Analysis
- max time kernel: 155s
- max time network: 149s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 03-02-2022 15:57
Static task: static1
Behavioral task: behavioral1
- Sample: 8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe
- Resource: win10v2004-en-20220112
General
- Target: 8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe
- Size: 332KB
- MD5: 349d353065a260a6cb340666ae9d5f06
- SHA1: 049c76e212e1e7368c368eb1b47bf18df84f2d61
- SHA256: 8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f
- SHA512: ecd932d518ef32d2c6c25927c9f0298ab380651078df8b3c837ad7027875574b9bb2764f9ac22bc30d65f816313dbf77554b688bcbaec5a1519c0fa6f1fe5293
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: Victime
- C2: kouji.ddns.net:1177
- Mutex: 3c8548e6ad9ecf00a0a44c81e84745f1
- reg_key: 3c8548e6ad9ecf00a0a44c81e84745f1
- splitter: |'|'|
Signatures
-
Executes dropped EXE (3 IoCs)
Processes:
  pid  | process
  1156 | Crack.exe
  1944 | super.exe
  1964 | winlogon.exe
-
Modifies Windows Firewall (1 TTPs)
-
Drops startup file (2 IoCs)
Processes:
  description                  | ioc                                                                                                                  | process
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3c8548e6ad9ecf00a0a44c81e84745f1.exe | winlogon.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3c8548e6ad9ecf00a0a44c81e84745f1.exe | winlogon.exe
-
Loads dropped DLL (10 IoCs)
Processes:
  pid  | process
  1628 | 8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe (8 entries)
  1944 | super.exe (2 entries)
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description     | ioc                                                                                                                                                                                                        | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\3c8548e6ad9ecf00a0a44c81e84745f1 = "\"C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe\" .."                                      | winlogon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\3c8548e6ad9ecf00a0a44c81e84745f1 = "\"C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe\" .." | winlogon.exe
-
Drops file in Program Files directory (6 IoCs)
Processes:
  description                  | ioc                                                              | process
  File opened for modification | C:\Program Files (x86)\udat\Crack.exe                            | 8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe
  File created                 | C:\Program Files (x86)\udat\super.exe                            | 8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe
  File opened for modification | C:\Program Files (x86)\udat\super.exe                            | 8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe
  File opened for modification | C:\Program Files (x86)\udat                                      | 8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe
  File created                 | C:\Program Files (x86)\udat\__tmp_rar_sfx_access_check_199478    | 8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe
  File created                 | C:\Program Files (x86)\udat\Crack.exe                            | 8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings
Processes:
  description | ioc                                                                                                          | process
  Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main | Crack.exe
-
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid  | process
  1156 | Crack.exe
-
Suspicious use of AdjustPrivilegeToken (29 IoCs)
Processes:
  description                       | pid  | process
  Token: SeDebugPrivilege           | 1964 | winlogon.exe
  Token: 33                         | 1964 | winlogon.exe
  Token: SeIncBasePriorityPrivilege | 1964 | winlogon.exe
  (the "Token: 33" and "Token: SeIncBasePriorityPrivilege" rows alternate 14 times each; 29 entries in total)
-
