Analysis
- max time kernel: 165s
- max time network: 88s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 24-05-2022 18:25
Behavioral task: behavioral1
- Sample: 431cba1cfb123d9f7cd3d1bbf91a66ea1cc1f4d8a30f86d794ed75d1b521664d.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 431cba1cfb123d9f7cd3d1bbf91a66ea1cc1f4d8a30f86d794ed75d1b521664d.exe
- Resource: win10v2004-20220414-en
General
- Target: 431cba1cfb123d9f7cd3d1bbf91a66ea1cc1f4d8a30f86d794ed75d1b521664d.exe
- Size: 23KB
- MD5: 4ea1665eb888da8c049a453acc38b547
- SHA1: 211a4143dc0b7daa35c325b8c7d75a4bb21eca58
- SHA256: 431cba1cfb123d9f7cd3d1bbf91a66ea1cc1f4d8a30f86d794ed75d1b521664d
- SHA512: 59a137aaecc7cb74a1dec3969670c68bfde376c319b0df735eb13a8dca4b3999bbada2b9c867483ead4c3cb4f180f812b31b8053808b5ba829b1fc001d0ae9dc
Malware Config
- Extracted: njrat
- Version: 0.7d
- Campaign: YOUTUBE
- C2: fnhost1.ddns.net:1177
- reg_key: 1bd172ac77b29bf1fd15d0de8a995ae1
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Process: chrome.exe (PID 960)
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1bd172ac77b29bf1fd15d0de8a995ae1.exe (by chrome.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1bd172ac77b29bf1fd15d0de8a995ae1.exe (by chrome.exe)
- Loads dropped DLL (1 IoC)
  Process: 431cba1cfb123d9f7cd3d1bbf91a66ea1cc1f4d8a30f86d794ed75d1b521664d.exe (PID 1008)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\1bd172ac77b29bf1fd15d0de8a995ae1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome.exe\" .." (by chrome.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\1bd172ac77b29bf1fd15d0de8a995ae1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome.exe\" .." (by chrome.exe)
  The Run value name and the Startup-folder filename are both the reg_key from the extracted njRAT config; the HKLM entry lands under Wow6432Node because the 32-bit payload is writing on an x64 host.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (15 IoCs)
  Process: chrome.exe (PID 960). Token: SeDebugPrivilege once, then Token: 33 and Token: SeIncBasePriorityPrivilege alternating seven times each.
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1008 (431cba1cfb123d9f7cd3d1bbf91a66ea1cc1f4d8a30f86d794ed75d1b521664d.exe) wrote to memory of PID 960 (chrome.exe), 4 times.
  PID 960 (chrome.exe) wrote to memory of PID 1728 (netsh.exe), 4 times.
Processes (depth in brackets)
[1] C:\Users\Admin\AppData\Local\Temp\431cba1cfb123d9f7cd3d1bbf91a66ea1cc1f4d8a30f86d794ed75d1b521664d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\431cba1cfb123d9f7cd3d1bbf91a66ea1cc1f4d8a30f86d794ed75d1b521664d.exe"
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\chrome.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
      Signatures: Executes dropped EXE; Drops startup file; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\chrome.exe" "chrome.exe" ENABLE
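The three behaviours the process tree exposes (a Run key pointing into a user's %TEMP%, a copy dropped in the Startup folder under the same name, and a `netsh` call whitelisting that copy in the firewall) are exactly what a triage script should pick out of sandbox events. The following is an added example, not part of the sandbox report: it runs simple detections over event records constructed from the entries above (the record layout `kind`/`path`/`value`/`cmdline`/`process` is this script's own convention, not a real sandbox schema) and cross-checks the Run value name against the extracted `reg_key`. The netsh pattern is generalised to also catch the newer `netsh advfirewall firewall add rule` form, which this sample does not use.

```python
"""Flag njRAT-style persistence and firewall-exclusion behaviour in
sandbox-style event records.

Added example for this report, not part of the sandbox output. EVENTS is
constructed from the registry, file and process entries in the report;
the record layout is this script's own convention.
"""
import re
from dataclasses import dataclass

# reg_key field of the extracted njRAT config (from the report).
CONFIG_REG_KEY = "1bd172ac77b29bf1fd15d0de8a995ae1"

# Per-user %TEMP% of any account; the sample runs its copy from there.
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# HKCU or HKLM Run key, native or Wow6432Node view; captures the value name.
RUN_KEY = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# Legacy 'netsh firewall add allowedprogram' (seen here) and the newer
# 'netsh advfirewall firewall add rule' form.
NETSH_ALLOW = re.compile(
    r"netsh\s+(?:advfirewall\s+firewall\s+add\s+rule|firewall\s+add\s+allowedprogram)\s+",
    re.IGNORECASE,
)

SID = "S-1-5-21-2277218442-1199762539-2004043321-1000"
EVENTS = [  # constructed from the report's IoCs
    {"kind": "reg_set", "process": "chrome.exe",
     "path": rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\{CONFIG_REG_KEY}",
     "value": r'"C:\Users\Admin\AppData\Local\Temp\chrome.exe" ..'},
    {"kind": "reg_set", "process": "chrome.exe",
     "path": rf"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\{CONFIG_REG_KEY}",
     "value": r'"C:\Users\Admin\AppData\Local\Temp\chrome.exe" ..'},
    {"kind": "file_create", "process": "chrome.exe",
     "path": rf"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{CONFIG_REG_KEY}.exe"},
    {"kind": "process", "process": "netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\chrome.exe" "chrome.exe" ENABLE'},
]


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK sub-technique the behaviour maps to
    evidence: str


def image_from_run_value(value: str) -> str:
    """Return the executable path from a Run value such as
    '"C:\\...\\chrome.exe" ..' (quoted path plus arguments) or a bare path."""
    m = re.match(r'^"([^"]+)"|^(\S+)', value.strip())
    return (m.group(1) or m.group(2)) if m else value


def analyse(events):
    """Return (findings, names). findings are ATT&CK-tagged IoCs; names are
    Run value names that also appear as a Startup-folder filename, which is
    how njRAT reuses its reg_key for both persistence mechanisms."""
    findings, run_images, startup_names = [], {}, set()
    for ev in events:
        kind = ev["kind"]
        if kind == "reg_set" and (m := RUN_KEY.search(ev["path"])):
            image = image_from_run_value(ev["value"])
            run_images[m["name"]] = image
            if USER_TEMP.search(image):
                findings.append(Finding("T1547.001 Run key pointing into %TEMP%",
                                        f'{m["name"]} -> {image}'))
        elif kind == "file_create" and STARTUP_DIR.search(ev["path"]):
            fname = ev["path"].rsplit("\\", 1)[-1]
            startup_names.add(fname[:-4] if fname.lower().endswith(".exe") else fname)
            findings.append(Finding("T1547.001 Startup folder drop", ev["path"]))
        elif kind == "process" and NETSH_ALLOW.search(ev.get("cmdline", "")):
            findings.append(Finding("T1562.004 Firewall exclusion via netsh", ev["cmdline"]))
    return findings, set(run_images) & startup_names


if __name__ == "__main__":
    found, shared = analyse(EVENTS)
    for f in found:
        print(f"{f.technique}: {f.evidence}")
    print("names used for both Run value and Startup file:", sorted(shared))
    print("matches extracted reg_key:", shared == {CONFIG_REG_KEY})
```

The name reuse check is the cheap pivot: once the Run value name is known from one host, the same string is the Startup filename and, per the extracted config, the malware's own `reg_key`, so it can be swept for across an estate without the binary in hand.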
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\chrome.exe (also recorded as \Users\Admin\AppData\Local\Temp\chrome.exe)
  Filesize: 23KB
  MD5: 4ea1665eb888da8c049a453acc38b547
  SHA1: 211a4143dc0b7daa35c325b8c7d75a4bb21eca58
  SHA256: 431cba1cfb123d9f7cd3d1bbf91a66ea1cc1f4d8a30f86d794ed75d1b521664d
  SHA512: 59a137aaecc7cb74a1dec3969670c68bfde376c319b0df735eb13a8dca4b3999bbada2b9c867483ead4c3cb4f180f812b31b8053808b5ba829b1fc001d0ae9dc
  All hashes match the submitted sample: the dropper writes a copy of itself to %TEMP%\chrome.exe rather than unpacking a distinct payload.
- memory/960-57-0x0000000000000000-mapping.dmp
- memory/960-61-0x0000000073F90000-0x000000007453B000-memory.dmp (5.7MB)
- memory/1008-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp (8KB)
- memory/1008-55-0x0000000073F90000-0x000000007453B000-memory.dmp (5.7MB)
- memory/1728-62-0x0000000000000000-mapping.dmp