Analysis
- max time kernel: 151s
- max time network: 84s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 06:08
Behavioral task: behavioral1
- Sample: 201572ea222e3606c98da1c10781b570e75cdd1256c75eb5c0776490fe76694e.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 201572ea222e3606c98da1c10781b570e75cdd1256c75eb5c0776490fe76694e.exe
- Resource: win10v2004-20220414-en
General
- Target: 201572ea222e3606c98da1c10781b570e75cdd1256c75eb5c0776490fe76694e.exe
- Size: 23KB
- MD5: be031938826435311f1932068d552001
- SHA1: b6b74fbf870c13bb08d151c8aebcca8ac9c4a048
- SHA256: 201572ea222e3606c98da1c10781b570e75cdd1256c75eb5c0776490fe76694e
- SHA512: bb39cfef7b1cdf77f3a49aac41f46464269f7e959d2cba227519a1d23217960a3f9249ee48581ad40deed1c0597eb3e59aff5dbcd55cb33de0b1b00c6a25903a
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: must123123.ddns.net:5571
- Mutex: 2fd4177f9bfdf03e6833100ad58e5a3b
- reg_key: 2fd4177f9bfdf03e6833100ad58e5a3b
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes: system.exe (pid 1324)
- Modifies Windows Firewall (1 TTP)
- Loads dropped DLL (1 IoC)
  Processes: 201572ea222e3606c98da1c10781b570e75cdd1256c75eb5c0776490fe76694e.exe (pid 1656)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\2fd4177f9bfdf03e6833100ad58e5a3b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\system.exe\" .." | system.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\2fd4177f9bfdf03e6833100ad58e5a3b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\system.exe\" .." | system.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (15 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 1324 | system.exe
  Token: 33 | 1324 | system.exe
  Token: SeIncBasePriorityPrivilege | 1324 | system.exe
  Token: 33 | 1324 | system.exe
  Token: SeIncBasePriorityPrivilege | 1324 | system.exe
  Token: 33 | 1324 | system.exe
  Token: SeIncBasePriorityPrivilege | 1324 | system.exe
  Token: 33 | 1324 | system.exe
  Token: SeIncBasePriorityPrivilege | 1324 | system.exe
  Token: 33 | 1324 | system.exe
  Token: SeIncBasePriorityPrivilege | 1324 | system.exe
  Token: 33 | 1324 | system.exe
  Token: SeIncBasePriorityPrivilege | 1324 | system.exe
  Token: 33 | 1324 | system.exe
  Token: SeIncBasePriorityPrivilege | 1324 | system.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description | pid | process | target process):
  PID 1656 wrote to memory of 1324 | 1656 | 201572ea222e3606c98da1c10781b570e75cdd1256c75eb5c0776490fe76694e.exe | system.exe
  PID 1656 wrote to memory of 1324 | 1656 | 201572ea222e3606c98da1c10781b570e75cdd1256c75eb5c0776490fe76694e.exe | system.exe
  PID 1656 wrote to memory of 1324 | 1656 | 201572ea222e3606c98da1c10781b570e75cdd1256c75eb5c0776490fe76694e.exe | system.exe
  PID 1656 wrote to memory of 1324 | 1656 | 201572ea222e3606c98da1c10781b570e75cdd1256c75eb5c0776490fe76694e.exe | system.exe
  PID 1324 wrote to memory of 952 | 1324 | system.exe | netsh.exe
  PID 1324 wrote to memory of 952 | 1324 | system.exe | netsh.exe
  PID 1324 wrote to memory of 952 | 1324 | system.exe | netsh.exe
  PID 1324 wrote to memory of 952 | 1324 | system.exe | netsh.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\201572ea222e3606c98da1c10781b570e75cdd1256c75eb5c0776490fe76694e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\201572ea222e3606c98da1c10781b570e75cdd1256c75eb5c0776490fe76694e.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\system.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\system.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\system.exe" "system.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\system.exe
  Filesize: 23KB
  MD5: be031938826435311f1932068d552001
  SHA1: b6b74fbf870c13bb08d151c8aebcca8ac9c4a048
  SHA256: 201572ea222e3606c98da1c10781b570e75cdd1256c75eb5c0776490fe76694e
  SHA512: bb39cfef7b1cdf77f3a49aac41f46464269f7e959d2cba227519a1d23217960a3f9249ee48581ad40deed1c0597eb3e59aff5dbcd55cb33de0b1b00c6a25903a
- \Users\Admin\AppData\Local\Temp\system.exe
  Filesize: 23KB
  MD5: be031938826435311f1932068d552001
  SHA1: b6b74fbf870c13bb08d151c8aebcca8ac9c4a048
  SHA256: 201572ea222e3606c98da1c10781b570e75cdd1256c75eb5c0776490fe76694e
  SHA512: bb39cfef7b1cdf77f3a49aac41f46464269f7e959d2cba227519a1d23217960a3f9249ee48581ad40deed1c0597eb3e59aff5dbcd55cb33de0b1b00c6a25903a
- memory/952-62-0x0000000000000000-mapping.dmp
- memory/1324-57-0x0000000000000000-mapping.dmp
- memory/1324-61-0x00000000744D0000-0x0000000074A7B000-memory.dmp
  Filesize: 5.7MB
- memory/1656-54-0x0000000075361000-0x0000000075363000-memory.dmp
  Filesize: 8KB
- memory/1656-55-0x00000000744D0000-0x0000000074A7B000-memory.dmp
  Filesize: 5.7MB