Analysis
Max time kernel: 143s
Max time network: 140s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 24-05-2022 16:35
Static task: static1
Behavioral task: behavioral1
  Sample: b39589d6427aa2666b54f1b09cfeae25fd62c135293688cc91e854ac3097a898.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: b39589d6427aa2666b54f1b09cfeae25fd62c135293688cc91e854ac3097a898.exe
  Resource: win10v2004-20220414-en
General
Target: b39589d6427aa2666b54f1b09cfeae25fd62c135293688cc91e854ac3097a898.exe
Size: 32KB
MD5: e2e21e957f11bdeece53d32ef7a87200
SHA1: 163e343f1145112c70b9dfb769e1edd95aeea727
SHA256: b39589d6427aa2666b54f1b09cfeae25fd62c135293688cc91e854ac3097a898
SHA512: dd3befe3490377cb89a56b7096f9c0cf77632656940b0c8153d50b28d1e030fcd624a1ecb5b99e9248ef3f086505753778997fdf7b7f15d3855279781a9154da
Malware Config
Extracted: njrat
  Hacked By HiDDen PerSOn
  4bdd702755ab14d7cb87b9060eac7a2c
  reg_key: 4bdd702755ab14d7cb87b9060eac7a2c
Signatures
Executes dropped EXE (1 IoCs)
  Processes:
    pid 952  System32.exe
Modifies Windows Firewall (1 TTPs)
Drops startup file (2 IoCs)
  Processes:
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4bdd702755ab14d7cb87b9060eac7a2c.exe  (System32.exe)
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4bdd702755ab14d7cb87b9060eac7a2c.exe  (System32.exe)
Loads dropped DLL (1 IoCs)
  Processes:
    pid 1036  b39589d6427aa2666b54f1b09cfeae25fd62c135293688cc91e854ac3097a898.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    Set value (str)  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\4bdd702755ab14d7cb87b9060eac7a2c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System32.exe\" .."  (System32.exe)
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\4bdd702755ab14d7cb87b9060eac7a2c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System32.exe\" .."  (System32.exe)
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (17 IoCs)
  Processes:
    Token: SeDebugPrivilege  pid 952  System32.exe
    Token: 33  pid 952  System32.exe
    Token: SeIncBasePriorityPrivilege  pid 952  System32.exe
    Token: 33  pid 952  System32.exe
    Token: SeIncBasePriorityPrivilege  pid 952  System32.exe
    Token: 33  pid 952  System32.exe
    Token: SeIncBasePriorityPrivilege  pid 952  System32.exe
    Token: 33  pid 952  System32.exe
    Token: SeIncBasePriorityPrivilege  pid 952  System32.exe
    Token: 33  pid 952  System32.exe
    Token: SeIncBasePriorityPrivilege  pid 952  System32.exe
    Token: 33  pid 952  System32.exe
    Token: SeIncBasePriorityPrivilege  pid 952  System32.exe
    Token: 33  pid 952  System32.exe
    Token: SeIncBasePriorityPrivilege  pid 952  System32.exe
    Token: 33  pid 952  System32.exe
    Token: SeIncBasePriorityPrivilege  pid 952  System32.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    PID 1036 wrote to memory of 952  (b39589d6427aa2666b54f1b09cfeae25fd62c135293688cc91e854ac3097a898.exe -> System32.exe)
    PID 1036 wrote to memory of 952  (b39589d6427aa2666b54f1b09cfeae25fd62c135293688cc91e854ac3097a898.exe -> System32.exe)
    PID 1036 wrote to memory of 952  (b39589d6427aa2666b54f1b09cfeae25fd62c135293688cc91e854ac3097a898.exe -> System32.exe)
    PID 1036 wrote to memory of 952  (b39589d6427aa2666b54f1b09cfeae25fd62c135293688cc91e854ac3097a898.exe -> System32.exe)
    PID 952 wrote to memory of 1244  (System32.exe -> netsh.exe)
    PID 952 wrote to memory of 1244  (System32.exe -> netsh.exe)
    PID 952 wrote to memory of 1244  (System32.exe -> netsh.exe)
    PID 952 wrote to memory of 1244  (System32.exe -> netsh.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\b39589d6427aa2666b54f1b09cfeae25fd62c135293688cc91e854ac3097a898.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b39589d6427aa2666b54f1b09cfeae25fd62c135293688cc91e854ac3097a898.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\System32.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\System32.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\System32.exe" "System32.exe" ENABLE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\AppData\Local\Temp\System32.exe
  Filesize: 32KB
  MD5: e2e21e957f11bdeece53d32ef7a87200
  SHA1: 163e343f1145112c70b9dfb769e1edd95aeea727
  SHA256: b39589d6427aa2666b54f1b09cfeae25fd62c135293688cc91e854ac3097a898
  SHA512: dd3befe3490377cb89a56b7096f9c0cf77632656940b0c8153d50b28d1e030fcd624a1ecb5b99e9248ef3f086505753778997fdf7b7f15d3855279781a9154da
\Users\Admin\AppData\Local\Temp\System32.exe
  Filesize: 32KB
  MD5: e2e21e957f11bdeece53d32ef7a87200
  SHA1: 163e343f1145112c70b9dfb769e1edd95aeea727
  SHA256: b39589d6427aa2666b54f1b09cfeae25fd62c135293688cc91e854ac3097a898
  SHA512: dd3befe3490377cb89a56b7096f9c0cf77632656940b0c8153d50b28d1e030fcd624a1ecb5b99e9248ef3f086505753778997fdf7b7f15d3855279781a9154da
memory/952-57-0x0000000000000000-mapping.dmp
memory/952-61-0x00000000745C0000-0x0000000074B6B000-memory.dmp
  Filesize: 5.7MB
memory/1036-54-0x0000000075941000-0x0000000075943000-memory.dmp
  Filesize: 8KB
memory/1036-55-0x00000000745C0000-0x0000000074B6B000-memory.dmp
  Filesize: 5.7MB
memory/1244-62-0x0000000000000000-mapping.dmp