Analysis
- max time kernel: 186s
- max time network: 203s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 04:12
Behavioral task: behavioral1
- Sample: fa21401f20cba55b974d46788986e56e2e385da3cdd9260872567036a70ce168.exe
- Resource: win7-20220414-en
General
- Target: fa21401f20cba55b974d46788986e56e2e385da3cdd9260872567036a70ce168.exe
- Size: 31KB
- MD5: f2599c8241785a47e4a5e54628e15ee2
- SHA1: 6126a67caf537bc201f5e8d56ca83d1d6f094e9a
- SHA256: fa21401f20cba55b974d46788986e56e2e385da3cdd9260872567036a70ce168
- SHA512: e9b84b27669d85de7e9410a02f726024efd24cdad1c8d5840c03f433a97c70b20d1bf4bb3888caea3e82461214f5fb756a7ba9fdb634658b795d11494c872e1a
Malware Config
Extracted: njrat 0.7d
- install
- 2.132.107.223:6522
- bd5be1175c6ff120fdbcfd0476b2cd35
- reg_key: bd5be1175c6ff120fdbcfd0476b2cd35
- splitter: Y262SUCZ4UJJ
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  - 1152, install.exe
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
  - File created, C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd5be1175c6ff120fdbcfd0476b2cd35.exe, install.exe
  - File opened for modification, C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd5be1175c6ff120fdbcfd0476b2cd35.exe, install.exe
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
  - 1260, fa21401f20cba55b974d46788986e56e2e385da3cdd9260872567036a70ce168.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 1152, install.exe
  - Token: 33, 1152, install.exe
  - Token: SeIncBasePriorityPrivilege, 1152, install.exe
  - Token: 33, 1152, install.exe
  - Token: SeIncBasePriorityPrivilege, 1152, install.exe
  - Token: 33, 1152, install.exe
  - Token: SeIncBasePriorityPrivilege, 1152, install.exe
  - Token: 33, 1152, install.exe
  - Token: SeIncBasePriorityPrivilege, 1152, install.exe
  - Token: 33, 1152, install.exe
  - Token: SeIncBasePriorityPrivilege, 1152, install.exe
  - Token: 33, 1152, install.exe
  - Token: SeIncBasePriorityPrivilege, 1152, install.exe
  - Token: 33, 1152, install.exe
  - Token: SeIncBasePriorityPrivilege, 1152, install.exe
  - Token: 33, 1152, install.exe
  - Token: SeIncBasePriorityPrivilege, 1152, install.exe
  - Token: 33, 1152, install.exe
  - Token: SeIncBasePriorityPrivilege, 1152, install.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
  - PID 1260 wrote to memory of 1152, 1260, fa21401f20cba55b974d46788986e56e2e385da3cdd9260872567036a70ce168.exe, install.exe
  - PID 1260 wrote to memory of 1152, 1260, fa21401f20cba55b974d46788986e56e2e385da3cdd9260872567036a70ce168.exe, install.exe
  - PID 1260 wrote to memory of 1152, 1260, fa21401f20cba55b974d46788986e56e2e385da3cdd9260872567036a70ce168.exe, install.exe
  - PID 1260 wrote to memory of 1152, 1260, fa21401f20cba55b974d46788986e56e2e385da3cdd9260872567036a70ce168.exe, install.exe
  - PID 1260 wrote to memory of 1152, 1260, fa21401f20cba55b974d46788986e56e2e385da3cdd9260872567036a70ce168.exe, install.exe
  - PID 1260 wrote to memory of 1152, 1260, fa21401f20cba55b974d46788986e56e2e385da3cdd9260872567036a70ce168.exe, install.exe
  - PID 1260 wrote to memory of 1152, 1260, fa21401f20cba55b974d46788986e56e2e385da3cdd9260872567036a70ce168.exe, install.exe
  - PID 1152 wrote to memory of 1988, 1152, install.exe, netsh.exe
  - PID 1152 wrote to memory of 1988, 1152, install.exe, netsh.exe
  - PID 1152 wrote to memory of 1988, 1152, install.exe, netsh.exe
  - PID 1152 wrote to memory of 1988, 1152, install.exe, netsh.exe
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\fa21401f20cba55b974d46788986e56e2e385da3cdd9260872567036a70ce168.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fa21401f20cba55b974d46788986e56e2e385da3cdd9260872567036a70ce168.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Users\Admin\AppData\Roaming\install.exe
    Command line: "C:\Users\Admin\AppData\Roaming\install.exe"
    - Executes dropped EXE
    - Drops startup file
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\install.exe" "install.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\install.exe
  Filesize: 31KB
  MD5: f2599c8241785a47e4a5e54628e15ee2
  SHA1: 6126a67caf537bc201f5e8d56ca83d1d6f094e9a
  SHA256: fa21401f20cba55b974d46788986e56e2e385da3cdd9260872567036a70ce168
  SHA512: e9b84b27669d85de7e9410a02f726024efd24cdad1c8d5840c03f433a97c70b20d1bf4bb3888caea3e82461214f5fb756a7ba9fdb634658b795d11494c872e1a
- \Users\Admin\AppData\Roaming\install.exe
  Filesize: 31KB
  MD5: f2599c8241785a47e4a5e54628e15ee2
  SHA1: 6126a67caf537bc201f5e8d56ca83d1d6f094e9a
  SHA256: fa21401f20cba55b974d46788986e56e2e385da3cdd9260872567036a70ce168
  SHA512: e9b84b27669d85de7e9410a02f726024efd24cdad1c8d5840c03f433a97c70b20d1bf4bb3888caea3e82461214f5fb756a7ba9fdb634658b795d11494c872e1a
- memory/1152-57-0x0000000000000000-mapping.dmp
- memory/1152-61-0x0000000074A80000-0x000000007502B000-memory.dmp
  Filesize: 5.7MB
- memory/1260-54-0x0000000075F61000-0x0000000075F63000-memory.dmp
  Filesize: 8KB
- memory/1260-55-0x0000000074A80000-0x000000007502B000-memory.dmp
  Filesize: 5.7MB
- memory/1988-62-0x0000000000000000-mapping.dmp