Analysis
  Max time kernel: 151s
  Max time network: 46s
  Platform: windows7_x64
  Resource: win7-20220414-en
  Submitted: 20-05-2022 23:59
Behavioral tasks
  behavioral1: sample e9863244d1be98ec45377430e8d9f056e369677bd67649d59de9c9d1a669743f.exe, resource win7-20220414-en
  behavioral2: sample e9863244d1be98ec45377430e8d9f056e369677bd67649d59de9c9d1a669743f.exe, resource win10v2004-20220414-en
General
  Target: e9863244d1be98ec45377430e8d9f056e369677bd67649d59de9c9d1a669743f.exe
  Size: 23KB
  MD5: 8f713ec1e198c1f3146670988a3143c9
  SHA1: 4a1cf100216e3a677b4e06e011adf1300213286b
  SHA256: e9863244d1be98ec45377430e8d9f056e369677bd67649d59de9c9d1a669743f
  SHA512: 7f451161eeb7c0c5f61d2bd82bc026811c95030a022c3fbfa884f86e00332aee2fbc82a23ca398eb57a58311a55932ab32b98460fa2b806f93699763d1e5e929
Malware Config
  Extracted family: njrat
  Version: 0.7d
  Botnet ID: HacKed
  C2: kryptokrypto123.ddns.net:5552
  Mutex: c6dfbab76abb2fb1938d3e35b1bb6f3a
  reg_key: c6dfbab76abb2fb1938d3e35b1bb6f3a
  splitter: |'|'|
Signatures
  Executes dropped EXE (1 IoC)
    PID 1616  Spoofer.exe
  Modifies Windows Firewall (1 TTP)
  Drops startup file (2 IoCs)
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c6dfbab76abb2fb1938d3e35b1bb6f3a.exe  (process: Spoofer.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c6dfbab76abb2fb1938d3e35b1bb6f3a.exe  (process: Spoofer.exe)
  Loads dropped DLL (1 IoC)
    PID 1836  e9863244d1be98ec45377430e8d9f056e369677bd67649d59de9c9d1a669743f.exe
  Adds Run key to start application (2 TTPs, 2 IoCs)
    Set value (str): \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\c6dfbab76abb2fb1938d3e35b1bb6f3a = "\"C:\\Users\\Admin\\Spoofer.exe\" .."  (process: Spoofer.exe)
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\c6dfbab76abb2fb1938d3e35b1bb6f3a = "\"C:\\Users\\Admin\\Spoofer.exe\" .."  (process: Spoofer.exe)
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Suspicious use of AdjustPrivilegeToken (19 IoCs)
    Token: SeDebugPrivilege  PID 1616 Spoofer.exe  (1 time)
    Token: 33  PID 1616 Spoofer.exe  (9 times)
    Token: SeIncBasePriorityPrivilege  PID 1616 Spoofer.exe  (9 times)
  Suspicious use of WriteProcessMemory (8 IoCs)
    PID 1836 (e9863244d1be98ec45377430e8d9f056e369677bd67649d59de9c9d1a669743f.exe) wrote to memory of PID 1616 (Spoofer.exe)  (4 times)
    PID 1616 (Spoofer.exe) wrote to memory of PID 1996 (netsh.exe)  (4 times)
Processes
  C:\Users\Admin\AppData\Local\Temp\e9863244d1be98ec45377430e8d9f056e369677bd67649d59de9c9d1a669743f.exe  (PID 1836)
    Command line: "C:\Users\Admin\AppData\Local\Temp\e9863244d1be98ec45377430e8d9f056e369677bd67649d59de9c9d1a669743f.exe"
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    C:\Users\Admin\Spoofer.exe  (PID 1616, child of PID 1836)
      Command line: "C:\Users\Admin\Spoofer.exe"
      Signatures: Executes dropped EXE; Drops startup file; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\netsh.exe  (PID 1996, child of PID 1616)
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\Spoofer.exe" "Spoofer.exe" ENABLE
Network
MITRE ATT&CK Enterprise v6
Downloads
  C:\Users\Admin\Spoofer.exe
    Filesize: 23KB
    MD5: 8f713ec1e198c1f3146670988a3143c9
    SHA1: 4a1cf100216e3a677b4e06e011adf1300213286b
    SHA256: e9863244d1be98ec45377430e8d9f056e369677bd67649d59de9c9d1a669743f
    SHA512: 7f451161eeb7c0c5f61d2bd82bc026811c95030a022c3fbfa884f86e00332aee2fbc82a23ca398eb57a58311a55932ab32b98460fa2b806f93699763d1e5e929
    (hashes identical to the submitted sample: the dropped Spoofer.exe is a copy of the original executable)
  \Users\Admin\Spoofer.exe
    Filesize: 23KB
    MD5: 8f713ec1e198c1f3146670988a3143c9
    SHA1: 4a1cf100216e3a677b4e06e011adf1300213286b
    SHA256: e9863244d1be98ec45377430e8d9f056e369677bd67649d59de9c9d1a669743f
    SHA512: 7f451161eeb7c0c5f61d2bd82bc026811c95030a022c3fbfa884f86e00332aee2fbc82a23ca398eb57a58311a55932ab32b98460fa2b806f93699763d1e5e929
  memory/1616-57-0x0000000000000000-mapping.dmp
  memory/1616-61-0x0000000074D40000-0x00000000752EB000-memory.dmp  Filesize: 5.7MB
  memory/1836-54-0x0000000076011000-0x0000000076013000-memory.dmp  Filesize: 8KB
  memory/1836-55-0x0000000074D40000-0x00000000752EB000-memory.dmp  Filesize: 5.7MB
  memory/1996-62-0x0000000000000000-mapping.dmp