Analysis
max time kernel: 149s
max time network: 46s
platform: windows7_x64
resource: win7-20220414-en
submitted: 20-05-2022 22:54
Behavioral task: behavioral1
Sample: 2c99e49bee02b3833e3261074d7bea04f693b96d3598a1792a0e40640bd61300.exe
Resource: win7-20220414-en
General
Target: 2c99e49bee02b3833e3261074d7bea04f693b96d3598a1792a0e40640bd61300.exe
Size: 37KB
MD5: a85447229532856b5447ddcadf0d99b9
SHA1: c24b5c23db289cdddbcde67111b1264928a1be2c
SHA256: 2c99e49bee02b3833e3261074d7bea04f693b96d3598a1792a0e40640bd61300
SHA512: 824b3dcf0e76dd77d0b76602a98d227275861e5505b5bac6d4128d43209d424d87ad484b1058b14dc9fb0d657c0f74190c0ae60e544188e38e58a394308e652d
Malware Config
Extracted
Family: njrat
Version: im523
Botnet: HacKed
C2: svalkabomja333.hopto.org:1978
Mutex: ebdf784e4c631a8b558a06107e351925
reg_key: ebdf784e4c631a8b558a06107e351925
splitter: |'|'|
Signatures
Executes dropped EXE (1 IoC)
  Processes: pid 984, java.exe
Modifies Windows Firewall (1 TTP)
Loads dropped DLL (1 IoC)
  Processes: pid 1012, 2c99e49bee02b3833e3261074d7bea04f693b96d3598a1792a0e40640bd61300.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Processes:
  Token: SeDebugPrivilege, pid 984, java.exe (1 event)
  Token: 33, pid 984, java.exe (9 events)
  Token: SeIncBasePriorityPrivilege, pid 984, java.exe (9 events)
Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  PID 1012 (2c99e49bee02b3833e3261074d7bea04f693b96d3598a1792a0e40640bd61300.exe) wrote to memory of PID 984 (java.exe): 7 events
  PID 984 (java.exe) wrote to memory of PID 2040 (netsh.exe): 4 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\2c99e49bee02b3833e3261074d7bea04f693b96d3598a1792a0e40640bd61300.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2c99e49bee02b3833e3261074d7bea04f693b96d3598a1792a0e40640bd61300.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\java.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\java.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\java.exe" "java.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\java.exe
  Filesize: 37KB
  MD5: a85447229532856b5447ddcadf0d99b9
  SHA1: c24b5c23db289cdddbcde67111b1264928a1be2c
  SHA256: 2c99e49bee02b3833e3261074d7bea04f693b96d3598a1792a0e40640bd61300
  SHA512: 824b3dcf0e76dd77d0b76602a98d227275861e5505b5bac6d4128d43209d424d87ad484b1058b14dc9fb0d657c0f74190c0ae60e544188e38e58a394308e652d
memory/984-57-0x0000000000000000-mapping.dmp
memory/984-61-0x0000000075000000-0x00000000755AB000-memory.dmp (Filesize: 5.7MB)
memory/1012-54-0x0000000076851000-0x0000000076853000-memory.dmp (Filesize: 8KB)
memory/1012-55-0x0000000075000000-0x00000000755AB000-memory.dmp (Filesize: 5.7MB)
memory/2040-62-0x0000000000000000-mapping.dmp