Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20220331-en
- submitted: 07-04-2022 09:27
Behavioral task behavioral1
- Sample: 086d0beffb9ac2f9e7c502496dfffacc.exe
- Resource: win7-20220331-en

Behavioral task behavioral2
- Sample: 086d0beffb9ac2f9e7c502496dfffacc.exe
- Resource: win10v2004-20220331-en
General
- Target: 086d0beffb9ac2f9e7c502496dfffacc.exe
- Size: 37KB
- MD5: 086d0beffb9ac2f9e7c502496dfffacc
- SHA1: 8ab427c8509c644b276db5edca504bd739eb135e
- SHA256: 266dc410718f70b5c26f84779f65f09d0d6d73cc8404285dd4e0d48a90959c5e
- SHA512: be8ad234c1aab5619107bb27b8f6905629b435062e56189472f602d51363c16a65ca6be5bbc0282ccac6044be4e4c377eae393f1ff823d4d2bb3cbb11639c9b2
Malware Config
Extracted
- Family: njrat
- im523
- hack
- 6.tcp.ngrok.io:13420
- 2bafb35469254e19405da7b6b658f17c
- reg_key: 2bafb35469254e19405da7b6b658f17c
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: System.exe (pid 1204)
- Modifies Windows Firewall (1 TTPs)
- Drops startup file (2 IoCs)
  Processes: System.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2bafb35469254e19405da7b6b658f17c.exe
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2bafb35469254e19405da7b6b658f17c.exe
- Loads dropped DLL (1 IoCs)
  Processes: 086d0beffb9ac2f9e7c502496dfffacc.exe (pid 1220)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: System.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows\CurrentVersion\Run\2bafb35469254e19405da7b6b658f17c = "\"C:\\Users\\Admin\\AppData\\Roaming\\System.exe\" .."
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\2bafb35469254e19405da7b6b658f17c = "\"C:\\Users\\Admin\\AppData\\Roaming\\System.exe\" .."
- Drops autorun.inf file (1 TTPs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: System.exe (pid 1204), 64 events
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: System.exe (pid 1204)
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Processes: System.exe (pid 1204)
  - Token: SeDebugPrivilege (1 event)
  - Token: 33 (9 events)
  - Token: SeIncBasePriorityPrivilege (9 events)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 086d0beffb9ac2f9e7c502496dfffacc.exe, System.exe
  - PID 1220 (086d0beffb9ac2f9e7c502496dfffacc.exe) wrote to memory of PID 1204 (System.exe), 4 events
  - PID 1204 (System.exe) wrote to memory of PID 1732 (netsh.exe), 4 events
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\086d0beffb9ac2f9e7c502496dfffacc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\086d0beffb9ac2f9e7c502496dfffacc.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\System.exe
    Command line: "C:\Users\Admin\AppData\Roaming\System.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\System.exe" "System.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\System.exe
  - Filesize: 37KB
  - MD5: 086d0beffb9ac2f9e7c502496dfffacc
  - SHA1: 8ab427c8509c644b276db5edca504bd739eb135e
  - SHA256: 266dc410718f70b5c26f84779f65f09d0d6d73cc8404285dd4e0d48a90959c5e
  - SHA512: be8ad234c1aab5619107bb27b8f6905629b435062e56189472f602d51363c16a65ca6be5bbc0282ccac6044be4e4c377eae393f1ff823d4d2bb3cbb11639c9b2
- \Users\Admin\AppData\Roaming\System.exe
  - Filesize: 37KB
  - MD5: 086d0beffb9ac2f9e7c502496dfffacc
  - SHA1: 8ab427c8509c644b276db5edca504bd739eb135e
  - SHA256: 266dc410718f70b5c26f84779f65f09d0d6d73cc8404285dd4e0d48a90959c5e
  - SHA512: be8ad234c1aab5619107bb27b8f6905629b435062e56189472f602d51363c16a65ca6be5bbc0282ccac6044be4e4c377eae393f1ff823d4d2bb3cbb11639c9b2
- memory/1204-57-0x0000000000000000-mapping.dmp
- memory/1204-61-0x0000000074870000-0x0000000074E1B000-memory.dmp (Filesize: 5.7MB)
- memory/1220-54-0x0000000075901000-0x0000000075903000-memory.dmp (Filesize: 8KB)
- memory/1220-55-0x0000000074870000-0x0000000074E1B000-memory.dmp (Filesize: 5.7MB)
- memory/1732-62-0x0000000000000000-mapping.dmp