Analysis

- Max time kernel: 148s
- Max time network: 150s
- Platform: windows7_x64
- Resource: win7-en-20211014
- Submitted: 02-11-2021 13:07
Tasks

- Static task: static1
- Behavioral task: behavioral1
  Sample: Q4EtLThkYlEkFvu.exe
  Resource: win7-en-20211014
- Behavioral task: behavioral2
  Sample: Q4EtLThkYlEkFvu.exe
  Resource: win10-en-20211014
General

- Target: Q4EtLThkYlEkFvu.exe
- Size: 474KB
- MD5: 18156edcb0549e6e856811b5a57b951d
- SHA1: c9c773a0157562c8fa800aad23c670486fd63fbd
- SHA256: 8c6ca1c8128480b39bed5d584b13880534bc0155cf05df5ab5ebd1dc63f53207
- SHA512: c881d069a6403a22b02ee71dd062fdb6718f23c6c1de859d142dcd9e4c642555c3c5f72bc6b0aa1bab3ff6539a7c59e3415bca0b8f636cfcc5b9dbd5afb39775
Malware Config

Extracted:
- Family: njrat
- Version: v4.0
- order1
- C2: 45.137.22.146:5553
- Windows
- reg_key: Windows
- splitter: |-F-|
Signatures

- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    2016  Payload.exe
    1196  Payload.exe

- Drops startup file (2 IoCs)
  Processes:
    description                   ioc                                                                                        process
    File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk   Q4EtLThkYlEkFvu.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk   Payload.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description      ioc                                                                                                                                           process
    Set value (str)  \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Windows\\Payload.exe"   Q4EtLThkYlEkFvu.exe

- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
    description                          pid   process              target process
    PID 1588 set thread context of 640   1588  Q4EtLThkYlEkFvu.exe  Q4EtLThkYlEkFvu.exe
    PID 2016 set thread context of 1196  2016  Payload.exe          Payload.exe

- Drops file in Windows directory (2 IoCs)
  Processes:
    description                   ioc                     process
    File created                  C:\Windows\Payload.exe  Q4EtLThkYlEkFvu.exe
    File opened for modification  C:\Windows\Payload.exe  attrib.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious use of AdjustPrivilegeToken (11 IoCs)
  Processes:
    description                        pid   process
    Token: SeDebugPrivilege            1196  Payload.exe
    Token: 33                          1196  Payload.exe
    Token: SeIncBasePriorityPrivilege  1196  Payload.exe
    Token: 33                          1196  Payload.exe
    Token: SeIncBasePriorityPrivilege  1196  Payload.exe
    Token: 33                          1196  Payload.exe
    Token: SeIncBasePriorityPrivilege  1196  Payload.exe
    Token: 33                          1196  Payload.exe
    Token: SeIncBasePriorityPrivilege  1196  Payload.exe
    Token: 33                          1196  Payload.exe
    Token: SeIncBasePriorityPrivilege  1196  Payload.exe

