Analysis
Max time kernel: 150s
Max time network: 153s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 20-05-2022 23:47
Static task: static1
Behavioral task: behavioral1
  Sample: 9a4ec6b06682a36705365f027947859f0ae5b5883bc31dc0460f224f2501fb60.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 9a4ec6b06682a36705365f027947859f0ae5b5883bc31dc0460f224f2501fb60.exe
  Resource: win10v2004-20220414-en
General
Target: 9a4ec6b06682a36705365f027947859f0ae5b5883bc31dc0460f224f2501fb60.exe
Size: 5.3MB
MD5: aae3c28cbe57932f7916d0a9d7db6baa
SHA1: 55e6340e67dec2470dd61a7fb235636ed813623c
SHA256: 9a4ec6b06682a36705365f027947859f0ae5b5883bc31dc0460f224f2501fb60
SHA512: 4cde79d3b953fe5e768c1d7b9acd90242e01add92c654ac8a63b9fa6e199169b715786c4a917fe3624ae0b10340918d9b83a1f7f69a75b79cf62e85bd9df72dc
Malware Config
Extracted: njrat
  0.7d
  Windows
  195.123.210.61:3003
  ede277fb5affe7dc0052cadbd3bda25a
  reg_key: ede277fb5affe7dc0052cadbd3bda25a
  splitter: Y262SUCZ4UJJ
Signatures
Executes dropped EXE (3 IoCs)
  PID 1096  Client.exe
  PID 1512  d.exe
  PID 1528  WindowsService.exe
Modifies Windows Firewall (1 TTPs)
Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ede277fb5affe7dc0052cadbd3bda25a.exe  (process: WindowsService.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ede277fb5affe7dc0052cadbd3bda25a.exe  (process: WindowsService.exe)
Loads dropped DLL (3 IoCs)
  PID 2028  9a4ec6b06682a36705365f027947859f0ae5b5883bc31dc0460f224f2501fb60.exe
  PID 2028  9a4ec6b06682a36705365f027947859f0ae5b5883bc31dc0460f224f2501fb60.exe
  PID 1096  Client.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\ede277fb5affe7dc0052cadbd3bda25a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WindowsService.exe\" .."  (process: WindowsService.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ede277fb5affe7dc0052cadbd3bda25a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WindowsService.exe\" .."  (process: WindowsService.exe)
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1096  Client.exe  (64 identical entries)
Suspicious use of AdjustPrivilegeToken (20 IoCs)
  Token: SeDebugPrivilege  PID 1096  Client.exe
  Token: SeDebugPrivilege  PID 1528  WindowsService.exe
  Token: 33  PID 1528  WindowsService.exe  (9 entries)
  Token: SeIncBasePriorityPrivilege  PID 1528  WindowsService.exe  (9 entries)
Suspicious use of FindShellTrayWindow (1 IoCs)
  PID 1512  d.exe
Suspicious use of SendNotifyMessage (1 IoCs)
  PID 1512  d.exe
Suspicious use of WriteProcessMemory (16 IoCs)
  PID 2028 (9a4ec6b06682a36705365f027947859f0ae5b5883bc31dc0460f224f2501fb60.exe) wrote to memory of PID 1096 (Client.exe)  (4 entries)
  PID 2028 (9a4ec6b06682a36705365f027947859f0ae5b5883bc31dc0460f224f2501fb60.exe) wrote to memory of PID 1512 (d.exe)  (4 entries)
  PID 1096 (Client.exe) wrote to memory of PID 1528 (WindowsService.exe)  (4 entries)
  PID 1528 (WindowsService.exe) wrote to memory of PID 1548 (netsh.exe)  (4 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\9a4ec6b06682a36705365f027947859f0ae5b5883bc31dc0460f224f2501fb60.exe  (depth 1, PID 2028)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9a4ec6b06682a36705365f027947859f0ae5b5883bc31dc0460f224f2501fb60.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Client.exe  (depth 2, PID 1096)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\WindowsService.exe  (depth 3, PID 1528)
