Analysis
- max time kernel: 148s
- max time network: 44s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 23:16
Behavioral task: behavioral1
Sample: 6a5cc3ae2bf1d36f6cec374f08b03644f08325ab479d1cb6c1d70e55729d0151.exe
Resource: win7-20220414-en
General
- Target: 6a5cc3ae2bf1d36f6cec374f08b03644f08325ab479d1cb6c1d70e55729d0151.exe
- Size: 23KB
- MD5: 0ce5a45b067dc03a754bb4b6c602eb89
- SHA1: 2a62a801e458589825060bd2553291b6696baca3
- SHA256: 6a5cc3ae2bf1d36f6cec374f08b03644f08325ab479d1cb6c1d70e55729d0151
- SHA512: fbf79df660446362e4fdc0c14d1b4f2087bae7259f582726b59796bc005f371ce8c2cbbf96364303c13583a53bb970062f8ec7c23f967c01cc8c53343715eee4
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: 127.0.0.1:5552
- Mutex: d5d39712f604de76fd6f37ea70887795
- reg_key: d5d39712f604de76fd6f37ea70887795
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    960 / Checkcheats.exe
- Modifies Windows Firewall (1 TTP)
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
    1684 / 6a5cc3ae2bf1d36f6cec374f08b03644f08325ab479d1cb6c1d70e55729d0151.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege / 960 / Checkcheats.exe
    Token: 33 / 960 / Checkcheats.exe (9 occurrences)
    Token: SeIncBasePriorityPrivilege / 960 / Checkcheats.exe (9 occurrences)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description / pid / process / target process):
    PID 1684 wrote to memory of 960 / 1684 / 6a5cc3ae2bf1d36f6cec374f08b03644f08325ab479d1cb6c1d70e55729d0151.exe / Checkcheats.exe (4 occurrences)
    PID 960 wrote to memory of 1728 / 960 / Checkcheats.exe / netsh.exe (4 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\6a5cc3ae2bf1d36f6cec374f08b03644f08325ab479d1cb6c1d70e55729d0151.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6a5cc3ae2bf1d36f6cec374f08b03644f08325ab479d1cb6c1d70e55729d0151.exe"
  PID: 1684
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Checkcheats.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Checkcheats.exe"
    PID: 960
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Checkcheats.exe" "Checkcheats.exe" ENABLE
      PID: 1728
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Checkcheats.exe
  Filesize: 23KB
  MD5: 0ce5a45b067dc03a754bb4b6c602eb89
  SHA1: 2a62a801e458589825060bd2553291b6696baca3
  SHA256: 6a5cc3ae2bf1d36f6cec374f08b03644f08325ab479d1cb6c1d70e55729d0151
  SHA512: fbf79df660446362e4fdc0c14d1b4f2087bae7259f582726b59796bc005f371ce8c2cbbf96364303c13583a53bb970062f8ec7c23f967c01cc8c53343715eee4
- memory/960-57-0x0000000000000000-mapping.dmp
- memory/960-61-0x0000000074640000-0x0000000074BEB000-memory.dmp
  Filesize: 5.7MB
- memory/1684-54-0x0000000076431000-0x0000000076433000-memory.dmp
  Filesize: 8KB
- memory/1684-55-0x0000000074640000-0x0000000074BEB000-memory.dmp
  Filesize: 5.7MB
- memory/1728-62-0x0000000000000000-mapping.dmp