Analysis
max time kernel: 150s
max time network: 191s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21-05-2022 00:07
Behavioral task: behavioral1
Sample: be4e51ecca7a9cfb5ca39240ce27beea314be89af2bbf40dd4d5b2a8d3203c98.exe
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: be4e51ecca7a9cfb5ca39240ce27beea314be89af2bbf40dd4d5b2a8d3203c98.exe
Resource: win10v2004-20220414-en
General
Target: be4e51ecca7a9cfb5ca39240ce27beea314be89af2bbf40dd4d5b2a8d3203c98.exe
Size: 31KB
MD5: 18fd235145f8ab58e1459ca717da16f8
SHA1: feccaf6747cbcb7d4adcec37886f107ed4135597
SHA256: be4e51ecca7a9cfb5ca39240ce27beea314be89af2bbf40dd4d5b2a8d3203c98
SHA512: 0df79707f6d2b26d06c47827f8207b1c74322483676b7d7be72d28bb8bae6c54b2cef8c8ade5360fe87b6f21af0418b4bb87f0ee76ad42a2eb4e329dd3a44f45
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: Faust
C2: 192.168.88.12:7777
Mutex: 77beb3e67b10486d166a5b0f147439dc
reg_key: 77beb3e67b10486d166a5b0f147439dc
splitter: Y262SUCZ4UJJ
Signatures

Executes dropped EXE (1 IoC)
Processes (pid, process):
  1732  AF.exe

Modifies Windows Firewall (1 TTP)

Drops startup file (2 IoCs)
Processes (description, ioc, process):
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\77beb3e67b10486d166a5b0f147439dc.exe  AF.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\77beb3e67b10486d166a5b0f147439dc.exe  AF.exe

Loads dropped DLL (1 IoC)
Processes (pid, process):
  1304  be4e51ecca7a9cfb5ca39240ce27beea314be89af2bbf40dd4d5b2a8d3203c98.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description, ioc, process):
  Set value (str)  \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\77beb3e67b10486d166a5b0f147439dc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AF.exe\" .."  AF.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\77beb3e67b10486d166a5b0f147439dc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AF.exe\" .."  AF.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (17 IoCs)
Processes (description, pid, process):
  Token: SeDebugPrivilege            1732  AF.exe
  Token: 33                          1732  AF.exe  (8 occurrences)
  Token: SeIncBasePriorityPrivilege  1732  AF.exe  (8 occurrences)

Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description, pid, process, target process):
  PID 1304 wrote to memory of 1732  1304  be4e51ecca7a9cfb5ca39240ce27beea314be89af2bbf40dd4d5b2a8d3203c98.exe  AF.exe  (4 occurrences)
  PID 1732 wrote to memory of 1688  1732  AF.exe  netsh.exe  (4 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\be4e51ecca7a9cfb5ca39240ce27beea314be89af2bbf40dd4d5b2a8d3203c98.exe (PID 1304)
   Command line: "C:\Users\Admin\AppData\Local\Temp\be4e51ecca7a9cfb5ca39240ce27beea314be89af2bbf40dd4d5b2a8d3203c98.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\AF.exe (PID 1732)
      Command line: "C:\Users\Admin\AppData\Local\Temp\AF.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (PID 1688)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\AF.exe" "AF.exe" ENABLE
Downloads

C:\Users\Admin\AppData\Local\Temp\AF.exe
  Filesize: 31KB
  MD5: 18fd235145f8ab58e1459ca717da16f8
  SHA1: feccaf6747cbcb7d4adcec37886f107ed4135597
  SHA256: be4e51ecca7a9cfb5ca39240ce27beea314be89af2bbf40dd4d5b2a8d3203c98
  SHA512: 0df79707f6d2b26d06c47827f8207b1c74322483676b7d7be72d28bb8bae6c54b2cef8c8ade5360fe87b6f21af0418b4bb87f0ee76ad42a2eb4e329dd3a44f45

\Users\Admin\AppData\Local\Temp\AF.exe
  Filesize: 31KB
  MD5: 18fd235145f8ab58e1459ca717da16f8
  SHA1: feccaf6747cbcb7d4adcec37886f107ed4135597
  SHA256: be4e51ecca7a9cfb5ca39240ce27beea314be89af2bbf40dd4d5b2a8d3203c98
  SHA512: 0df79707f6d2b26d06c47827f8207b1c74322483676b7d7be72d28bb8bae6c54b2cef8c8ade5360fe87b6f21af0418b4bb87f0ee76ad42a2eb4e329dd3a44f45

memory/1304-54-0x0000000076531000-0x0000000076533000-memory.dmp
  Filesize: 8KB

memory/1304-55-0x0000000074AE0000-0x000000007508B000-memory.dmp
  Filesize: 5.7MB

memory/1688-62-0x0000000000000000-mapping.dmp

memory/1732-57-0x0000000000000000-mapping.dmp

memory/1732-61-0x0000000074AE0000-0x000000007508B000-memory.dmp
  Filesize: 5.7MB