- Suspicious use of WriteProcessMemory (34 IoCs)
  Processes:
    description                         pid   process              target process
    PID 1588 wrote to memory of 1808    1588  Q4EtLThkYlEkFvu.exe  schtasks.exe
    PID 1588 wrote to memory of 1808    1588  Q4EtLThkYlEkFvu.exe  schtasks.exe
    PID 1588 wrote to memory of 1808    1588  Q4EtLThkYlEkFvu.exe  schtasks.exe
    PID 1588 wrote to memory of 1808    1588  Q4EtLThkYlEkFvu.exe  schtasks.exe
    PID 1588 wrote to memory of 640     1588  Q4EtLThkYlEkFvu.exe  Q4EtLThkYlEkFvu.exe
    PID 1588 wrote to memory of 640     1588  Q4EtLThkYlEkFvu.exe  Q4EtLThkYlEkFvu.exe
    PID 1588 wrote to memory of 640     1588  Q4EtLThkYlEkFvu.exe  Q4EtLThkYlEkFvu.exe
    PID 1588 wrote to memory of 640     1588  Q4EtLThkYlEkFvu.exe  Q4EtLThkYlEkFvu.exe
    PID 1588 wrote to memory of 640     1588  Q4EtLThkYlEkFvu.exe  Q4EtLThkYlEkFvu.exe
    PID 1588 wrote to memory of 640     1588  Q4EtLThkYlEkFvu.exe  Q4EtLThkYlEkFvu.exe
    PID 1588 wrote to memory of 640     1588  Q4EtLThkYlEkFvu.exe  Q4EtLThkYlEkFvu.exe
    PID 1588 wrote to memory of 640     1588  Q4EtLThkYlEkFvu.exe  Q4EtLThkYlEkFvu.exe
    PID 1588 wrote to memory of 640     1588  Q4EtLThkYlEkFvu.exe  Q4EtLThkYlEkFvu.exe
    PID 640 wrote to memory of 2016     640   Q4EtLThkYlEkFvu.exe  Payload.exe
    PID 640 wrote to memory of 2016     640   Q4EtLThkYlEkFvu.exe  Payload.exe
    PID 640 wrote to memory of 2016     640   Q4EtLThkYlEkFvu.exe  Payload.exe
    PID 640 wrote to memory of 2016     640   Q4EtLThkYlEkFvu.exe  Payload.exe
    PID 640 wrote to memory of 1680     640   Q4EtLThkYlEkFvu.exe  attrib.exe
    PID 640 wrote to memory of 1680     640   Q4EtLThkYlEkFvu.exe  attrib.exe
    PID 640 wrote to memory of 1680     640   Q4EtLThkYlEkFvu.exe  attrib.exe
    PID 640 wrote to memory of 1680     640   Q4EtLThkYlEkFvu.exe  attrib.exe
    PID 2016 wrote to memory of 912     2016  Payload.exe          schtasks.exe
    PID 2016 wrote to memory of 912     2016  Payload.exe          schtasks.exe
    PID 2016 wrote to memory of 912     2016  Payload.exe          schtasks.exe
    PID 2016 wrote to memory of 912     2016  Payload.exe          schtasks.exe
    PID 2016 wrote to memory of 1196    2016  Payload.exe          Payload.exe
    PID 2016 wrote to memory of 1196    2016  Payload.exe          Payload.exe
    PID 2016 wrote to memory of 1196    2016  Payload.exe          Payload.exe
    PID 2016 wrote to memory of 1196    2016  Payload.exe          Payload.exe
    PID 2016 wrote to memory of 1196    2016  Payload.exe          Payload.exe
    PID 2016 wrote to memory of 1196    2016  Payload.exe          Payload.exe
    PID 2016 wrote to memory of 1196    2016  Payload.exe          Payload.exe
    PID 2016 wrote to memory of 1196    2016  Payload.exe          Payload.exe
    PID 2016 wrote to memory of 1196    2016  Payload.exe          Payload.exe
    PID 2016 wrote to memory of 1196    2016  Payload.exe          Payload.exe

- Views/modifies file attributes (1 TTP, 1 IoC)
Processes

C:\Users\Admin\AppData\Local\Temp\Q4EtLThkYlEkFvu.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Q4EtLThkYlEkFvu.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yqbepZrEYRD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCFCD.tmp"
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\Q4EtLThkYlEkFvu.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Q4EtLThkYlEkFvu.exe"
    - Drops startup file
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory

    C:\Windows\Payload.exe (depth 3)
      Command line: "C:\Windows\Payload.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\schtasks.exe (depth 4)
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yqbepZrEYRD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp980B.tmp"
        - Creates scheduled task(s)

      C:\Windows\Payload.exe (depth 4)
        Command line: "C:\Windows\Payload.exe"
        - Executes dropped EXE
        - Drops startup file
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\attrib.exe (depth 3)
      Command line: attrib +h +r +s "C:\Windows\Payload.exe"
      - Drops file in Windows directory
      - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
  MD5: e8f49d20662174923b6e40af8ef7bce3
  SHA1: ef2230d6b9376a5da92df975b1e51ba8d0d999c5
  SHA256: 8d3a021ccfcf82e2d7f51df69709ffbabdb9b598507e8a62276d2f35d4c3dcfe
  SHA512: c7d61d3de5ed17747d43c0e24a9206fe655e8695b382ffbe3e97f9d20d07cbade749a6e63c314edf272c059a07afbd57cfae12a7c7a8080073514de0648da1d6

