Analysis
- max time kernel: 150s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 23:32
Static task: static1
Behavioral task: behavioral1
- Sample: c522d9973750b509bea999d0854cd21bfbf854aef3c6e2bfcb041c61f22c42d1.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: c522d9973750b509bea999d0854cd21bfbf854aef3c6e2bfcb041c61f22c42d1.exe
- Resource: win10v2004-20220414-en
General
- Target: c522d9973750b509bea999d0854cd21bfbf854aef3c6e2bfcb041c61f22c42d1.exe
- Size: 37KB
- MD5: 2333a7b5b03e3fa1bd77b635e0a7f0df
- SHA1: 984a1120d48af498288e8ef09f49d8989e0d1aff
- SHA256: c522d9973750b509bea999d0854cd21bfbf854aef3c6e2bfcb041c61f22c42d1
- SHA512: 504063f2913ba7b1ff8dd5a0eee97f421857e1218280e59a64dc707c7e9a6ac290a58c45fcbe05ff38172e037a0994043d979f403d506273c14f86cb895a59c1
Malware Config
Extracted
- Family: njrat
- Version string: im523
- Campaign tag: хороший_чит227 (Russian for "good_cheat227")
- C2: 127.0.0.1:5552 (loopback; 5552 is njRAT's default port, and a controller address of 127.0.0.1 means this build cannot reach an external operator, which fits the absence of any C2 traffic in this report)
- ID: 345d8bf41e0048532905f37e4f8e9889 (reused as the reg_key below, as the Run-key value name and as the Startup-folder filename)
- reg_key: 345d8bf41e0048532905f37e4f8e9889
- splitter: |'|'| (the field delimiter njRAT uses in its C2 protocol)
Signatures

Executes dropped EXE (1 IoC)
Processes:
- PID 2012: РґРґ.exe

Modifies Windows Firewall (1 TTP)
Drops startup file (2 IoCs)
Processes: РґРґ.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\345d8bf41e0048532905f37e4f8e9889.exe
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\345d8bf41e0048532905f37e4f8e9889.exe

Loads dropped DLL (1 IoC)
Processes:
- PID 1448: c522d9973750b509bea999d0854cd21bfbf854aef3c6e2bfcb041c61f22c42d1.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: РґРґ.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\345d8bf41e0048532905f37e4f8e9889 = "\"C:\\Users\\Admin\\AppData\\Roaming\\РґРґ.exe\" .."
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\345d8bf41e0048532905f37e4f8e9889 = "\"C:\\Users\\Admin\\AppData\\Roaming\\РґРґ.exe\" .."
Both values start the %APPDATA% copy with the bare argument "..", the command-line shape njRAT uses for its persistence entry. The value name is the ID from the extracted config, and the Wow6432Node path shows a 32-bit process writing to HKLM, which only succeeded because the sandbox session runs with administrative rights; on a standard-user host only the HKCU entry would be created.
Drops autorun.inf file (1 TTP)
Malware can abuse Windows Autorun to spread further via attached volumes.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic "likely ransomware behaviour" note to this signature, but nothing else in this report (no file encryption, no ransom note) supports that reading; taken together with the autorun.inf drop above, the drive enumeration is better explained as njRAT looking for removable media to copy itself to.
Suspicious use of AdjustPrivilegeToken (19 IoCs)
Processes: РґРґ.exe (PID 2012)
- Token: SeDebugPrivilege (1x)
- Token: 33 (9x; privilege LUID 33 is SeIncreaseWorkingSetPrivilege)
- Token: SeIncBasePriorityPrivilege (9x, each paired with one of the LUID 33 adjustments)
SeDebugPrivilege is the entry to weigh: a RAT has no legitimate need to open other processes with full access. The repeated priority and working-set adjustments are common in benign software and are weak evidence on their own.
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: c522d9973750b509bea999d0854cd21bfbf854aef3c6e2bfcb041c61f22c42d1.exe, РґРґ.exe
- PID 1448 (c522d9973750b509bea999d0854cd21bfbf854aef3c6e2bfcb041c61f22c42d1.exe) wrote to memory of PID 2012 (РґРґ.exe), 4x
- PID 2012 (РґРґ.exe) wrote to memory of PID 1776 (netsh.exe), 4x
Both writers are the parents of their targets in the process tree below, so these writes are consistent with ordinary child-process creation rather than cross-process injection; read the signature as corroborating the tree, not as an injection finding.
Processes
- C:\Users\Admin\AppData\Local\Temp\c522d9973750b509bea999d0854cd21bfbf854aef3c6e2bfcb041c61f22c42d1.exe (PID 1448)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c522d9973750b509bea999d0854cd21bfbf854aef3c6e2bfcb041c61f22c42d1.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\РґРґ.exe (PID 2012, child of 1448)
    Command line: "C:\Users\Admin\AppData\Roaming\РґРґ.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 1776, child of 2012)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\РґРґ.exe" "РґРґ.exe" ENABLE
      The legacy "netsh firewall" context has been deprecated since Windows Vista in favour of "netsh advfirewall firewall", but Windows 7 still honours it; the command adds a firewall exception for the %APPDATA% copy so that its inbound connections are not blocked. The 32-bit netsh under SysWOW64 is what a 32-bit parent gets by default on x64.
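The process tree and registry writes above give three host-side behaviours worth alerting on: a legacy "netsh firewall add allowedprogram" exception for a binary under AppData, a Run value pointing into AppData\Roaming that ends in njRAT's " .." argument, and a file dropped into the user's Startup folder. The following Python is an added example written for this page (not code from the sandbox or from the report) that encodes those three checks as rules over Sysmon-style events. The event records are constructed to mirror the report's PIDs, paths and registry value, with two made-up benign events as controls; the field names (EventID, Image, ParentImage, CommandLine, TargetObject, Details, TargetFilename) follow Sysmon's schema and are an assumption about the log source.

```python
import re

# Constructed Sysmon-style events (not from the page's sandbox run). PIDs, paths
# and the Run-key value mirror the report; the last two events are invented
# benign controls that the rules must not flag.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2012,
     "Image": r"C:\Users\Admin\AppData\Roaming\РґРґ.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\c522d9973750b509bea999d0854cd21bfbf854aef3c6e2bfcb041c61f22c42d1.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Roaming\РґРґ.exe"'},
    {"EventID": 1, "ProcessId": 1776,
     "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Roaming\РґРґ.exe",
     "CommandLine": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\РґРґ.exe" "РґРґ.exe" ENABLE'},
    {"EventID": 13, "ProcessId": 2012,
     "Image": r"C:\Users\Admin\AppData\Roaming\РґРґ.exe",
     "TargetObject": r"HKU\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\345d8bf41e0048532905f37e4f8e9889",
     "Details": r'"C:\Users\Admin\AppData\Roaming\РґРґ.exe" ..'},
    {"EventID": 11, "ProcessId": 2012,
     "Image": r"C:\Users\Admin\AppData\Roaming\РґРґ.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\345d8bf41e0048532905f37e4f8e9889.exe"},
    {"EventID": 1, "ProcessId": 3000,  # control: admin adding a rule for a Program Files binary
     "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="Backup" dir=in action=allow program="C:\Program Files\Backup\agent.exe"'},
    {"EventID": 13, "ProcessId": 3001,  # control: installer registering a tray app
     "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r'"C:\Program Files\Vendor\tray.exe" /background'},
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Legacy 'netsh firewall add allowedprogram [program=]"<path>" ...' (deprecated, still accepted on Win7)
NETSH_ALLOWEDPROGRAM = re.compile(r'firewall\s+add\s+allowedprogram\s+(?:program=)?"?([^"]+)"?', re.IGNORECASE)
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


def detect(event):
    """Return [(rule_name, process_id), ...] for a single event."""
    hits = []
    eid = event.get("EventID")
    pid = event.get("ProcessId")
    image = event.get("Image", "")
    if eid == 1 and image.lower().endswith("\\netsh.exe"):
        m = NETSH_ALLOWEDPROGRAM.search(event.get("CommandLine", ""))
        # Fire when the whitelisted program, or the process that spawned netsh,
        # lives in a user-writable AppData path (report: PID 2012 -> PID 1776).
        if m and (USER_WRITABLE.search(m.group(1)) or USER_WRITABLE.search(event.get("ParentImage", ""))):
            hits.append(("netsh_allowedprogram_userdir", pid))
    elif eid == 13:
        m = RUN_KEY.search(event.get("TargetObject", ""))
        details = event.get("Details", "")
        if m and USER_WRITABLE.search(details):
            hits.append(("run_key_to_appdata", pid))
            # njRAT names the value after its 32-hex ID and appends " .." to the command
            if details.rstrip().endswith(" ..") and HEX32.match(m.group(1)):
                hits.append(("njrat_run_key_pattern", pid))
    elif eid == 11:
        target = event.get("TargetFilename", "")
        if STARTUP_DIR.search(target) and USER_WRITABLE.search(image):
            hits.append(("startup_folder_drop_from_appdata", pid))
    return hits


def hunt(events):
    """Run detect() over every event and group the rule names by process id."""
    by_pid = {}
    for ev in events:
        for rule, pid in detect(ev):
            by_pid.setdefault(pid, []).append(rule)
    return by_pid


if __name__ == "__main__":
    for pid, rules in sorted(hunt(SAMPLE_EVENTS).items()):
        print(pid, ", ".join(rules))
```

Run against the constructed events, PID 2012 collects the Run-key and Startup-folder rules (the njRAT-specific pattern fires because the value name is 32 hex characters and the command ends in " .."), PID 1776 collects the netsh rule, and neither control event produces a hit. In a real deployment the generic rules (run_key_to_appdata, startup_folder_drop_from_appdata) will also fire on some legitimate per-user software, so they are triage signals; the netsh and njRAT-pattern rules are precise enough to alert on directly.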
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\РґРґ.exe (listed three times in the report, once without the drive letter; all three entries carry identical hashes)
  - Filesize: 37KB
  - MD5: 2333a7b5b03e3fa1bd77b635e0a7f0df
  - SHA1: 984a1120d48af498288e8ef09f49d8989e0d1aff
  - SHA256: c522d9973750b509bea999d0854cd21bfbf854aef3c6e2bfcb041c61f22c42d1
  - SHA512: 504063f2913ba7b1ff8dd5a0eee97f421857e1218280e59a64dc707c7e9a6ac290a58c45fcbe05ff38172e037a0994043d979f403d506273c14f86cb895a59c1
  These hashes match the submitted sample exactly: РґРґ.exe is a byte-for-byte copy of c522d9973750b509bea999d0854cd21bfbf854aef3c6e2bfcb041c61f22c42d1.exe written to %APPDATA%, which the original then launches (PID 1448 -> 2012) so that persistence points at the copy rather than at the file in %TEMP%. One SHA256 therefore covers both the sample and the installed artefact.
- memory/1448-54-0x0000000075F61000-0x0000000075F63000-memory.dmp (8KB)
- memory/1448-55-0x0000000074A80000-0x000000007502B000-memory.dmp (5.7MB)
- memory/1776-62-0x0000000000000000-mapping.dmp
- memory/2012-57-0x0000000000000000-mapping.dmp
- memory/2012-61-0x0000000074A80000-0x000000007502B000-memory.dmp (5.7MB)
  The same 0x74A80000-0x7502B000 region is dumped from both PID 1448 and PID 2012, which is expected given that the two processes are the same executable (identical hashes above) and therefore load the same modules at the same addresses.