Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 08-11-2021 05:55
Behavioral task behavioral1
- Sample: 9697d0ca386be540d9acb955cf074ca3aec0f7248f62c275751e83ac5947645d.exe
- Resource: win7-en-20211104
Behavioral task behavioral2
- Sample: 9697d0ca386be540d9acb955cf074ca3aec0f7248f62c275751e83ac5947645d.exe
- Resource: win10-en-20211014
The signatures, process tree and memory dumps below belong to behavioral2 (the windows10_x64 run on win10-en-20211014 listed under Analysis); the output of the win7 task is not shown on this page.
General
- Target: 9697d0ca386be540d9acb955cf074ca3aec0f7248f62c275751e83ac5947645d.exe
- Size: 32KB
- MD5: 01285e4a7c3a833728dd600fa8f33d93
- SHA1: 4636ab9028287ddfe799dc6465d7b2666f6d6f47
- SHA256: 9697d0ca386be540d9acb955cf074ca3aec0f7248f62c275751e83ac5947645d
- SHA512: e86e740378282fc577c7f9a50c7ba70647924f42471f5a016a16cb3395c1777b3f6be04f99995c5ab16dff808dc52f46005869497b98be8e6f3dc85dd15dae0b
Malware Config
Extracted
- Family: njrat
- Campaign/botnet string: 좀비 (Korean, "zombie")
- Identifier: 6506cdba2a23ee6c81479f21c5d918fd (the same string is reused below as the Run value name, the Startup-folder file name and the reg_key attribute)
- reg_key: 6506cdba2a23ee6c81479f21c5d918fd
No C2 host or port appears in the configuration shown here; the extraction recovered only the campaign string and the registry/file identifier.
Signatures
- Executes dropped EXE (1 IoC)
  PID 3160  CRONOS.exe
- Modifies Windows Firewall (1 TTP)
  CRONOS.exe (PID 3160) spawns netsh.exe (PID 504) to register itself as an allowed program; the full command line is in the process tree below.
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6506cdba2a23ee6c81479f21c5d918fd.exe  (by CRONOS.exe)
  File opened for modification: same path  (by CRONOS.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6506cdba2a23ee6c81479f21c5d918fd = "\"C:\\Users\\Admin\\AppData\\Roaming\\CRONOS.exe\" .."  (by CRONOS.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\6506cdba2a23ee6c81479f21c5d918fd = "\"C:\\Users\\Admin\\AppData\\Roaming\\CRONOS.exe\" .."  (by CRONOS.exe)
  The machine-wide value lands under WOW6432Node because CRONOS.exe is a 32-bit process on an x64 guest (it also launches netsh.exe from SysWOW64). The trailing " .." after the quoted path is the argument string njRAT writes into its Run value and is a useful hunting pivot: legitimate Run entries do not end that way.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this "likely ransomware behaviour", but nothing else in this report (no bulk file writes or renames) supports that reading; for njRAT, drive enumeration is the expected precursor of its removable-drive spreading routine.
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  All by CRONOS.exe (PID 3160): Token: SeDebugPrivilege once at startup, followed by 16 alternating pairs of Token: 33 (reported by LUID) and Token: SeIncBasePriorityPrivilege.
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2344 (9697d0ca386be540d9acb955cf074ca3aec0f7248f62c275751e83ac5947645d.exe) wrote to memory of PID 3160 (CRONOS.exe), 3 times.
  PID 3160 (CRONOS.exe) wrote to memory of PID 504 (netsh.exe), 3 times.
  Each write targets a direct child the same parent has just created, a pattern consistent with process creation rather than injection; the report shows no write into a pre-existing or unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\9697d0ca386be540d9acb955cf074ca3aec0f7248f62c275751e83ac5947645d.exe  (PID 2344)
   Command line: "C:\Users\Admin\AppData\Local\Temp\9697d0ca386be540d9acb955cf074ca3aec0f7248f62c275751e83ac5947645d.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\CRONOS.exe  (PID 3160)
      Command line: "C:\Users\Admin\AppData\Roaming\CRONOS.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe  (PID 504)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\CRONOS.exe" "CRONOS.exe" ENABLE
         The legacy "netsh firewall" context is deprecated in favour of "netsh advfirewall firewall" but still executes on Windows 10 (with a deprecation notice), so the exception is created as intended.
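The persistence chain this report records (self-copy to %AppData% and relaunch from there, a Run value ending in " ..", a Startup-folder drop named with the 32-hex identifier, and a netsh firewall exception for a program under the user profile) is distinctive enough to hunt for in endpoint telemetry. The following Python is an added example and is not part of the sandbox report or of any tool named on this page. It runs those checks over constructed Sysmon-style events (EventID 1 process create, 11 file create, 13 registry value set) that mirror the IoCs above, plus two benign decoys; the event field names, rule names and path heuristics are assumptions of this example.

```python
"""Hunt for the njRAT persistence pattern from the report over Sysmon-style events."""
import re
from typing import Dict, Iterable, List

# Constructed Sysmon-style events mirroring the sandbox report, plus two benign
# decoys (an OneDrive Run entry, a vendor advfirewall rule). Not real log data.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "Image": r"C:\Users\Admin\AppData\Roaming\CRONOS.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\9697d0ca386be540d9acb955cf074ca3aec0f7248f62c275751e83ac5947645d.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Roaming\CRONOS.exe"'},
    {"EventID": 11, "Image": r"C:\Users\Admin\AppData\Roaming\CRONOS.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6506cdba2a23ee6c81479f21c5d918fd.exe"},
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Roaming\CRONOS.exe",
     "TargetObject": r"HKU\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\6506cdba2a23ee6c81479f21c5d918fd",
     "Details": r'"C:\Users\Admin\AppData\Roaming\CRONOS.exe" ..'},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Roaming\CRONOS.exe",
     "CommandLine": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\CRONOS.exe" "CRONOS.exe" ENABLE'},
    # Benign decoys: nothing below should fire.
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="Vendor" dir=in action=allow program="C:\Program Files\Vendor\agent.exe"'},
]

# Heuristics (assumptions of this example): user-writable locations, njRAT-style names.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\", re.I)
HEX32_NAME = re.compile(r"^[0-9a-f]{32}(\.exe)?$", re.I)
RUN_KEY = re.compile(r"\\Software\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\([^\\]+)$", re.I)
LEGACY_ALLOW = re.compile(r"\bfirewall\s+add\s+allowedprogram\s+\"?([^\"]+?\.exe)\"?", re.I)
ADV_PROGRAM = re.compile(r"\bprogram=\"?([^\"]+?\.exe)\"?", re.I)


def detect(events: Iterable[Dict[str, object]]) -> List[Dict[str, str]]:
    """Return one finding per matching event, with the evidence and the reason it fired."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        eid = ev.get("EventID")
        image = str(ev.get("Image", ""))
        if eid == 13:  # registry value set: look for Run values with njRAT traits
            m = RUN_KEY.search(str(ev.get("TargetObject", "")))
            details = str(ev.get("Details", ""))
            if not m:
                continue
            why = []
            if details.rstrip().endswith(" .."):
                why.append("trailing ' ..' argument (njRAT Run-value idiom)")
            if USER_WRITABLE.search(details):
                why.append("target lives in a user-writable directory")
            if HEX32_NAME.match(m.group(1)):
                why.append("value name is a bare 32-hex identifier")
            if why:
                findings.append({"rule": "run_key_persistence", "evidence": details, "why": "; ".join(why)})
        elif eid == 11:  # file create: executables dropped into the Startup folder
            target = str(ev.get("TargetFilename", ""))
            m = STARTUP_DIR.search(target)
            if m and (USER_WRITABLE.search(image) or HEX32_NAME.match(m.group(1))):
                findings.append({"rule": "startup_folder_drop", "evidence": target, "why": f"written by {image}"})
        elif eid == 1:  # process create: netsh exceptions and user-dir parent/child chains
            cmd = str(ev.get("CommandLine", ""))
            parent = str(ev.get("ParentImage", ""))
            if image.lower().endswith("\\netsh.exe"):
                m = LEGACY_ALLOW.search(cmd) or ADV_PROGRAM.search(cmd)
                if m and USER_WRITABLE.search(m.group(1)):
                    findings.append({"rule": "firewall_exception", "evidence": cmd,
                                     "why": f"allow rule for {m.group(1)} in a user-writable directory"})
            elif USER_WRITABLE.search(image) and USER_WRITABLE.search(parent):
                findings.append({"rule": "exec_from_user_dir", "evidence": cmd, "why": f"{parent} launched {image}"})
    return findings


def triage(events: Iterable[Dict[str, object]]) -> List[str]:
    """Sorted, de-duplicated rule names that fired; an empty list means nothing matched."""
    return sorted({f["rule"] for f in detect(events)})


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['why']}\n    {f['evidence']}")
```

Run against the constructed events, all four rules fire on the njRAT chain and neither decoy produces a finding. The " .." check is the cheapest single pivot; the user-writable-path and 32-hex-name checks are what keep the Run-key and Startup rules from flagging ordinary installers.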
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\CRONOS.exe
  MD5: 01285e4a7c3a833728dd600fa8f33d93
  SHA1: 4636ab9028287ddfe799dc6465d7b2666f6d6f47
  SHA256: 9697d0ca386be540d9acb955cf074ca3aec0f7248f62c275751e83ac5947645d
  SHA512: e86e740378282fc577c7f9a50c7ba70647924f42471f5a016a16cb3395c1777b3f6be04f99995c5ab16dff808dc52f46005869497b98be8e6f3dc85dd15dae0b
  All four hashes match the submitted sample: CRONOS.exe is a byte-identical copy of 9697d0ca386be540d9acb955cf074ca3aec0f7248f62c275751e83ac5947645d.exe, so the first stage copies itself to %AppData% and relaunches from there rather than unpacking a separate payload.
- memory/504-120-0x0000000000000000-mapping.dmp  (netsh.exe, PID 504)
- memory/2344-115-0x00000000015A0000-0x00000000015A1000-memory.dmp  (PID 2344), Filesize 4KB
- memory/3160-116-0x0000000000000000-mapping.dmp  (CRONOS.exe, PID 3160)
- memory/3160-119-0x0000000002B30000-0x0000000002B31000-memory.dmp  (CRONOS.exe, PID 3160), Filesize 4KB