Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 00:20
Behavioral task: behavioral1
- Sample: 3e49ee97714da6fdde1963624b2fdfa24a368c68a151630276b272163ce43f9d.exe
- Resource: win7-20220414-en
General
- Target: 3e49ee97714da6fdde1963624b2fdfa24a368c68a151630276b272163ce43f9d.exe
- Size: 31KB
- MD5: 4c3fe802909235ddb4202eda5ead4d1e
- SHA1: 1e6f88ead6df2d9f1c99e037f2a6141bcf65aa59
- SHA256: 3e49ee97714da6fdde1963624b2fdfa24a368c68a151630276b272163ce43f9d
- SHA512: 845c1fb3bea189e927df5b3e04eb87744eec04cabbc07d86a5760749613876858aab7a1a3bdf58973dbbc0a0f7851644c399b6771125e0ca7d5be7c1250f966d
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: q
- C2: 192.168.1.3:7777
- Mutex: ad0e8fb502ecf928942daab540ba981e
- reg_key: ad0e8fb502ecf928942daab540ba981e
- splitter: Y262SUCZ4UJJ
Signatures
- Executes dropped EXE (1 IoC)
  Processes: pid 1056 jawa.exe
- Modifies Windows Firewall (1 TTP)
- Loads dropped DLL (1 IoC)
  Processes: pid 892 3e49ee97714da6fdde1963624b2fdfa24a368c68a151630276b272163ce43f9d.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: pid 892 3e49ee97714da6fdde1963624b2fdfa24a368c68a151630276b272163ce43f9d.exe (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (20 IoCs)
  Processes (token, pid, process):
  SeDebugPrivilege, 892, 3e49ee97714da6fdde1963624b2fdfa24a368c68a151630276b272163ce43f9d.exe
  SeDebugPrivilege, 1056, jawa.exe
  33, 1056, jawa.exe (9 entries)
  SeIncBasePriorityPrivilege, 1056, jawa.exe (9 entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (pid, process -> target pid, target process):
  892 3e49ee97714da6fdde1963624b2fdfa24a368c68a151630276b272163ce43f9d.exe wrote to memory of 1056 jawa.exe (4 entries)
  1056 jawa.exe wrote to memory of 944 netsh.exe (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\3e49ee97714da6fdde1963624b2fdfa24a368c68a151630276b272163ce43f9d.exe (pid 892)
   Command line: "C:\Users\Admin\AppData\Local\Temp\3e49ee97714da6fdde1963624b2fdfa24a368c68a151630276b272163ce43f9d.exe"
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\jawa.exe (pid 1056, child of 892)
      Command line: "C:\Users\Admin\AppData\Roaming\jawa.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (pid 944, child of 1056)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\jawa.exe" "jawa.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\jawa.exe
  Filesize: 31KB
  MD5: 4c3fe802909235ddb4202eda5ead4d1e
  SHA1: 1e6f88ead6df2d9f1c99e037f2a6141bcf65aa59
  SHA256: 3e49ee97714da6fdde1963624b2fdfa24a368c68a151630276b272163ce43f9d
  SHA512: 845c1fb3bea189e927df5b3e04eb87744eec04cabbc07d86a5760749613876858aab7a1a3bdf58973dbbc0a0f7851644c399b6771125e0ca7d5be7c1250f966d
  (hashes are identical to those of the submitted sample, so the dropped jawa.exe is a copy of it)
- \Users\Admin\AppData\Roaming\jawa.exe (same file, path recorded without drive letter)
  Filesize: 31KB
  MD5: 4c3fe802909235ddb4202eda5ead4d1e
  SHA1: 1e6f88ead6df2d9f1c99e037f2a6141bcf65aa59
  SHA256: 3e49ee97714da6fdde1963624b2fdfa24a368c68a151630276b272163ce43f9d
  SHA512: 845c1fb3bea189e927df5b3e04eb87744eec04cabbc07d86a5760749613876858aab7a1a3bdf58973dbbc0a0f7851644c399b6771125e0ca7d5be7c1250f966d
- memory/892-54-0x0000000076561000-0x0000000076563000-memory.dmp
  Filesize: 8KB
- memory/892-55-0x0000000074BD0000-0x000000007517B000-memory.dmp
  Filesize: 5.7MB
- memory/944-62-0x0000000000000000-mapping.dmp
- memory/1056-57-0x0000000000000000-mapping.dmp
- memory/1056-61-0x0000000074BD0000-0x000000007517B000-memory.dmp
  Filesize: 5.7MB