Analysis
- max time kernel: 151s
- max time network: 58s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 06:19
Behavioral task: behavioral1
- Sample: c6084f38c5469e7c5395cd15ebe7ce32c63be1c37a3df55266f44c07029c42de.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: c6084f38c5469e7c5395cd15ebe7ce32c63be1c37a3df55266f44c07029c42de.exe
- Resource: win10v2004-20220414-en
General
- Target: c6084f38c5469e7c5395cd15ebe7ce32c63be1c37a3df55266f44c07029c42de.exe
- Size: 23KB
- MD5: e3d0d1c17ebe317669282b73a51235b0
- SHA1: e63afae6b1df2ffe1fac49ac1fffe14c52e10dec
- SHA256: c6084f38c5469e7c5395cd15ebe7ce32c63be1c37a3df55266f44c07029c42de
- SHA512: 4bdde959b4d82348e4bb610f0e919bba20064fc7348a00c719387f0649596a1615a55ae5037cb0e586b5f9ce1f93454acdcc17554b1ef261aba6a7cacd2a8237
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: kryptokrypto123.ddns.net:5552
- Mutex: c6dfbab76abb2fb1938d3e35b1bb6f3a
- reg_key: c6dfbab76abb2fb1938d3e35b1bb6f3a
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  1064 | Spoofer.exe
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Processes (description | ioc | process):
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c6dfbab76abb2fb1938d3e35b1bb6f3a.exe | Spoofer.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c6dfbab76abb2fb1938d3e35b1bb6f3a.exe | Spoofer.exe
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
  760 | c6084f38c5469e7c5395cd15ebe7ce32c63be1c37a3df55266f44c07029c42de.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\c6dfbab76abb2fb1938d3e35b1bb6f3a = "\"C:\\Users\\Admin\\Spoofer.exe\" .." | Spoofer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\c6dfbab76abb2fb1938d3e35b1bb6f3a = "\"C:\\Users\\Admin\\Spoofer.exe\" .." | Spoofer.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (17 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 1064 | Spoofer.exe
  Token: 33 | 1064 | Spoofer.exe (8 occurrences, alternating with the next entry)
  Token: SeIncBasePriorityPrivilege | 1064 | Spoofer.exe (8 occurrences)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description | pid | process | target process):
  PID 760 wrote to memory of 1064 | 760 | c6084f38c5469e7c5395cd15ebe7ce32c63be1c37a3df55266f44c07029c42de.exe | Spoofer.exe (4 occurrences)
  PID 1064 wrote to memory of 2032 | 1064 | Spoofer.exe | netsh.exe (4 occurrences)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\c6084f38c5469e7c5395cd15ebe7ce32c63be1c37a3df55266f44c07029c42de.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c6084f38c5469e7c5395cd15ebe7ce32c63be1c37a3df55266f44c07029c42de.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\Spoofer.exe
    Command line: "C:\Users\Admin\Spoofer.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\Spoofer.exe" "Spoofer.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Spoofer.exe (listed twice in the report)
  Filesize: 23KB
  MD5: e3d0d1c17ebe317669282b73a51235b0
  SHA1: e63afae6b1df2ffe1fac49ac1fffe14c52e10dec
  SHA256: c6084f38c5469e7c5395cd15ebe7ce32c63be1c37a3df55266f44c07029c42de
  SHA512: 4bdde959b4d82348e4bb610f0e919bba20064fc7348a00c719387f0649596a1615a55ae5037cb0e586b5f9ce1f93454acdcc17554b1ef261aba6a7cacd2a8237
- \Users\Admin\Spoofer.exe
  Filesize: 23KB
  MD5: e3d0d1c17ebe317669282b73a51235b0
  SHA1: e63afae6b1df2ffe1fac49ac1fffe14c52e10dec
  SHA256: c6084f38c5469e7c5395cd15ebe7ce32c63be1c37a3df55266f44c07029c42de
  SHA512: 4bdde959b4d82348e4bb610f0e919bba20064fc7348a00c719387f0649596a1615a55ae5037cb0e586b5f9ce1f93454acdcc17554b1ef261aba6a7cacd2a8237
- memory/760-54-0x0000000076851000-0x0000000076853000-memory.dmp
  Filesize: 8KB
- memory/760-55-0x0000000075000000-0x00000000755AB000-memory.dmp
  Filesize: 5.7MB
- memory/1064-57-0x0000000000000000-mapping.dmp
- memory/1064-61-0x0000000075000000-0x00000000755AB000-memory.dmp
  Filesize: 5.7MB
- memory/2032-62-0x0000000000000000-mapping.dmp