Analysis
- max time kernel: 4294217s (a wrapped counter rather than a real run time; the network window below is the meaningful duration)
- max time network: 147s
- platform: windows7_x64
- resource: win7-20220310-en
- submitted: 27-03-2022 16:27

Behavioral tasks
- behavioral1: Sample 29761cea6322ff4d985807bd6367ccd0.exe, Resource win7-20220310-en
- behavioral2: Sample 29761cea6322ff4d985807bd6367ccd0.exe, Resource win10v2004-20220310-en
General
- Target: 29761cea6322ff4d985807bd6367ccd0.exe
- Size: 37KB
- MD5: 29761cea6322ff4d985807bd6367ccd0
- SHA1: c66cea52ca72cc85344a55f872a1b77fad4e895b
- SHA256: 877968fc395c36225759ca3a735c35ee708a1be05b23b35c8efa8c7b8ef86061
- SHA512: fad86ad9faf1357259386344ac5e7b047c09dd75be017c2bfd907ba6c8c0e2a98a3102881cbba9c71f2c1259e2a72b0146be16137af3618cc675d08d9f31852e
Malware Config
Extracted
- Family: njrat
- Version: im523
- Botnet: Bot
- C2: 94.244.28.246:31280
- Mutex: 88f496bc65b64e4436a26a2698687f66
- reg_key: 88f496bc65b64e4436a26a2698687f66
- splitter: |'|'|

The 32-hex-character value is reused throughout the run: it is the mutex, the Run-key value name, and the filename of the Startup-folder copy recorded in the signatures below, so it is a usable host-side identifier for this build. The splitter is the field delimiter njRAT uses inside its C2 messages and is a usable network-side one.
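What the `splitter` field is for, as an added example that is not part of the sandbox report or the malware's code: njRAT sends length-prefixed frames (ASCII decimal length, a NUL byte, then the payload) whose payload fields are joined by the configured splitter. The parser below keeps partial frames across reads, because a TCP capture rarely delivers frame boundaries cleanly. The framing convention is the commonly documented one for the njRAT 0.7d family; the beacon fields and the command name `inf` in the demo are constructed placeholders, not captured traffic or the real field order.

```python
"""Length-prefixed, splitter-delimited framing as used by njRAT-style C2.

Added example, not code from the report. Wire format assumed:
    b"<decimal payload length>\x00" + payload
with payload fields joined by the config's splitter value.
"""
import base64

SPLITTER = b"|'|'|"  # the 'splitter' value extracted from this sample's config


def encode_frame(fields, splitter=SPLITTER):
    """Build one frame from a list of byte-string fields."""
    payload = splitter.join(fields)
    return str(len(payload)).encode() + b"\x00" + payload


def parse_frames(buf, splitter=SPLITTER):
    """Return (frames, remainder) for a byte buffer.

    frames is a list of field lists; remainder holds trailing bytes that do
    not yet form a complete frame and must be prepended to the next read.
    """
    frames = []
    pos = 0
    while True:
        nul = buf.find(b"\x00", pos)
        if nul < 0:
            break  # no complete length prefix yet
        length_bytes = buf[pos:nul]
        if not length_bytes.isdigit():
            raise ValueError("bad length prefix at offset %d" % pos)
        length = int(length_bytes)
        start, end = nul + 1, nul + 1 + length
        if end > len(buf):
            break  # payload not fully received; keep the partial frame
        frames.append(buf[start:end].split(splitter))
        pos = end
    return frames, buf[pos:]


def decode_victim_id(field):
    """njRAT's first beacon carries base64("<botnet>_<hwid>"); split it."""
    botnet, _, hwid = base64.b64decode(field).decode().partition("_")
    return botnet, hwid


def demo():
    """Constructed beacon + second frame, delivered across two TCP reads."""
    victim_id = base64.b64encode(b"Bot_0123456789ABCDEF")  # constructed hwid
    beacon = encode_frame([b"ll", victim_id, b"DESKTOP-TEST", b"Admin",
                           b"Win 7 Ultimate SP1 x64"])  # placeholder fields
    second = encode_frame([b"inf"])  # placeholder command name
    stream = beacon + second
    cut = len(beacon) - 3  # first read ends 3 bytes before the beacon ends
    first_frames, rest = parse_frames(stream[:cut])
    second_frames, leftover = parse_frames(rest + stream[cut:])
    return first_frames, second_frames, leftover


if __name__ == "__main__":
    first, second, leftover = demo()
    print("after read 1:", first)
    print("after read 2:", second, "leftover:", leftover)
    print("victim id ->", decode_victim_id(second[0][1]))
```

A network signature for this family can key on the `|'|'|` splitter appearing shortly after a `<digits>\x00` prefix at the start of a TCP payload; the decimal-length-plus-NUL framing is itself unusual enough to be worth a rule on its own.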
Signatures

Executes dropped EXE (1 IoC)
- Process: system.exe, PID 1948
Modifies Windows Firewall (1 TTP)
Drops startup file (2 IoCs)
Process: system.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\88f496bc65b64e4436a26a2698687f66.exe
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\88f496bc65b64e4436a26a2698687f66.exe
Loads dropped DLL (1 IoC)
- Process: 29761cea6322ff4d985807bd6367ccd0.exe, PID 1780
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: system.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run\88f496bc65b64e4436a26a2698687f66 = "\"C:\\ProgramData\\system.exe\" .."
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\88f496bc65b64e4436a26a2698687f66 = "\"C:\\ProgramData\\system.exe\" .."

Two points for triage: the HKLM write landed under Wow6432Node because the sample is a 32-bit process going through registry redirection, and it succeeded only because the sandbox user could write HKLM; on an unprivileged host only the HKCU entry would persist. The trailing " .." after the quoted path is characteristic of njRAT's persistence entries and is worth matching on.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour", but the extracted configuration identifies the sample as njRAT, a remote access trojan; drive enumeration in this family serves its file-manager and removable-drive spreading features. The ransomware reading should not be carried forward without encryption or ransom-note artifacts, and none appear in this report.
Suspicious use of AdjustPrivilegeToken (35 IoCs)
Process: system.exe, PID 1948
- SeDebugPrivilege, enabled once
- 17 repeated pairs of: privilege LUID 33 (SeIncreaseWorkingSetPrivilege) followed by SeIncBasePriorityPrivilege

SeIncBasePriorityPrivilege is what a process needs to raise its own scheduling priority; the 17 identical pairs reflect one code path invoked repeatedly, not 35 distinct actions. The SeDebugPrivilege request is the one that matters for triage, since it is what a RAT needs to open other users' processes.
Suspicious use of WriteProcessMemory (8 IoCs)
- 4 x PID 1780 (29761cea6322ff4d985807bd6367ccd0.exe) wrote to memory of PID 1948 (system.exe)
- 4 x PID 1948 (system.exe) wrote to memory of PID 2040 (netsh.exe)

In both cases the target is a child the writer has just spawned, which is consistent with ordinary process creation (the parent populating the new process's startup data) rather than code injection; the useful fact here is the parent/child chain.
Processes
- C:\Users\Admin\AppData\Local\Temp\29761cea6322ff4d985807bd6367ccd0.exe (PID 1780)
  Command line: "C:\Users\Admin\AppData\Local\Temp\29761cea6322ff4d985807bd6367ccd0.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\system.exe (PID 1948)
    Command line: "C:\ProgramData\system.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 2040)
      Command line: netsh firewall add allowedprogram "C:\ProgramData\system.exe" "system.exe" ENABLE

The firewall exception uses the legacy "netsh firewall" context (superseded by "netsh advfirewall" but still accepted), and the SysWOW64 copy of netsh confirms the caller is a 32-bit process. A netsh child of anything under ProgramData, AppData or Temp adding an allowed program is a strong standalone indicator.
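The persistence and firewall artifacts above, turned into host detection logic and run over constructed Sysmon-style events. This is an added example, not part of the sandbox report; the events are built by hand to mirror the report's IoCs (paths, registry keys, netsh command line) plus one benign control, and the field names follow Sysmon's (Image, CommandLine, TargetObject, Details, TargetFilename). The rule names are the example's own.

```python
"""Detection for njRAT-style persistence + firewall exception, over
constructed Sysmon-like events. Added example, not report content."""
import re

# Locations a standard user can write to; autostart entries pointing here
# deserve scrutiny, entries under Program Files / System32 far less so.
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "\\appdata\\", "c:\\windows\\temp\\")
RUN_KEY_RE = re.compile(r"\\software\\(wow6432node\\)?microsoft\\windows\\currentversion\\run\\", re.I)
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)
NETSH_ALLOW_RE = re.compile(r"\bfirewall\s+add\s+allowedprogram\b|\badvfirewall\s+firewall\s+add\s+rule\b", re.I)
HEX32_RE = re.compile(r"(^|\\)[0-9a-f]{32}(\.exe)?$", re.I)  # njRAT's 32-hex install name


def in_user_writable(path):
    p = path.lower().strip('"')
    return any(tag in p for tag in USER_WRITABLE)


def check_event(ev):
    """Return a list of (rule, detail) findings for one event, or []."""
    findings = []
    eid = ev["EventID"]
    if eid == 1 and "netsh" in ev["Image"].lower() and NETSH_ALLOW_RE.search(ev["CommandLine"]):
        m = re.search(r'"([^"]+\.exe)"', ev["CommandLine"])
        prog = m.group(1) if m else ""
        if in_user_writable(prog):
            findings.append(("firewall_allow_user_writable_exe", prog))
    elif eid == 13 and RUN_KEY_RE.search(ev["TargetObject"]):
        name = ev["TargetObject"].rsplit("\\", 1)[-1]
        details = ev["Details"]
        if in_user_writable(details):
            findings.append(("run_key_to_user_writable_exe", details))
        if HEX32_RE.search(name):
            findings.append(("run_key_name_is_32_hex", name))
        if details.rstrip().endswith(" .."):  # trailing ' ..' seen in njRAT Run values
            findings.append(("njrat_style_run_value_suffix", details))
    elif eid == 11 and STARTUP_RE.search(ev["TargetFilename"]):
        findings.append(("startup_folder_drop", ev["TargetFilename"]))
        if HEX32_RE.search(ev["TargetFilename"]):
            findings.append(("startup_filename_is_32_hex", ev["TargetFilename"]))
    return findings


def triage(events):
    """Group distinct rule hits by process; netsh hits are credited to the parent
    that launched it, since the one-shot child is not the thing to contain."""
    by_proc = {}
    for ev in events:
        key = ev.get("ParentProcessId", ev["ProcessId"]) if ev["EventID"] == 1 else ev["ProcessId"]
        for rule, _detail in check_event(ev):
            by_proc.setdefault(key, set()).add(rule)
    return sorted(by_proc.items(), key=lambda kv: -len(kv[1]))


SID = "S-1-5-21-2932610838-281738825-1127631353-1000"
SAMPLE_EVENTS = [  # constructed to mirror the report's IoCs
    {"EventID": 13, "ProcessId": 1948, "Image": "C:\\ProgramData\\system.exe",
     "TargetObject": "HKU\\" + SID + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\88f496bc65b64e4436a26a2698687f66",
     "Details": '"C:\\ProgramData\\system.exe" ..'},
    {"EventID": 13, "ProcessId": 1948, "Image": "C:\\ProgramData\\system.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\88f496bc65b64e4436a26a2698687f66",
     "Details": '"C:\\ProgramData\\system.exe" ..'},
    {"EventID": 11, "ProcessId": 1948, "Image": "C:\\ProgramData\\system.exe",
     "TargetFilename": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\88f496bc65b64e4436a26a2698687f66.exe"},
    {"EventID": 1, "ProcessId": 2040, "ParentProcessId": 1948, "Image": "C:\\Windows\\SysWOW64\\netsh.exe",
     "CommandLine": 'netsh firewall add allowedprogram "C:\\ProgramData\\system.exe" "system.exe" ENABLE'},
    # benign control: a vendor installer registering an updater under Program Files
    {"EventID": 13, "ProcessId": 3100, "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater",
     "Details": '"C:\\Program Files\\Vendor\\updater.exe" /background'},
]

if __name__ == "__main__":
    for pid, rules in triage(SAMPLE_EVENTS):
        print(pid, sorted(rules))
```

Each rule on its own is noisy (installers write Run keys; admins add firewall exceptions), which is why `triage` counts distinct rules per process: a single process tripping the Run key, Startup folder and firewall rules inside one run is the combination this report shows, and it is rare for legitimate software.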
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\system.exe (also recorded as \ProgramData\system.exe; three entries in the raw report refer to this one file)
  - Filesize: 37KB
  - MD5: 29761cea6322ff4d985807bd6367ccd0
  - SHA1: c66cea52ca72cc85344a55f872a1b77fad4e895b
  - SHA256: 877968fc395c36225759ca3a735c35ee708a1be05b23b35c8efa8c7b8ef86061
  - SHA512: fad86ad9faf1357259386344ac5e7b047c09dd75be017c2bfd907ba6c8c0e2a98a3102881cbba9c71f2c1259e2a72b0146be16137af3618cc675d08d9f31852e

The hashes match the submitted target exactly: the sample copies itself byte-for-byte to C:\ProgramData\system.exe rather than unpacking a second stage, so the original file hashes are sufficient to match the persisted copy and the Startup-folder copy.
Memory dumps
- memory/1780-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp: 8KB
- memory/1780-55-0x00000000745B0000-0x0000000074B5B000-memory.dmp: 5.7MB
- memory/1948-57-0x0000000000000000-mapping.dmp
- memory/1948-61-0x00000000745B0000-0x0000000074B5B000-memory.dmp: 5.7MB
- memory/2040-62-0x0000000000000000-mapping.dmp