      Command line: "C:\Users\Admin\AppData\Local\Temp\WindowsService.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\netsh.exe  (depth 4, PID 1548)
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\WindowsService.exe" "WindowsService.exe" ENABLE
  C:\Users\Admin\AppData\Local\Temp\d.exe  (depth 2, PID 1512)
    Command line: "C:\Users\Admin\AppData\Local\Temp\d.exe"
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\Client.exe
  Filesize: 31KB
  MD5: 7eb85491f79a9bf8fcb175ad7fba546a
  SHA1: 59b81367a87b2ece4473e3acb974e440d82f12c1
  SHA256: fb289eb564e9ade777a3a92fbcdb01d89518741336d843746bff246e16f06f73
  SHA512: 377dbef52d80f6a29a5d2eff9cfd1ca99f7ae3d1f81bea327dcbaac552d0b8bfd4159bc3e2b19d3c034ae6ec737711db700e0cd547286c3be2bb629242fa2486
C:\Users\Admin\AppData\Local\Temp\WindowsService.exe
  Filesize: 31KB
  MD5: 7eb85491f79a9bf8fcb175ad7fba546a
  SHA1: 59b81367a87b2ece4473e3acb974e440d82f12c1
  SHA256: fb289eb564e9ade777a3a92fbcdb01d89518741336d843746bff246e16f06f73
  SHA512: 377dbef52d80f6a29a5d2eff9cfd1ca99f7ae3d1f81bea327dcbaac552d0b8bfd4159bc3e2b19d3c034ae6ec737711db700e0cd547286c3be2bb629242fa2486
C:\Users\Admin\AppData\Local\Temp\d.exe
  Filesize: 8.5MB
  MD5: 70ea9c044c9a766330d3fe77418244a5
  SHA1: 18602d0db52917b88cbdab84ba89181e6fd4686a
  SHA256: b78fb092e151db613cba51d7f2532547e48c6f4712809a485f272e2ab55776a5
  SHA512: 5261865e7ca21e928b956a97518366c9dc218a2312961e0ba0b72b37ae7c797176382de3c3dc1d2949aca51c3db330562f1087a71efdc7c3c3b8f8928872f917
\Users\Admin\AppData\Local\Temp\Client.exe
  Filesize: 31KB
  MD5: 7eb85491f79a9bf8fcb175ad7fba546a
  SHA1: 59b81367a87b2ece4473e3acb974e440d82f12c1
  SHA256: fb289eb564e9ade777a3a92fbcdb01d89518741336d843746bff246e16f06f73
  SHA512: 377dbef52d80f6a29a5d2eff9cfd1ca99f7ae3d1f81bea327dcbaac552d0b8bfd4159bc3e2b19d3c034ae6ec737711db700e0cd547286c3be2bb629242fa2486
\Users\Admin\AppData\Local\Temp\WindowsService.exe
  Filesize: 31KB
  MD5: 7eb85491f79a9bf8fcb175ad7fba546a
  SHA1: 59b81367a87b2ece4473e3acb974e440d82f12c1
  SHA256: fb289eb564e9ade777a3a92fbcdb01d89518741336d843746bff246e16f06f73
  SHA512: 377dbef52d80f6a29a5d2eff9cfd1ca99f7ae3d1f81bea327dcbaac552d0b8bfd4159bc3e2b19d3c034ae6ec737711db700e0cd547286c3be2bb629242fa2486
\Users\Admin\AppData\Local\Temp\d.exe
  Filesize: 8.5MB
  MD5: 70ea9c044c9a766330d3fe77418244a5
  SHA1: 18602d0db52917b88cbdab84ba89181e6fd4686a
  SHA256: b78fb092e151db613cba51d7f2532547e48c6f4712809a485f272e2ab55776a5
  SHA512: 5261865e7ca21e928b956a97518366c9dc218a2312961e0ba0b72b37ae7c797176382de3c3dc1d2949aca51c3db330562f1087a71efdc7c3c3b8f8928872f917
memory/1096-65-0x0000000074820000-0x0000000074DCB000-memory.dmp
  Filesize: 5.7MB
memory/1096-56-0x0000000000000000-mapping.dmp
memory/1512-61-0x0000000000000000-mapping.dmp
memory/1512-66-0x0000000074820000-0x0000000074DCB000-memory.dmp
  Filesize: 5.7MB
memory/1512-67-0x0000000000346000-0x0000000000357000-memory.dmp
  Filesize: 68KB
memory/1528-69-0x0000000000000000-mapping.dmp
memory/1528-73-0x0000000074820000-0x0000000074DCB000-memory.dmp
  Filesize: 5.7MB
memory/1548-74-0x0000000000000000-mapping.dmp
memory/2028-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp
  Filesize: 8KB