Analysis
max time kernel: 61s
max time network: 59s
platform: windows10_x64
resource: win10-en-20211208
submitted: 21-12-2021 20:29
Behavioral task: behavioral1
Sample: gtarpcheat.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: gtarpcheat.exe
Resource: win10-en-20211208
General
Target: gtarpcheat.exe
Size: 103KB
MD5: c1baf97f7fb46569c697c3d719ad6cec
SHA1: 82396f8670a064715b8c1bf6d54b84e3ccc90331
SHA256: 9c722b7e216af094f3c8fc75011dac7b619ca0d83042ee7de350d08fccaf7feb
SHA512: 17bdc72566b604b4794b4935022930001a344ebf485a996aaeaa9928a327edfb87a5c009bb400fae5720c43e92742d173677cfb3b33a5ae729c626031794e1eb
Malware Config
Extracted
Family: njrat
Version: im523
Botnet: GTA RP
C2: microsoftsecurityessentials.duckdns.org:1177
Mutex: 2d2d20531cddc7f18203ecb28deee8a9
Attributes:
reg_key: 2d2d20531cddc7f18203ecb28deee8a9
splitter: |'|'|
Signatures
-
Executes dropped EXE (1 IoCs)
Processes:
pid 756 explorer.exe
-
Modifies Windows Firewall (1 TTPs)
-
Drops startup file (2 IoCs)
Processes:
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2d2d20531cddc7f18203ecb28deee8a9.exe (explorer.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2d2d20531cddc7f18203ecb28deee8a9.exe (explorer.exe)
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
Set value (str): \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\2d2d20531cddc7f18203ecb28deee8a9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe\" .." (explorer.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\2d2d20531cddc7f18203ecb28deee8a9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe\" .." (explorer.exe)
-
Drops autorun.inf file (1 TTPs)
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill (1 IoCs)
Processes:
pid 3496 taskkill.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid 756 explorer.exe (64 identical events)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
pid 756 explorer.exe
-
Suspicious use of AdjustPrivilegeToken (12 IoCs)
Processes:
Token: SeDebugPrivilege, pid 756 explorer.exe
Token: SeDebugPrivilege, pid 3496 taskkill.exe
Token: 33, pid 756 explorer.exe (5 events)
Token: SeIncBasePriorityPrivilege, pid 756 explorer.exe (5 events)
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
PID 3684 gtarpcheat.exe wrote to memory of 756 explorer.exe (3 events)
PID 756 explorer.exe wrote to memory of 3468 netsh.exe (3 events)
PID 756 explorer.exe wrote to memory of 3496 taskkill.exe (3 events)
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\gtarpcheat.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\gtarpcheat.exe"
    PID: 3684
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\explorer.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        PID: 756
        - Executes dropped EXE
        - Drops startup file
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\netsh.exe
            Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\explorer.exe" "explorer.exe" ENABLE
            PID: 3468
        [3] C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /F /IM Exsample.exe
            PID: 3496
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5: c1baf97f7fb46569c697c3d719ad6cec
SHA1: 82396f8670a064715b8c1bf6d54b84e3ccc90331
SHA256: 9c722b7e216af094f3c8fc75011dac7b619ca0d83042ee7de350d08fccaf7feb
SHA512: 17bdc72566b604b4794b4935022930001a344ebf485a996aaeaa9928a327edfb87a5c009bb400fae5720c43e92742d173677cfb3b33a5ae729c626031794e1eb