Analysis
max time kernel: 186s
max time network: 180s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21-05-2022 10:56
Static task
static1
Behavioral task
behavioral1
Sample
a592ea7e651bdf94a65cd471fcddb7daf1bdc2168164b2008543ebfff9c69f6c.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
a592ea7e651bdf94a65cd471fcddb7daf1bdc2168164b2008543ebfff9c69f6c.exe
Resource
win10v2004-20220414-en
General
Target: a592ea7e651bdf94a65cd471fcddb7daf1bdc2168164b2008543ebfff9c69f6c.exe
Size: 32KB
MD5: 329fb77ef9c38388c146e32148cb29df
SHA1: 0a6b14098dd89f97a27208b37cfb43197b8bc0a8
SHA256: a592ea7e651bdf94a65cd471fcddb7daf1bdc2168164b2008543ebfff9c69f6c
SHA512: 3f561e5f19848c41a3107eacd83445eed36012a5595d5fcebdb37425c3bf49dfc458ae3f999f9bf7da5706d267fec4b8be89681f155149a07f2d229a10926955
Malware Config
Extracted: njrat
Hacked By HiDDen PerSOn
64d9c8cb143e6b529eeac073e6e1e511
reg_key: 64d9c8cb143e6b529eeac073e6e1e511
Signatures
-
Executes dropped EXE (1 IoC)
process: System32.exe, pid 1324
-
Modifies Windows Firewall (1 TTP)
See the netsh.exe command line under Processes: the dropped copy adds itself to the firewall's allowed-program list.
-
Drops startup file (2 IoCs)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\64d9c8cb143e6b529eeac073e6e1e511.exe (process: System32.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\64d9c8cb143e6b529eeac073e6e1e511.exe (process: System32.exe)
-
Loads dropped DLL (1 IoC)
process: a592ea7e651bdf94a65cd471fcddb7daf1bdc2168164b2008543ebfff9c69f6c.exe, pid 912
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\64d9c8cb143e6b529eeac073e6e1e511 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32.exe\" .." (process: System32.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\64d9c8cb143e6b529eeac073e6e1e511 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32.exe\" .." (process: System32.exe)
The value data is the installed path in quotes followed by a space and two dots, njRAT's usual self-start argument; the value name is the same 32-hex identifier used for the reg_key, the Startup-folder file name and the mutex-style ID in the extracted config. The HKLM write succeeded because the sandbox ran the sample with administrative rights; on an unprivileged host only the HKCU value and the Startup-folder copy would land. The Wow6432Node path (and netsh.exe being run from SysWOW64 below) shows the sample is a 32-bit process on the x64 VM.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
The "likely ransomware" wording is the sandbox's generic description for this signature. Nothing else in this report (no file encryption, no ransom note, and a config identified as njrat) supports that reading; treat it as drive enumeration by a RAT, not as evidence of ransomware.
-
Suspicious use of AdjustPrivilegeToken (19 IoCs)
All 19 by System32.exe (pid 1324): SeDebugPrivilege once, then Token 33 and SeIncBasePriorityPrivilege alternating, 9 times each. "33" is the privilege LUID the sandbox leaves unnamed; winnt.h defines 33 as SE_INC_WORKING_SET_PRIVILEGE.
-
Suspicious use of WriteProcessMemory (8 IoCs)
PID 912 (a592ea7e651bdf94a65cd471fcddb7daf1bdc2168164b2008543ebfff9c69f6c.exe) wrote to memory of PID 1324 (System32.exe): 4 events
PID 1324 (System32.exe) wrote to memory of PID 844 (netsh.exe): 4 events
Processes
-
C:\Users\Admin\AppData\Local\Temp\a592ea7e651bdf94a65cd471fcddb7daf1bdc2168164b2008543ebfff9c69f6c.exe (pid 912, depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\a592ea7e651bdf94a65cd471fcddb7daf1bdc2168164b2008543ebfff9c69f6c.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Roaming\System32.exe (pid 1324, depth 2, child of pid 912)
  command line: "C:\Users\Admin\AppData\Roaming\System32.exe"
  - Executes dropped EXE
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\SysWOW64\netsh.exe (pid 844, depth 3, child of pid 1324)
    command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\System32.exe" "System32.exe" ENABLE
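The three persistence artifacts above (the Run value ending in " ..", the 32-hex-named .exe in the Startup folder, and the netsh firewall exception for a binary under the user profile) are easy to turn into host-telemetry detections. The following is an added hunting example written for this page, not part of the sandbox output or of njRAT itself. It assumes Sysmon-like event dicts (registry set, file create, process create); the malicious sample events are copied from the IoCs in this report and the benign ones are constructed noise. The regexes also cover the newer "netsh advfirewall firewall add rule ... program=" form, which this report does not show.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Patterns derived from the IOCs in the report above. They are a hypothetical
# detection set written for this page, not part of the sandbox output.
# njRAT's Run value: the install path in quotes, a space, then two dots.
NJRAT_RUN_DATA = re.compile(r'^"(?P<path>[A-Za-z]:\\[^"]+\.exe)" \.\.$', re.IGNORECASE)
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
RUN_KEY = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\(?P<name>[^\\]+)$",
    re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\(?P<name>[^\\]+)$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Roaming|Local)\\", re.IGNORECASE)
# Legacy "netsh firewall add allowedprogram <path> <name> ENABLE" (as in the report)
# and the newer "netsh advfirewall firewall add rule ... program=<path>" form (assumed, not in the report).
NETSH_ALLOW = re.compile(
    r'netsh(?:\.exe)?\s+(?:firewall\s+add\s+allowedprogram\s+(?:"(?P<legacy_q>[^"]+)"|(?P<legacy>\S+))'
    r'|advfirewall\s+firewall\s+add\s+rule\b.*?program=(?:"(?P<adv_q>[^"]+)"|(?P<adv>\S+)))',
    re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int      # process held responsible (for netsh, its parent)
    image: str
    detail: str


STAGE = {  # which installation stage each rule evidences
    "njrat_run_value_dotdot": "run_key",
    "run_value_hex32_name": "run_key",
    "startup_folder_hex32_exe": "startup_folder",
    "netsh_allow_program_in_user_profile": "firewall",
}


def check_registry_set(ev):
    m = RUN_KEY.search(ev["key"])
    if not m:
        return []
    out = []
    if NJRAT_RUN_DATA.match(ev["data"]):
        out.append(Finding("njrat_run_value_dotdot", ev["pid"], ev["image"], f'{ev["key"]} = {ev["data"]}'))
    if HEX32.match(m.group("name")):
        out.append(Finding("run_value_hex32_name", ev["pid"], ev["image"], m.group("name")))
    return out


def check_file_create(ev):
    m = STARTUP_DIR.search(ev["path"])
    if m and m.group("name").lower().endswith(".exe") and HEX32.match(m.group("name")[:-4]):
        return [Finding("startup_folder_hex32_exe", ev["pid"], ev["image"], ev["path"])]
    return []


def check_process_create(ev):
    m = NETSH_ALLOW.search(ev["cmdline"])
    if not m:
        return []
    program = m.group("legacy_q") or m.group("legacy") or m.group("adv_q") or m.group("adv")
    if USER_WRITABLE.search(program):  # firewall exception for something under a user profile
        return [Finding("netsh_allow_program_in_user_profile", ev["ppid"], ev["parent_image"], ev["cmdline"])]
    return []


CHECKS = {"registry_set": check_registry_set, "file_create": check_file_create,
          "process_create": check_process_create}


def scan(events):
    findings = []
    for ev in events:
        findings.extend(CHECKS.get(ev["type"], lambda _: [])(ev))
    return findings


def correlate(findings):
    """Map pid -> sorted installation stages it evidenced. One process hitting all
    three (firewall, run_key, startup_folder) matches System32.exe's behaviour above."""
    stages = defaultdict(set)
    for f in findings:
        stages[f.pid].add(STAGE[f.rule])
    return {pid: sorted(s) for pid, s in stages.items()}


# Constructed events in a Sysmon-like shape: malicious values copied from the report's IOCs,
# benign ones made up as noise.
RAT = r"C:\Users\Admin\AppData\Roaming\System32.exe"
SAMPLE_EVENTS = [
    {"type": "registry_set", "pid": 1324, "image": RAT,
     "key": r"HKU\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\64d9c8cb143e6b529eeac073e6e1e511",
     "data": r'"C:\Users\Admin\AppData\Roaming\System32.exe" ..'},
    {"type": "registry_set", "pid": 1324, "image": RAT,
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\64d9c8cb143e6b529eeac073e6e1e511",
     "data": r'"C:\Users\Admin\AppData\Roaming\System32.exe" ..'},
    {"type": "file_create", "pid": 1324, "image": RAT,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\64d9c8cb143e6b529eeac073e6e1e511.exe"},
    {"type": "process_create", "pid": 844, "ppid": 1324, "parent_image": RAT,
     "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\System32.exe" "System32.exe" ENABLE'},
    # benign noise: a vendor updater registering itself, and an admin querying netsh
    {"type": "registry_set", "pid": 500, "image": r"C:\Program Files\Vendor\updater.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "data": r'"C:\Program Files\Vendor\updater.exe" /background'},
    {"type": "process_create", "pid": 700, "ppid": 600, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\netsh.exe", "cmdline": "netsh interface ip show config"},
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.rule}] pid={f.pid} {f.image}: {f.detail}")
    print(correlate(found))
```

The netsh finding is attributed to the parent pid rather than to netsh.exe itself, so that it correlates with the registry and file findings of the process that actually installed itself; on this report's data that yields pid 1324 with all three stages and nothing for the benign events.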
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\System32.exe (listed twice in the report, and once more as \Users\Admin\AppData\Roaming\System32.exe)
Filesize: 32KB
MD5: 329fb77ef9c38388c146e32148cb29df
SHA1: 0a6b14098dd89f97a27208b37cfb43197b8bc0a8
SHA256: a592ea7e651bdf94a65cd471fcddb7daf1bdc2168164b2008543ebfff9c69f6c
SHA512: 3f561e5f19848c41a3107eacd83445eed36012a5595d5fcebdb37425c3bf49dfc458ae3f999f9bf7da5706d267fec4b8be89681f155149a07f2d229a10926955
All four hashes match the submitted sample (see General): System32.exe is a byte-identical copy of the original, so any hash-based rule for the sample also covers the installed file.
-
memory/844-62-0x0000000000000000-mapping.dmp
-
memory/912-54-0x00000000753B1000-0x00000000753B3000-memory.dmp
Filesize: 8KB
-
memory/912-55-0x0000000074460000-0x0000000074A0B000-memory.dmp
Filesize: 5.7MB
-
memory/1324-57-0x0000000000000000-mapping.dmp
-
memory/1324-61-0x0000000074460000-0x0000000074A0B000-memory.dmp
Filesize: 5.7MB
The 5.7MB region at 0x74460000-0x74A0B000 is dumped from both pid 912 and pid 1324 at the same address range, as expected for the same image mapped in the parent and its self-copy.