Analysis
max time kernel: 153s
max time network: 129s
platform: windows7_x64
resource: win7-en-20211208
submitted: 01-02-2022 12:51
Behavioral task behavioral1
Sample: b1124ee47ce6a5bb4750b45d1d93f0c740ebda59fca7f1ee5b3d17ea2613d786.exe
Resource: win7-en-20211208
Behavioral task behavioral2
Sample: b1124ee47ce6a5bb4750b45d1d93f0c740ebda59fca7f1ee5b3d17ea2613d786.exe
Resource: win10v2004-en-20220113
General
Target: b1124ee47ce6a5bb4750b45d1d93f0c740ebda59fca7f1ee5b3d17ea2613d786.exe
Size: 29KB
MD5: a99137353ba10ea6308a00dbf9010dd1
SHA1: 7ed1334e8c33518e941ae230e0ed2cb1c94b4b53
SHA256: b1124ee47ce6a5bb4750b45d1d93f0c740ebda59fca7f1ee5b3d17ea2613d786
SHA512: 563b320037609b4629bf5e584860e0a1f44c78c4696cd5befd2ba3985a672f6fa140302457c77c360439052f254000e7baabd0c7079204806fba0ebe067d7855
Malware Config
Extracted
Family: njrat
Version: 0.6.4
Botnet: Person
C2: 127.0.0.1:456
Mutex: dae31c02cb06222e776b9ccb9207edb1
reg_key: dae31c02cb06222e776b9ccb9207edb1
splitter: |'|'|
Note: the C2 address is the loopback address, so this build cannot reach an operator from the sandbox (or from any other host); it still installs persistence and opens the firewall as recorded below. The reg_key value is reused verbatim as the Run-key value name in the registry IoCs, and the splitter is the field delimiter njRAT uses in its C2 messages.
Signatures
- Executes dropped EXE (1 IoC)
  PID 520 system.exe
- Modifies Windows Firewall (1 TTP)
  PID 520 system.exe launches netsh.exe (PID 872) to add itself to the firewall allow list; the exact command is in the process tree below.
- Loads dropped DLL (1 IoC)
  PID 1540 b1124ee47ce6a5bb4750b45d1d93f0c740ebda59fca7f1ee5b3d17ea2613d786.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\dae31c02cb06222e776b9ccb9207edb1 = "\"C:\\Users\\Admin\\AppData\\Roaming\\system.exe\" .." (process: system.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dae31c02cb06222e776b9ccb9207edb1 = "\"C:\\Users\\Admin\\AppData\\Roaming\\system.exe\" .." (process: system.exe)
  Both values use the extracted reg_key as the value name and point at the copy in %APPDATA%. The HKLM write lands under Wow6432Node because the sample is a 32-bit process on 64-bit Windows 7, so the registry redirector maps HKLM\SOFTWARE for it; a hunt for this persistence has to cover both the native and the Wow6432Node Run keys.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Caveat: that sentence is the sandbox's generic description for this signature. The sample is identified as njRAT (see Malware Config), which enumerates drives for its file-manager and removable-drive spreading features, and nothing else in this report points to ransomware.
- Suspicious behavior: EnumeratesProcesses (31 IoCs)
  PID 520 system.exe (31 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 520 system.exe enabled SeDebugPrivilege
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1540 b1124ee47ce6a5bb4750b45d1d93f0c740ebda59fca7f1ee5b3d17ea2613d786.exe wrote to memory of PID 520 system.exe (4 occurrences)
  PID 520 system.exe wrote to memory of PID 872 netsh.exe (4 occurrences)
  Every write goes from a parent into the child it has just created, and no process outside the tree below is written to, so this is what the sandbox records for ordinary process start-up rather than evidence of injection into a third-party process.
Processes
- C:\Users\Admin\AppData\Local\Temp\b1124ee47ce6a5bb4750b45d1d93f0c740ebda59fca7f1ee5b3d17ea2613d786.exe (PID 1540)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b1124ee47ce6a5bb4750b45d1d93f0c740ebda59fca7f1ee5b3d17ea2613d786.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\system.exe (PID 520)
    Command line: "C:\Users\Admin\AppData\Roaming\system.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 872)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\system.exe" "system.exe" ENABLE
      The legacy "netsh firewall" context is deprecated but still accepted on Windows 7; "add allowedprogram" creates an inbound exception for the %APPDATA% copy so that the RAT can accept connections through the host firewall. netsh.exe is run from SysWOW64 because the 32-bit parent process resolves the System32 path through the WoW64 file-system redirector.
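The following is an added example, not part of the sandbox report and not any vendor's detection content. It shows the checks a detection engineer would derive from the IoCs above and runs them over constructed endpoint telemetry: a Run-key value whose target lives under the user profile (and, when an njRAT config has been extracted, whose value name equals reg_key); a netsh command that allow-lists a program in a user-writable path, or the caller itself; and a dropped file whose SHA-256 equals the submitted sample. The event records and the benign control record are made up for this example, and the field names (EventType, Image, TargetObject, Details, ParentImage, CommandLine) are an assumption borrowed from Sysmon's naming.

```python
"""Added example, not part of the sandbox report or any vendor's detection content.
Checks that would flag the behaviour recorded above when run over endpoint telemetry:
a Run-key value pointing into the user profile (and, when an njRAT config has been
extracted, reusing reg_key as the value name); a netsh command that allow-lists a
program in a user-writable path or the caller itself; and a dropped file whose SHA-256
equals the submitted sample. Event records are constructed to mirror the report's
IoCs; field names follow Sysmon's naming but the records are made up for this example.
"""
import re
from typing import Dict, List, Optional, Tuple

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.I)
USER_PROFILE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\(?:Roaming|Local)\\", re.I)
FIRST_PATH_RE = re.compile(r'^\s*(?:"(?P<q>[^"]+)"|(?P<u>\S+))')
# Legacy 'firewall add allowedprogram <path>' (seen in the report) and 'advfirewall ... program=<path>'.
NETSH_RES = [
    re.compile(r'netsh(?:\.exe)?\s+firewall\s+add\s+allowedprogram\s+(?:"([^"]+)"|(\S+))', re.I),
    re.compile(r'netsh(?:\.exe)?\s+advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=(?:"([^"]+)"|(\S+))', re.I),
]

def first_path(value: str) -> str:
    """Leading (possibly quoted) path of a command line or Run-key value."""
    m = FIRST_PATH_RE.match(value)
    return (m.group("q") or m.group("u")) if m else ""

def firewall_allowed_program(cmdline: str) -> Optional[str]:
    """Program a netsh command adds to the firewall allow list, else None."""
    for rx in NETSH_RES:
        m = rx.search(cmdline)
        if m:
            return m.group(1) or m.group(2)
    return None

def run_key_findings(events: List[Dict[str, str]], reg_key: Optional[str] = None) -> List[Dict[str, str]]:
    """Run-key writes whose target is under the user profile or whose value name reuses reg_key."""
    out = []
    for ev in events:
        m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
        if ev.get("EventType") != "RegistrySetValue" or not m:
            continue
        target, reasons = first_path(ev.get("Details", "")), []
        if USER_PROFILE_RE.match(target):
            reasons.append("autostart target under user profile")
        if reg_key and m.group("name").lower() == reg_key.lower():
            reasons.append("value name equals extracted njRAT reg_key")
        if reasons:
            key = ev["TargetObject"].upper()  # Sysmon (HKLM\...) or native (\REGISTRY\MACHINE\...) form
            hive = "HKLM" if key.startswith("HKLM") or "\\MACHINE\\" in key else "HKU"
            out.append({"hive": hive, "name": m.group("name"), "target": target,
                        "writer": ev.get("Image", ""), "reasons": "; ".join(reasons)})
    return out

def firewall_findings(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """netsh allow-list changes for user-writable programs or for the calling parent."""
    out = []
    for ev in events:
        program = firewall_allowed_program(ev.get("CommandLine", ""))
        if ev.get("EventType") != "ProcessCreate" or program is None:
            continue
        reasons = []
        if USER_PROFILE_RE.match(program):
            reasons.append("allowed program under user profile")
        if program.lower() == ev.get("ParentImage", "").lower():
            reasons.append("parent process allow-listed itself")
        if reasons:
            out.append({"program": program, "parent": ev.get("ParentImage", ""), "reasons": "; ".join(reasons)})
    return out

def self_copies(sample_sha256: str, dropped: List[Tuple[str, str]]) -> List[str]:
    """Paths of dropped files hashing identical to the submitted sample."""
    return [path for path, sha in dropped if sha.lower() == sample_sha256.lower()]

# Constructed telemetry mirroring the report; the last record is a benign control that must not fire.
SAMPLE_SHA256 = "b1124ee47ce6a5bb4750b45d1d93f0c740ebda59fca7f1ee5b3d17ea2613d786"
SYSTEM_EXE = r"C:\Users\Admin\AppData\Roaming\system.exe"
NJRAT_CONFIG = {"c2": "127.0.0.1:456", "reg_key": "dae31c02cb06222e776b9ccb9207edb1", "splitter": "|'|'|"}
DROPPED = [(SYSTEM_EXE, SAMPLE_SHA256)]
EVENTS = [
    {"EventType": "RegistrySetValue", "Image": SYSTEM_EXE, "Details": f'"{SYSTEM_EXE}" ..',
     "TargetObject": r"HKU\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\dae31c02cb06222e776b9ccb9207edb1"},
    {"EventType": "RegistrySetValue", "Image": SYSTEM_EXE, "Details": f'"{SYSTEM_EXE}" ..',
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dae31c02cb06222e776b9ccb9207edb1"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\SysWOW64\netsh.exe", "ParentImage": SYSTEM_EXE,
     "CommandLine": f'netsh firewall add allowedprogram "{SYSTEM_EXE}" "system.exe" ENABLE'},
    {"EventType": "RegistrySetValue", "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r'"C:\Program Files\Vendor\updater.exe" /background'},
]

if __name__ == "__main__":
    print(run_key_findings(EVENTS, NJRAT_CONFIG["reg_key"]))
    print(firewall_findings(EVENTS))
    print(self_copies(SAMPLE_SHA256, DROPPED))
```

The Run-key rule fires on the path alone, so it still catches a build with a different reg_key; the config match is added as a second reason so the analyst can tie the registry write to the extracted configuration. The firewall rule deliberately also fires when the allowed program is the parent of netsh.exe, which is the self-allow-listing pattern in this tree.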
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\system.exe
  MD5: a99137353ba10ea6308a00dbf9010dd1
  SHA1: 7ed1334e8c33518e941ae230e0ed2cb1c94b4b53
  SHA256: b1124ee47ce6a5bb4750b45d1d93f0c740ebda59fca7f1ee5b3d17ea2613d786
  SHA512: 563b320037609b4629bf5e584860e0a1f44c78c4696cd5befd2ba3985a672f6fa140302457c77c360439052f254000e7baabd0c7079204806fba0ebe067d7855
- \Users\Admin\AppData\Roaming\system.exe
  MD5: a99137353ba10ea6308a00dbf9010dd1
  SHA1: 7ed1334e8c33518e941ae230e0ed2cb1c94b4b53
  SHA256: b1124ee47ce6a5bb4750b45d1d93f0c740ebda59fca7f1ee5b3d17ea2613d786
  SHA512: 563b320037609b4629bf5e584860e0a1f44c78c4696cd5befd2ba3985a672f6fa140302457c77c360439052f254000e7baabd0c7079204806fba0ebe067d7855
The dropped system.exe has exactly the hashes of the submitted sample: the loader copies itself byte-for-byte to %APPDATA%\system.exe and runs the copy, so a single file hash covers both the original and the persisted copy.
Memory dumps
- memory/520-60-0x00000000002A0000-0x00000000002A1000-memory.dmp (4KB)
- memory/520-62-0x00000000002A5000-0x00000000002B6000-memory.dmp (68KB)
- memory/1540-54-0x0000000075761000-0x0000000075763000-memory.dmp (8KB)
- memory/1540-55-0x00000000006E0000-0x00000000006E1000-memory.dmp (4KB)