Analysis
- max time kernel: 151s
- max time network: 148s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 02-01-2022 18:51
Behavioral task: behavioral1
- Sample: 306437A282F51A0C6ECD6E3EAAB2EF9FC376973DA40AE.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 306437A282F51A0C6ECD6E3EAAB2EF9FC376973DA40AE.exe
- Resource: win10-en-20211208
General
- Target: 306437A282F51A0C6ECD6E3EAAB2EF9FC376973DA40AE.exe
- Size: 27KB
- MD5: 03aaaf240a48f950913695178125016a
- SHA1: b7fe1523b02d05539f769f4beead332e5f0e18bc
- SHA256: 306437a282f51a0c6ecd6e3eaab2ef9fc376973da40ae0972bee7ea3839d0909
- SHA512: 6af11725e06efd01ca1429e567ca93d608436b165a23229eea623e25291967ce3f057af5c596974d86a5e0c55b38a27a0b121471f2b49cd25c543e77ce09460d
Malware Config
Extracted
- family: njrat
- version: v2.0
- HacKed
- C2: zaki-botnet.portmap.host:5222
- Windows
- reg_key: Windows
- splitter: |-F-|
Signatures
- Executes dropped EXE (1 IoC)
  Process: Payload.exe (PID 1344)
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk (process: 306437A282F51A0C6ECD6E3EAAB2EF9FC376973DA40AE.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk (process: Payload.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe" (process: 306437A282F51A0C6ECD6E3EAAB2EF9FC376973DA40AE.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Process: Payload.exe (PID 1344)
  Token: SeDebugPrivilege, followed by alternating Token: 33 and Token: SeIncBasePriorityPrivilege entries (35 in total), all from PID 1344 Payload.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2668 (306437A282F51A0C6ECD6E3EAAB2EF9FC376973DA40AE.exe) wrote to memory of PID 1344 (Payload.exe), 3 times
  PID 2668 (306437A282F51A0C6ECD6E3EAAB2EF9FC376973DA40AE.exe) wrote to memory of PID 1188 (attrib.exe), 3 times
- Views/modifies file attributes (1 TTP, 1 IoC)
Processes
- C:\Users\Admin\AppData\Local\Temp\306437A282F51A0C6ECD6E3EAAB2EF9FC376973DA40AE.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\306437A282F51A0C6ECD6E3EAAB2EF9FC376973DA40AE.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Payload.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
    - Executes dropped EXE
    - Drops startup file
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\attrib.exe
    Command line: attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
    - Views/modifies file attributes
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\Payload.exe
  MD5: 03aaaf240a48f950913695178125016a
  SHA1: b7fe1523b02d05539f769f4beead332e5f0e18bc
  SHA256: 306437a282f51a0c6ecd6e3eaab2ef9fc376973da40ae0972bee7ea3839d0909
  SHA512: 6af11725e06efd01ca1429e567ca93d608436b165a23229eea623e25291967ce3f057af5c596974d86a5e0c55b38a27a0b121471f2b49cd25c543e77ce09460d
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
  MD5: 1991f10d1bb9587a4dcc25f2bb8c8f9e
  SHA1: 5c9df522aed5a83549ac696e199db82a566bdd85
  SHA256: d357a14dee540d8f10bad73521e229b86a7789a4e9932724c526de1ff3df38c1
  SHA512: 5d92dccecb7bf44e60a5b75d5add092e986aaccfc65a64a837d90cb10a38afb398bd1494061808e92ecd6c1cdb55202dcb6fbe688cd51b61433959ffeae7cb29
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
  MD5: 30a1e8d4c1d5393b551df0bd30231068
  SHA1: acd37b0c5e64b705e6184a184d11fa7856997cb3
  SHA256: 43bc7531c86a8ae4933a6f1d36032a42ca7ef4afb37d25a6c8637712c01176a5
  SHA512: fd7bd945b17e45317e82de7b5110078fc76db4652d63b83d51b183c1b6ca4f42bf22d1415f070274d33865cbc01466f89221cbb25496455512b7041b6f2b889c
- memory/1188-118-0x0000000000000000-mapping.dmp
- memory/1344-116-0x0000000000000000-mapping.dmp
- memory/1344-122-0x00000000021C0000-0x00000000021C1000-memory.dmp
  Filesize: 4KB
- memory/2668-115-0x00000000023F0000-0x00000000023F1000-memory.dmp
  Filesize: 4KB