Analysis
- max time kernel: 150s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 18:48
Static task: static1
Behavioral task: behavioral1
- Sample: 3780704d28e73654b31a312c7887a202f3b28a15046d0a314f1ba0373e5362dd.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 3780704d28e73654b31a312c7887a202f3b28a15046d0a314f1ba0373e5362dd.exe
- Resource: win10v2004-20220414-en
General
- Target: 3780704d28e73654b31a312c7887a202f3b28a15046d0a314f1ba0373e5362dd.exe
- Size: 69KB
- MD5: 04ee19dcd3079ca37c8f829d2b30513f
- SHA1: 185f80cc3e7aa3ca8148bc83f240d3789d7e0706
- SHA256: 3780704d28e73654b31a312c7887a202f3b28a15046d0a314f1ba0373e5362dd
- SHA512: 1d9ed9e96d4c0ef1aae4aa6c5e5bbbb6ac11f8c8eb9369134aea962caa652469c2a35ba2a961411071bb9dfba8485fee1827f9633217d2947744261ed08a9da5
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: testsevaer.kro.kr:6335
- Mutex: 257e54d5487aae3e024df308f1deeed9
- Attributes:
  - reg_key: 257e54d5487aae3e024df308f1deeed9
  - splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    952  V3Lite.exe
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\257e54d5487aae3e024df308f1deeed9.exe  (V3Lite.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\257e54d5487aae3e024df308f1deeed9.exe  (V3Lite.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Set value (str): \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\257e54d5487aae3e024df308f1deeed9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\V3Lite.exe\" .."  (V3Lite.exe)
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\257e54d5487aae3e024df308f1deeed9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\V3Lite.exe\" .."  (V3Lite.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (20 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  1224  3780704d28e73654b31a312c7887a202f3b28a15046d0a314f1ba0373e5362dd.exe
    Token: SeDebugPrivilege  952  V3Lite.exe
    Token: 33  952  V3Lite.exe
    Token: SeIncBasePriorityPrivilege  952  V3Lite.exe
    (the last two entries alternate nine times in the report, accounting for 18 of the 20 IoCs)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 1224 wrote to memory of 952  1224  3780704d28e73654b31a312c7887a202f3b28a15046d0a314f1ba0373e5362dd.exe  V3Lite.exe  (listed 3 times)
    PID 952 wrote to memory of 1680  952  V3Lite.exe  netsh.exe  (listed 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\3780704d28e73654b31a312c7887a202f3b28a15046d0a314f1ba0373e5362dd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3780704d28e73654b31a312c7887a202f3b28a15046d0a314f1ba0373e5362dd.exe"
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\V3Lite.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\V3Lite.exe"
    Signatures:
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\V3Lite.exe" "V3Lite.exe" ENABLE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\V3Lite.exe
  - Filesize: 69KB
  - MD5: 04ee19dcd3079ca37c8f829d2b30513f
  - SHA1: 185f80cc3e7aa3ca8148bc83f240d3789d7e0706
  - SHA256: 3780704d28e73654b31a312c7887a202f3b28a15046d0a314f1ba0373e5362dd
  - SHA512: 1d9ed9e96d4c0ef1aae4aa6c5e5bbbb6ac11f8c8eb9369134aea962caa652469c2a35ba2a961411071bb9dfba8485fee1827f9633217d2947744261ed08a9da5
- memory/952-56-0x0000000000000000-mapping.dmp
- memory/952-59-0x0000000001210000-0x0000000001220000-memory.dmp
  - Filesize: 64KB
- memory/952-60-0x000007FEFBFB1000-0x000007FEFBFB3000-memory.dmp
  - Filesize: 8KB
- memory/1224-54-0x00000000002B0000-0x00000000002C0000-memory.dmp
  - Filesize: 64KB
- memory/1224-55-0x00000000002A0000-0x00000000002AC000-memory.dmp
  - Filesize: 48KB
- memory/1680-61-0x0000000000000000-mapping.dmp