Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220331-en
- submitted: 07-04-2022 16:51
Behavioral task behavioral1
- Sample: 1c51743f17f9c5857d6ef3e2055d7e5c.exe
- Resource: win7-20220331-en
Behavioral task behavioral2
- Sample: 1c51743f17f9c5857d6ef3e2055d7e5c.exe
- Resource: win10v2004-20220331-en
General
- Target: 1c51743f17f9c5857d6ef3e2055d7e5c.exe
- Size: 37KB
- MD5: 1c51743f17f9c5857d6ef3e2055d7e5c
- SHA1: a7ff86648725f2113316fe43c3e090ecdddde833
- SHA256: e38f21ebea32604e4eb53752699175be72bff67e891a9bc5ba06538225554398
- SHA512: 839246085d1e9ce3be6bf618e00812c223a0e7ad5d71d1debe7ce0a5e8653dfd66d0860f79382ec71edf97093e6e23a8e54313aad01ea6ed76b8a3fbacb33f22
Malware Config
Extracted
- Family: njrat
- Version: im523
- Botnet: hack
- C2: 6.tcp.ngrok.io:13420
- Mutex: 2bafb35469254e19405da7b6b658f17c
- reg_key: 2bafb35469254e19405da7b6b658f17c
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 1748  System.exe
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Processes (System.exe):
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2bafb35469254e19405da7b6b658f17c.exe
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2bafb35469254e19405da7b6b658f17c.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid 336  1c51743f17f9c5857d6ef3e2055d7e5c.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (System.exe):
    Set value (str) \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows\CurrentVersion\Run\2bafb35469254e19405da7b6b658f17c = "\"C:\\Users\\Admin\\AppData\\Roaming\\System.exe\" .."
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\2bafb35469254e19405da7b6b658f17c = "\"C:\\Users\\Admin\\AppData\\Roaming\\System.exe\" .."
- Drops autorun.inf file (1 TTP)
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid 1748  System.exe (64 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid 1748  System.exe
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Processes (System.exe, pid 1748):
    Token: SeDebugPrivilege (1 occurrence)
    Token: 33 (9 occurrences)
    Token: SeIncBasePriorityPrivilege (9 occurrences)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    PID 336 (1c51743f17f9c5857d6ef3e2055d7e5c.exe) wrote to memory of PID 1748 (System.exe): 4 occurrences
    PID 1748 (System.exe) wrote to memory of PID 1768 (netsh.exe): 4 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\1c51743f17f9c5857d6ef3e2055d7e5c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1c51743f17f9c5857d6ef3e2055d7e5c.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\System.exe
    Command line: "C:\Users\Admin\AppData\Roaming\System.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\System.exe" "System.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\System.exe
  Filesize: 37KB
  MD5: 1c51743f17f9c5857d6ef3e2055d7e5c
  SHA1: a7ff86648725f2113316fe43c3e090ecdddde833
  SHA256: e38f21ebea32604e4eb53752699175be72bff67e891a9bc5ba06538225554398
  SHA512: 839246085d1e9ce3be6bf618e00812c223a0e7ad5d71d1debe7ce0a5e8653dfd66d0860f79382ec71edf97093e6e23a8e54313aad01ea6ed76b8a3fbacb33f22
- memory/336-54-0x00000000755F1000-0x00000000755F3000-memory.dmp
  Filesize: 8KB
- memory/336-55-0x00000000749B0000-0x0000000074F5B000-memory.dmp
  Filesize: 5.7MB
- memory/1748-57-0x0000000000000000-mapping.dmp
- memory/1748-61-0x00000000749B0000-0x0000000074F5B000-memory.dmp
  Filesize: 5.7MB
- memory/1768-62-0x0000000000000000-mapping.dmp