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
  MD5: 194bd8676b7e2dfc56bbb53e57bbf169
  SHA1: 840962b12c2a0518178a81ac3f75837d20d764af
  SHA256: 7b9e08396ce946735eb3a8f04d85cdce0813c0f5091c2032267f455ee473cd60
  SHA512: e486f7c901e7dafadb9eee9298af158c9b80eb690c874be288aa439ed96743ed5be317e528972f72ea8493c81a81e29420749cca53bf1983f664cf24d1070fb7

- C:\Windows\Payload.exe
  MD5: 18156edcb0549e6e856811b5a57b951d
  SHA1: c9c773a0157562c8fa800aad23c670486fd63fbd
  SHA256: 8c6ca1c8128480b39bed5d584b13880534bc0155cf05df5ab5ebd1dc63f53207
  SHA512: c881d069a6403a22b02ee71dd062fdb6718f23c6c1de859d142dcd9e4c642555c3c5f72bc6b0aa1bab3ff6539a7c59e3415bca0b8f636cfcc5b9dbd5afb39775

- C:\Windows\Payload.exe
  MD5: 18156edcb0549e6e856811b5a57b951d
  SHA1: c9c773a0157562c8fa800aad23c670486fd63fbd
  SHA256: 8c6ca1c8128480b39bed5d584b13880534bc0155cf05df5ab5ebd1dc63f53207
  SHA512: c881d069a6403a22b02ee71dd062fdb6718f23c6c1de859d142dcd9e4c642555c3c5f72bc6b0aa1bab3ff6539a7c59e3415bca0b8f636cfcc5b9dbd5afb39775

- C:\Windows\Payload.exe
  MD5: 18156edcb0549e6e856811b5a57b951d
  SHA1: c9c773a0157562c8fa800aad23c670486fd63fbd
  SHA256: 8c6ca1c8128480b39bed5d584b13880534bc0155cf05df5ab5ebd1dc63f53207
  SHA512: c881d069a6403a22b02ee71dd062fdb6718f23c6c1de859d142dcd9e4c642555c3c5f72bc6b0aa1bab3ff6539a7c59e3415bca0b8f636cfcc5b9dbd5afb39775
- memory/640-69-0x0000000075BA1000-0x0000000075BA3000-memory.dmp (Filesize: 8KB)
- memory/640-61-0x0000000000400000-0x0000000000410000-memory.dmp (Filesize: 64KB)
- memory/640-63-0x0000000000400000-0x0000000000410000-memory.dmp (Filesize: 64KB)
- memory/640-64-0x0000000000400000-0x0000000000410000-memory.dmp (Filesize: 64KB)
- memory/640-65-0x0000000000400000-0x0000000000410000-memory.dmp (Filesize: 64KB)
- memory/640-66-0x000000000040836E-mapping.dmp
- memory/640-67-0x0000000000400000-0x0000000000410000-memory.dmp (Filesize: 64KB)
- memory/640-62-0x0000000000400000-0x0000000000410000-memory.dmp (Filesize: 64KB)
- memory/912-79-0x0000000000000000-mapping.dmp
- memory/1196-85-0x000000000040836E-mapping.dmp
- memory/1196-92-0x0000000004D10000-0x0000000004D11000-memory.dmp (Filesize: 4KB)
- memory/1588-55-0x00000000011E0000-0x00000000011E1000-memory.dmp (Filesize: 4KB)
- memory/1588-59-0x0000000000D20000-0x0000000000D4C000-memory.dmp (Filesize: 176KB)
- memory/1588-58-0x0000000000390000-0x0000000000397000-memory.dmp (Filesize: 28KB)
- memory/1588-57-0x0000000000DF0000-0x0000000000DF1000-memory.dmp (Filesize: 4KB)
- memory/1680-74-0x0000000000000000-mapping.dmp
- memory/1808-60-0x0000000000000000-mapping.dmp
- memory/2016-70-0x0000000000000000-mapping.dmp
- memory/2016-73-0x0000000001080000-0x0000000001081000-memory.dmp (Filesize: 4KB)
- memory/2016-77-0x0000000000DA0000-0x0000000000DA1000-memory.dmp (Filesize: 4KB)