Analysis
max time kernel: 4294211s
max time network: 128s
platform: windows7_x64
resource: win7-20220311-en
submitted: 28-03-2022 16:29
Static task: static1
Behavioral task: behavioral1
  Sample: e6e87151daaf725992dd568559325789058b681d9a615ab40ad28f23ea2a63ad.exe
  Resource: win7-20220311-en
Behavioral task: behavioral2
  Sample: e6e87151daaf725992dd568559325789058b681d9a615ab40ad28f23ea2a63ad.exe
  Resource: win10v2004-en-20220113
General
Target: e6e87151daaf725992dd568559325789058b681d9a615ab40ad28f23ea2a63ad.exe
Size: 3.2MB
MD5: 1f4471d1fb4cf66f97b4fefb6ce5f489
SHA1: f26121f7400b3284a5ba231678b8ca82f77cb0e1
SHA256: e6e87151daaf725992dd568559325789058b681d9a615ab40ad28f23ea2a63ad
SHA512: f57289013e805d84d78e978adfbc663d050c92bff57c53b554977892ac355bf75caf9795ffcddb09b44c16f47b10cc10a293b1cb11178b37289c14bba4db670a
Malware Config
Extracted
Family: njrat
Version: Haf4me
Botnet: zombie
C2: getrattedlol.inner574.kro.kr:666
Mutex: 1553eeb1b07c73f12f12cb58bb315e07
Attributes:
  reg_key: 1553eeb1b07c73f12f12cb58bb315e07
  splitter: |'|'|
Signatures
Executes dropped EXE (2 IoCs)
Processes:
- PID 804 CDS.exe
- PID 740 crypted.exe
Modifies Windows Firewall (1 TTPs)
Drops startup file (2 IoCs)
Processes:
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1553eeb1b07c73f12f12cb58bb315e07.exe (crypted.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1553eeb1b07c73f12f12cb58bb315e07.exe (crypted.exe)
Loads dropped DLL (8 IoCs)
Processes:
- PID 1764 e6e87151daaf725992dd568559325789058b681d9a615ab40ad28f23ea2a63ad.exe (1 event)
- PID 804 CDS.exe (6 events)
- PID 740 crypted.exe (1 event)
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes:
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce (e6e87151daaf725992dd568559325789058b681d9a615ab40ad28f23ea2a63ad.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (e6e87151daaf725992dd568559325789058b681d9a615ab40ad28f23ea2a63ad.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\1553eeb1b07c73f12f12cb58bb315e07 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\crypted.exe\" .." (crypted.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\1553eeb1b07c73f12f12cb58bb315e07 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\crypted.exe\" .." (crypted.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- PID 804 CDS.exe (2 events)
Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes:
- PID 740 crypted.exe: Token: SeDebugPrivilege, then alternating Token: 33 and Token: SeIncBasePriorityPrivilege (35 events in total)
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
- PID 804 CDS.exe (2 events)
Suspicious use of WriteProcessMemory (21 IoCs)
Processes:
- PID 1764 e6e87151daaf725992dd568559325789058b681d9a615ab40ad28f23ea2a63ad.exe wrote to memory of PID 804 CDS.exe (7 events)
- PID 804 CDS.exe wrote to memory of PID 740 crypted.exe (7 events)
- PID 740 crypted.exe wrote to memory of PID 1048 netsh.exe (7 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\e6e87151daaf725992dd568559325789058b681d9a615ab40ad28f23ea2a63ad.exe (PID 1764)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e6e87151daaf725992dd568559325789058b681d9a615ab40ad28f23ea2a63ad.exe"
  Signatures:
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe (PID 804, parent PID 1764)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
    Signatures:
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe (PID 740, parent PID 804)
      Command line: "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"
      Signatures:
      - Executes dropped EXE
      - Drops startup file
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      Child process:
      - C:\Windows\SysWOW64\netsh.exe (PID 1048, parent PID 740)
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe" "crypted.exe" ENABLE
Network
MITRE ATT&CK Enterprise v6
Downloads