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid  | process
  1156 | Crack.exe (2 entries)
-
Suspicious use of WriteProcessMemory (28 IoCs)
Processes:
  description                       | pid  | process                                                              | target process
  PID 1628 wrote to memory of 1156  | 1628 | 8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe | Crack.exe (7 entries)
  PID 1628 wrote to memory of 1944  | 1628 | 8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe | super.exe (7 entries)
  PID 1944 wrote to memory of 1964  | 1944 | super.exe                                                            | winlogon.exe (7 entries)
  PID 1964 wrote to memory of 2012  | 1964 | winlogon.exe                                                         | netsh.exe (7 entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  -
  C:\Program Files (x86)\udat\Crack.exe (depth 2)
    command line: "C:\Program Files (x86)\udat\Crack.exe"
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
  -
  C:\Program Files (x86)\udat\super.exe (depth 2)
    command line: "C:\Program Files (x86)\udat\super.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    -
    C:\Users\Admin\AppData\Roaming\winlogon.exe (depth 3)
      command line: "C:\Users\Admin\AppData\Roaming\winlogon.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      -
      C:\Windows\SysWOW64\netsh.exe (depth 4)
        command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\winlogon.exe" "winlogon.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\udat\Crack.exe
  MD5: 1c626edcdad864d70de9befdf08bf9c1
  SHA1: cb934d5bfeb4ace53c76b5c3e3f20b3d2266ee6e
  SHA256: e567c91c039b624b4a4d0adceb6879edd9ab834ff6048484ac1c7db4d6cbdf4a
  SHA512: b02e1c9d5d043f1393b3e1e1b431e87a8713618abd2cc9f8264132acc6c1f619f11cb40823aa3bc306073132d5b4b3141b6f21f418ea4bbd31bbd825c6305ab9
-
C:\Program Files (x86)\udat\super.exe
  MD5: a82bd9f52870c56eaf1c5b671675fde3
  SHA1: 497194d1414df0581ea12da2f38c3da71ef81b70
  SHA256: 99a7428f70a6f74c5711f052932f92fc0cc6b89f9d9d010df46b65bfef154df0
  SHA512: eeae72ad2cf725a82f8fc5384de4e65e4175ff18069e07017ede5b615499cef4a7b123ff00e43b21c7c2860a92a36fe358d80965c37ada51cba0ace8ffe937c7
-
C:\Users\Admin\AppData\Roaming\winlogon.exe
  MD5: a82bd9f52870c56eaf1c5b671675fde3
  SHA1: 497194d1414df0581ea12da2f38c3da71ef81b70
  SHA256: 99a7428f70a6f74c5711f052932f92fc0cc6b89f9d9d010df46b65bfef154df0
  SHA512: eeae72ad2cf725a82f8fc5384de4e65e4175ff18069e07017ede5b615499cef4a7b123ff00e43b21c7c2860a92a36fe358d80965c37ada51cba0ace8ffe937c7
-
\Program Files (x86)\udat\Crack.exe
  MD5: 1c626edcdad864d70de9befdf08bf9c1
  SHA1: cb934d5bfeb4ace53c76b5c3e3f20b3d2266ee6e
  SHA256: e567c91c039b624b4a4d0adceb6879edd9ab834ff6048484ac1c7db4d6cbdf4a
  SHA512: b02e1c9d5d043f1393b3e1e1b431e87a8713618abd2cc9f8264132acc6c1f619f11cb40823aa3bc306073132d5b4b3141b6f21f418ea4bbd31bbd825c6305ab9
-
\Program Files (x86)\udat\super.exe
  MD5: a82bd9f52870c56eaf1c5b671675fde3
  SHA1: 497194d1414df0581ea12da2f38c3da71ef81b70
  SHA256: 99a7428f70a6f74c5711f052932f92fc0cc6b89f9d9d010df46b65bfef154df0
  SHA512: eeae72ad2cf725a82f8fc5384de4e65e4175ff18069e07017ede5b615499cef4a7b123ff00e43b21c7c2860a92a36fe358d80965c37ada51cba0ace8ffe937c7
-
\Users\Admin\AppData\Roaming\winlogon.exe
  MD5: a82bd9f52870c56eaf1c5b671675fde3
  SHA1: 497194d1414df0581ea12da2f38c3da71ef81b70
  SHA256: 99a7428f70a6f74c5711f052932f92fc0cc6b89f9d9d010df46b65bfef154df0
  SHA512: eeae72ad2cf725a82f8fc5384de4e65e4175ff18069e07017ede5b615499cef4a7b123ff00e43b21c7c2860a92a36fe358d80965c37ada51cba0ace8ffe937c7
-
memory/1628-54-0x0000000075431000-0x0000000075433000-memory.dmp
  Filesize: 8KB
-
memory/1944-69-0x0000000000A00000-0x0000000000A3E000-memory.dmp
  Filesize: 248KB
-
memory/1944-70-0x0000000000310000-0x000000000031C000-memory.dmp
  Filesize: 48KB
-
memory/1944-71-0x0000000000640000-0x00000000007B3000-memory.dmp
  Filesize: 1.4MB
-
memory/1964-86-0x0000000000940000-0x000000000097E000-memory.dmp
  Filesize: 248KB
-
memory/1964-87-0x0000000004D90000-0x0000000004D91000-memory.dmp
  Filesize: 4KB