Analysis
- max time kernel: 151s
- max time network: 65s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 10:56
Behavioral task behavioral1
- Sample: b2d8f78612e7a3ec0f5aacaafa031904368b19899eeac158ed93a00bbdc243cb.exe
- Resource: win7-20220414-en
Behavioral task behavioral2
- Sample: b2d8f78612e7a3ec0f5aacaafa031904368b19899eeac158ed93a00bbdc243cb.exe
- Resource: win10v2004-20220414-en
General
- Target: b2d8f78612e7a3ec0f5aacaafa031904368b19899eeac158ed93a00bbdc243cb.exe
- Size: 23KB
- MD5: 62613fd09b9acaba8a27dd636fbfcd86
- SHA1: 1c3a7ef93cea4d7d3829f2f35ffb5ba60f64266a
- SHA256: b2d8f78612e7a3ec0f5aacaafa031904368b19899eeac158ed93a00bbdc243cb
- SHA512: 23a21797c1a6a108373fb96006679e394a32e5a0e91062abe8127bbf69827415c341056455537d0a334ef7849e972a0130b300a11bffa8f79a1ad226dc69d8f5
Malware Config
Extracted
- njrat
- 0.7d
- Got em
- drontchanging-24954.portmap.io:24954
- 0f4e54c4009d96e7c18f12042dfb80d6
- reg_key: 0f4e54c4009d96e7c18f12042dfb80d6
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: windows.exe
  pid 1396, process windows.exe
- Modifies Windows Firewall (1 TTPs)
- Drops startup file (2 IoCs)
  Processes: windows.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0f4e54c4009d96e7c18f12042dfb80d6.exe (process windows.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0f4e54c4009d96e7c18f12042dfb80d6.exe (process windows.exe)
- Loads dropped DLL (1 IoCs)
  Processes: b2d8f78612e7a3ec0f5aacaafa031904368b19899eeac158ed93a00bbdc243cb.exe
  pid 284, process b2d8f78612e7a3ec0f5aacaafa031904368b19899eeac158ed93a00bbdc243cb.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: windows.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\0f4e54c4009d96e7c18f12042dfb80d6 = "\"C:\\Users\\Admin\\AppData\\Roaming\\windows.exe\" .." (process windows.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\0f4e54c4009d96e7c18f12042dfb80d6 = "\"C:\\Users\\Admin\\AppData\\Roaming\\windows.exe\" .." (process windows.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (15 IoCs)
  Processes: windows.exe
  Token: SeDebugPrivilege, pid 1396, process windows.exe
  Token: 33, pid 1396, process windows.exe
  Token: SeIncBasePriorityPrivilege, pid 1396, process windows.exe
  Token: 33, pid 1396, process windows.exe
  Token: SeIncBasePriorityPrivilege, pid 1396, process windows.exe
  Token: 33, pid 1396, process windows.exe
  Token: SeIncBasePriorityPrivilege, pid 1396, process windows.exe
  Token: 33, pid 1396, process windows.exe
  Token: SeIncBasePriorityPrivilege, pid 1396, process windows.exe
  Token: 33, pid 1396, process windows.exe
  Token: SeIncBasePriorityPrivilege, pid 1396, process windows.exe
  Token: 33, pid 1396, process windows.exe
  Token: SeIncBasePriorityPrivilege, pid 1396, process windows.exe
  Token: 33, pid 1396, process windows.exe
  Token: SeIncBasePriorityPrivilege, pid 1396, process windows.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: b2d8f78612e7a3ec0f5aacaafa031904368b19899eeac158ed93a00bbdc243cb.exe, windows.exe
  PID 284 wrote to memory of 1396 (pid 284, process b2d8f78612e7a3ec0f5aacaafa031904368b19899eeac158ed93a00bbdc243cb.exe, target process windows.exe)
  PID 284 wrote to memory of 1396 (pid 284, process b2d8f78612e7a3ec0f5aacaafa031904368b19899eeac158ed93a00bbdc243cb.exe, target process windows.exe)
  PID 284 wrote to memory of 1396 (pid 284, process b2d8f78612e7a3ec0f5aacaafa031904368b19899eeac158ed93a00bbdc243cb.exe, target process windows.exe)
  PID 284 wrote to memory of 1396 (pid 284, process b2d8f78612e7a3ec0f5aacaafa031904368b19899eeac158ed93a00bbdc243cb.exe, target process windows.exe)
  PID 1396 wrote to memory of 1744 (pid 1396, process windows.exe, target process netsh.exe)
  PID 1396 wrote to memory of 1744 (pid 1396, process windows.exe, target process netsh.exe)
  PID 1396 wrote to memory of 1744 (pid 1396, process windows.exe, target process netsh.exe)
  PID 1396 wrote to memory of 1744 (pid 1396, process windows.exe, target process netsh.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\b2d8f78612e7a3ec0f5aacaafa031904368b19899eeac158ed93a00bbdc243cb.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b2d8f78612e7a3ec0f5aacaafa031904368b19899eeac158ed93a00bbdc243cb.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Roaming\windows.exe
     Command line: "C:\Users\Admin\AppData\Roaming\windows.exe"
     - Executes dropped EXE
     - Drops startup file
     - Adds Run key to start application
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory
    3. C:\Windows\SysWOW64\netsh.exe
       Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\windows.exe" "windows.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\windows.exe
  Filesize: 23KB
  MD5: 62613fd09b9acaba8a27dd636fbfcd86
  SHA1: 1c3a7ef93cea4d7d3829f2f35ffb5ba60f64266a
  SHA256: b2d8f78612e7a3ec0f5aacaafa031904368b19899eeac158ed93a00bbdc243cb
  SHA512: 23a21797c1a6a108373fb96006679e394a32e5a0e91062abe8127bbf69827415c341056455537d0a334ef7849e972a0130b300a11bffa8f79a1ad226dc69d8f5
- \Users\Admin\AppData\Roaming\windows.exe
  Filesize: 23KB
  MD5: 62613fd09b9acaba8a27dd636fbfcd86
  SHA1: 1c3a7ef93cea4d7d3829f2f35ffb5ba60f64266a
  SHA256: b2d8f78612e7a3ec0f5aacaafa031904368b19899eeac158ed93a00bbdc243cb
  SHA512: 23a21797c1a6a108373fb96006679e394a32e5a0e91062abe8127bbf69827415c341056455537d0a334ef7849e972a0130b300a11bffa8f79a1ad226dc69d8f5
- memory/284-54-0x00000000763E1000-0x00000000763E3000-memory.dmp
  Filesize: 8KB
- memory/284-55-0x0000000074660000-0x0000000074C0B000-memory.dmp
  Filesize: 5.7MB
- memory/1396-57-0x0000000000000000-mapping.dmp
- memory/1396-61-0x0000000074660000-0x0000000074C0B000-memory.dmp
  Filesize: 5.7MB
- memory/1744-62-0x0000000000000000-mapping.dmp