860dedfc69db130ff9d1c60d300caf666c7a21b2da4628d3958f8b3a69ce252850ec47e6ec3e7c

- C:\Windows\Payload.exe (hashes identical to the submitted sample)
  MD5: 18156edcb0549e6e856811b5a57b951d
  SHA1: c9c773a0157562c8fa800aad23c670486fd63fbd
  SHA256: 8c6ca1c8128480b39bed5d584b13880534bc0155cf05df5ab5ebd1dc63f53207
  SHA512: c881d069a6403a22b02ee71dd062fdb6718f23c6c1de859d142dcd9e4c642555c3c5f72bc6b0aa1bab3ff6539a7c59e3415bca0b8f636cfcc5b9dbd5afb39775
Memory dumps

- memory/1248-131-0x0000000000000000-mapping.dmp
- memory/1248-142-0x0000000005260000-0x000000000575E000-memory.dmp (filesize 5.0MB)
- memory/1488-147-0x000000000040836E-mapping.dmp
- memory/1488-158-0x0000000005BB0000-0x0000000005BB1000-memory.dmp (filesize 4KB)
- memory/1488-155-0x0000000004F50000-0x0000000004FEC000-memory.dmp (filesize 624KB)
- memory/1832-125-0x0000000000400000-0x0000000000410000-memory.dmp (filesize 64KB)
- memory/1832-126-0x000000000040836E-mapping.dmp
- memory/1960-134-0x0000000000000000-mapping.dmp
- memory/2264-145-0x0000000000000000-mapping.dmp
- memory/2412-121-0x00000000057D0000-0x00000000057D7000-memory.dmp (filesize 28KB)
- memory/2412-120-0x00000000053D0000-0x00000000053D1000-memory.dmp (filesize 4KB)
- memory/2412-122-0x0000000008C70000-0x0000000008C71000-memory.dmp (filesize 4KB)
- memory/2412-115-0x0000000000B00000-0x0000000000B01000-memory.dmp (filesize 4KB)
- memory/2412-119-0x0000000005310000-0x000000000580E000-memory.dmp (filesize 5.0MB)
- memory/2412-118-0x00000000053E0000-0x00000000053E1000-memory.dmp (filesize 4KB)
- memory/2412-117-0x0000000005810000-0x0000000005811000-memory.dmp (filesize 4KB)
- memory/2412-123-0x0000000008C00000-0x0000000008C2C000-memory.dmp (filesize 176KB)
- memory/3232-124-0x0000000000000000-mapping.dmp