Analysis
- max time kernel: 151s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 23:27
- Static task: static1
- Behavioral task: behavioral1
  Sample: 4b54e7e3f754a52d0ed013cd376c069bfdb9e457d134d862b4303691cab03849.exe
  Resource: win7-20220414-en
- Behavioral task: behavioral2
  Sample: 4b54e7e3f754a52d0ed013cd376c069bfdb9e457d134d862b4303691cab03849.exe
  Resource: win10v2004-20220414-en
The behavioural results below are from the windows7_x64 run (behavioral1).
General
- Target: 4b54e7e3f754a52d0ed013cd376c069bfdb9e457d134d862b4303691cab03849.exe
- Size: 37KB
- MD5: b98d25a30a0472eea9a8ead6009a853c
- SHA1: e91b5cfbe442299bf72924422e856424087e9a7e
- SHA256: 4b54e7e3f754a52d0ed013cd376c069bfdb9e457d134d862b4303691cab03849
- SHA512: 4c6ddeddc304ebff72846d115c63f9fe8889f11b44ec5623da22628b5ba258b5b716a02c6722ca483dd466f09db5eea2201af2af8837bc886b9b89c4d4c90314
Malware Config
Extracted
- Family: njrat
- Version: im523
- Botnet: shareman.exe
- C2: ayezhiznboram.ddns.net:6344
- Mutex: 4bdbd1da64cfae6714664f169be7c0ed
- Attributes
  - reg_key: 4bdbd1da64cfae6714664f169be7c0ed
  - splitter: |'|'|
The mutex value is reused as the Run value name and as the Startup-folder filename recorded under Signatures, so it is the most specific host indicator for this build. The C2 is a dynamic-DNS hostname (ddns.net), so hunt on the hostname and port rather than on whatever IP it resolved to during the run.
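What the splitter and C2 fields mean in practice, as an added example that is not part of the sandbox report and not njRAT's own code: a parser that cuts a captured TCP stream into messages and splits each one on |'|'|. The length-prefix framing (ASCII decimal length, NUL byte, payload) and the layout of the "ll" check-in (first field base64 of "<botnet>_<hwid>") are taken from public njRAT write-ups and are assumptions here; the sample stream, hostname and hwid are constructed, and only the splitter, botnet name and C2 come from the config above.

```python
"""Parse njRAT-style C2 traffic using the splitter from the extracted config.
Added example, not sandbox output: the framing and check-in layout are
assumptions taken from public njRAT write-ups."""
import base64

SPLITTER = "|'|'|"                                  # 'splitter' attribute from the config
C2_HOST, C2_PORT = "ayezhiznboram.ddns.net", 6344   # C2 from the config


def frame(payload: bytes) -> bytes:
    """Assumed framing: ASCII decimal length of the payload, a NUL byte, the payload."""
    return b"%d\x00%s" % (len(payload), payload)


def unframe(buf: bytes):
    """Cut a TCP stream into complete payloads; return (payloads, unconsumed bytes)."""
    payloads = []
    while True:
        nul = buf.find(b"\x00")
        if nul <= 0 or not buf[:nul].isdigit():    # no length prefix: not this protocol
            break
        length = int(buf[:nul])
        end = nul + 1 + length
        if len(buf) < end:                          # truncated frame: keep it for the next read
            break
        payloads.append(buf[nul + 1:end])
        buf = buf[end:]
    return payloads, buf


def parse_payload(payload: bytes):
    """Split one payload into (command, fields) on the configured splitter."""
    command, *fields = payload.decode("utf-8", errors="replace").split(SPLITTER)
    return command, fields


def parse_registration(payload: bytes):
    """Decode the assumed 'll' check-in, whose first field is base64('<botnet>_<hwid>')."""
    command, fields = parse_payload(payload)
    if command != "ll" or not fields:
        return None
    try:
        ident = base64.b64decode(fields[0], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    botnet, sep, hwid = ident.rpartition("_")
    if not sep:
        return None
    return {"botnet": botnet, "hwid": hwid, "extra": fields[1:]}


def triage_connection(dst_host: str, dst_port: int, stream: bytes):
    """Flag a connection by destination (the config's C2) and by payload structure."""
    reasons = []
    if (dst_host.lower(), dst_port) == (C2_HOST, C2_PORT):
        reasons.append("known_c2")
    payloads, _ = unframe(stream)
    if any(SPLITTER.encode() in p for p in payloads):
        reasons.append("njrat_splitter_in_framed_payload")
    if any(parse_registration(p) for p in payloads):
        reasons.append("njrat_checkin")
    return reasons


# Constructed sample stream: botnet name from the config; hwid and hostname are made up.
IDENT = base64.b64encode(b"shareman.exe_A1B2C3D4").decode()
CHECKIN = SPLITTER.join(["ll", IDENT, "DESKTOP-TEST", "Admin"]).encode()
SAMPLE_STREAM = frame(CHECKIN) + frame(b"inf" + SPLITTER.encode()) + b"12\x00inc"  # last frame cut short

if __name__ == "__main__":
    print(triage_connection(C2_HOST, C2_PORT, SAMPLE_STREAM))
    print(parse_registration(unframe(SAMPLE_STREAM)[0][0]))
```

The structural check (length prefix plus splitter) is what survives a C2 hostname change between builds; the destination check is what catches this specific build. The truncated third frame is left in the unconsumed buffer rather than dropped, which is the behaviour a stream reassembler needs.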
Signatures
- Executes dropped EXE (1 IoC)
  Process: Hedumay.exe, PID 2024
- Modifies Windows Firewall (1 TTP)
  Hedumay.exe (PID 2024) launches netsh.exe (PID 1988); the command line, recorded in the process tree below, adds a firewall exception for the dropped binary.
- Drops startup file (2 IoCs)
  File created, then opened for modification, by Hedumay.exe:
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4bdbd1da64cfae6714664f169be7c0ed.exe
  (the filename is the mutex/reg_key value from the extracted config)
- Loads dropped DLL (1 IoC)
  Process: 4b54e7e3f754a52d0ed013cd376c069bfdb9e457d134d862b4303691cab03849.exe, PID 784
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) by Hedumay.exe:
  \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\4bdbd1da64cfae6714664f169be7c0ed = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Hedumay.exe\" .."
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\4bdbd1da64cfae6714664f169be7c0ed = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Hedumay.exe\" .."
  Both the per-user Run key and the machine-wide one (Wow6432Node, the 32-bit registry view) are written, with the mutex as the value name and a trailing " .." argument after the quoted path.
- Drops autorun.inf file (1 TTP)
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this likely ransomware behaviour; taken together with the autorun.inf signature above it is more consistent with njRAT's removable-drive spreading, and no file-encryption activity is recorded anywhere in this report.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Process: Hedumay.exe, PID 2024 (64 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: Hedumay.exe, PID 2024
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Hedumay.exe, PID 2024: SeDebugPrivilege once, then nine alternating pairs of Token 33 and SeIncBasePriorityPrivilege.
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 784 (4b54e7e3f754a52d0ed013cd376c069bfdb9e457d134d862b4303691cab03849.exe) wrote to memory of PID 2024 (Hedumay.exe): 4 times
  PID 2024 (Hedumay.exe) wrote to memory of PID 1988 (netsh.exe): 4 times
  In both cases the writer is the parent and the target is a child it has just started; that is the pattern the sandbox also records for ordinary process creation, so on its own it is not evidence of code injection.
Processes
1. C:\Users\Admin\AppData\Local\Temp\4b54e7e3f754a52d0ed013cd376c069bfdb9e457d134d862b4303691cab03849.exe (PID 784)
   Command line: "C:\Users\Admin\AppData\Local\Temp\4b54e7e3f754a52d0ed013cd376c069bfdb9e457d134d862b4303691cab03849.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Hedumay.exe (PID 2024)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Hedumay.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (PID 1988)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Hedumay.exe" "Hedumay.exe" ENABLE
         The "netsh firewall" context is deprecated (superseded by "netsh advfirewall") but still functional on Windows 7; the program it whitelists is the dropped copy in %TEMP%, which is the detection handle for this step.
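The three host artefacts this run leaves behind (a Run value pointing into %TEMP% with a trailing " ..", a Startup-folder executable named after the mutex, and a netsh firewall exception for a %TEMP% binary) turned into detection logic, as an added example that is not part of the sandbox report. It runs over constructed Sysmon-style events modelled on the IoCs above plus one benign firewall change; the event field names (type, cmdline, key, value, path) are this example's own, and the rule names are made up.

```python
"""Host-side detection for the njRAT persistence and firewall artefacts in this report.
Added example, not sandbox output; the event dicts and their field names are constructed."""
import re

# Values lifted from the report.
DROPPED_PATH = r"C:\Users\Admin\AppData\Local\Temp\Hedumay.exe"
RUN_VALUE_NAME = "4bdbd1da64cfae6714664f169be7c0ed"   # reg_key / mutex from the config

TEMP_EXE = re.compile(r'\\AppData\\Local\\Temp\\[^\\"]+\.exe', re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# Both the legacy 'netsh firewall' context used by this sample and its advfirewall successor.
NETSH_ALLOW = re.compile(
    r"\bnetsh(?:\.exe)?\s+(?:firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)",
    re.IGNORECASE,
)


def check_event(ev: dict) -> list:
    """Return the names of the rules an event matches (empty list if none)."""
    hits = []
    kind = ev.get("type")
    if kind == "process_create":
        cmd = ev.get("cmdline", "")
        # A firewall exception for a binary that lives in %TEMP% is the suspicious combination.
        if NETSH_ALLOW.search(cmd) and TEMP_EXE.search(cmd):
            hits.append("netsh_allow_temp_binary")
    elif kind == "registry_set":
        key, value = ev.get("key", ""), ev.get("value", "")
        if RUN_KEY.search(key):
            if TEMP_EXE.search(value):
                hits.append("run_key_temp_binary")
            if value.rstrip().endswith(" .."):        # trailing ' ..' argument seen in the report
                hits.append("run_key_dotdot_argument")
            if key.rsplit("\\", 1)[-1].lower() == RUN_VALUE_NAME:
                hits.append("run_key_known_njrat_mutex_name")
    elif kind == "file_create":
        path = ev.get("path", "")
        if STARTUP_DIR.search(path) and path.lower().endswith(".exe"):
            hits.append("startup_folder_exe_drop")
    return hits


def scan(events):
    """Scan a list of events; return (event index, rule name) pairs in order."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


# Constructed events modelled on the report's IoCs, plus one benign firewall change.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\netsh.exe", "parent": DROPPED_PATH,
     "cmdline": 'netsh firewall add allowedprogram "C:\\Users\\Admin\\AppData\\Local\\Temp\\Hedumay.exe" "Hedumay.exe" ENABLE'},
    {"type": "registry_set",
     "key": r"HKU\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\4bdbd1da64cfae6714664f169be7c0ed",
     "value": '"C:\\Users\\Admin\\AppData\\Local\\Temp\\Hedumay.exe" ..'},
    {"type": "file_create",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4bdbd1da64cfae6714664f169be7c0ed.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\netsh.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="App" dir=in action=allow program="C:\\Program Files\\App\\app.exe"'},
]

if __name__ == "__main__":
    for index, rule in scan(SAMPLE_EVENTS):
        print(index, rule)
```

The mutex-name rule is the only one specific to this build; the %TEMP% and " .." rules generalise to other njRAT builds, and the Startup-folder and netsh rules generalise to other families, so expect the latter two to need an allow-list in a real estate.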
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Hedumay.exe
  (recorded three times in the report, twice with the drive letter and once as \Users\Admin\AppData\Local\Temp\Hedumay.exe; all three entries carry identical hashes)
  Filesize: 37KB
  MD5: b98d25a30a0472eea9a8ead6009a853c
  SHA1: e91b5cfbe442299bf72924422e856424087e9a7e
  SHA256: 4b54e7e3f754a52d0ed013cd376c069bfdb9e457d134d862b4303691cab03849
  SHA512: 4c6ddeddc304ebff72846d115c63f9fe8889f11b44ec5623da22628b5ba258b5b716a02c6722ca483dd466f09db5eea2201af2af8837bc886b9b89c4d4c90314
  These hashes are identical to the submitted sample's: the sample writes a byte-for-byte copy of itself to %TEMP% as Hedumay.exe and runs that copy, so the hashes under General also identify the dropped file.
- memory/784-54-0x0000000076391000-0x0000000076393000-memory.dmp (PID 784, the sample): 8KB
- memory/784-55-0x0000000074B90000-0x000000007513B000-memory.dmp (PID 784, the sample): 5.7MB
- memory/1988-62-0x0000000000000000-mapping.dmp (PID 1988, netsh.exe)
- memory/2024-57-0x0000000000000000-mapping.dmp (PID 2024, Hedumay.exe)
- memory/2024-61-0x0000000074B90000-0x000000007513B000-memory.dmp (PID 2024, Hedumay.exe): 5.7MB