Analysis
- max time kernel: 161s
- max time network: 174s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 25-06-2022 01:47
Static task: static1
Behavioral task: behavioral1
  Sample: f2efdb91127d45b051573b56d5390401a0067eb015f2db95a65563dea235555e.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: f2efdb91127d45b051573b56d5390401a0067eb015f2db95a65563dea235555e.exe
  Resource: win10v2004-20220414-en
General
- Target: f2efdb91127d45b051573b56d5390401a0067eb015f2db95a65563dea235555e.exe
- Size: 1.1MB
- MD5: 6d2b7843f0e9168704d4c71108cfdc50
- SHA1: 3fb8ed1bc9eb790af15c1f18486ac5461a44ed71
- SHA256: f2efdb91127d45b051573b56d5390401a0067eb015f2db95a65563dea235555e
- SHA512: 56622c990c77363bf709cba7684dd484fe96b24aa2f8f68828b494d556bb73d800955fc080a9d6e24d5f4c7f3c39a11d49d2870e1f0869a6912ef36fa67df0b0
Malware Config (extracted)
- Family: njrat
- Version: 0.7d
- Botnet: coder
- C2: 81.61.77.92:5553
- Mutex: 890f73d3282170b26075ca7917951b6e
- reg_key: 890f73d3282170b26075ca7917951b6e
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    2036  Data.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\890f73d3282170b26075ca7917951b6e.exe  Data.exe
    File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\890f73d3282170b26075ca7917951b6e.exe  Data.exe
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
    1700  f2efdb91127d45b051573b56d5390401a0067eb015f2db95a65563dea235555e.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\890f73d3282170b26075ca7917951b6e = "\"C:\\Users\\Admin\\AppData\\Roaming\\Data.exe\" .."  Data.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\890f73d3282170b26075ca7917951b6e = "\"C:\\Users\\Admin\\AppData\\Roaming\\Data.exe\" .."  Data.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (11 IoCs)
  Processes (pid, process, occurrences):
    1700  f2efdb91127d45b051573b56d5390401a0067eb015f2db95a65563dea235555e.exe  2
    2036  Data.exe  9
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (15 IoCs)
  Processes (description, pid, process, occurrences):
    Token: SeDebugPrivilege            2036  Data.exe  1
    Token: 33                          2036  Data.exe  7
    Token: SeIncBasePriorityPrivilege  2036  Data.exe  7
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid, process):
    1700  f2efdb91127d45b051573b56d5390401a0067eb015f2db95a65563dea235555e.exe
    2036  Data.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process, occurrences):
    PID 1700 wrote to memory of 2036  1700  f2efdb91127d45b051573b56d5390401a0067eb015f2db95a65563dea235555e.exe  Data.exe   4
    PID 2036 wrote to memory of 896   2036  Data.exe  netsh.exe  4
Processes
1. C:\Users\Admin\AppData\Local\Temp\f2efdb91127d45b051573b56d5390401a0067eb015f2db95a65563dea235555e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f2efdb91127d45b051573b56d5390401a0067eb015f2db95a65563dea235555e.exe"
   - Loads dropped DLL
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Data.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Data.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Data.exe" "Data.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\Data.exe
- \??\c:\users\admin\appdata\roaming\data.exe
- \Users\Admin\AppData\Roaming\Data.exe
  (one dropped file recorded under three path spellings; its hashes match the submitted sample)
  Filesize: 1.1MB
  MD5: 6d2b7843f0e9168704d4c71108cfdc50
  SHA1: 3fb8ed1bc9eb790af15c1f18486ac5461a44ed71
  SHA256: f2efdb91127d45b051573b56d5390401a0067eb015f2db95a65563dea235555e
  SHA512: 56622c990c77363bf709cba7684dd484fe96b24aa2f8f68828b494d556bb73d800955fc080a9d6e24d5f4c7f3c39a11d49d2870e1f0869a6912ef36fa67df0b0
- memory/896-66-0x0000000000000000-mapping.dmp
- memory/1700-54-0x00000000753B1000-0x00000000753B3000-memory.dmp  Filesize: 8KB
- memory/1700-55-0x00000000003D0000-0x000000000074E000-memory.dmp  Filesize: 3.5MB
- memory/1700-56-0x00000000003D0000-0x000000000074E000-memory.dmp  Filesize: 3.5MB
- memory/1700-57-0x0000000000390000-0x000000000039A000-memory.dmp  Filesize: 40KB
- memory/1700-65-0x00000000003D0000-0x000000000074E000-memory.dmp  Filesize: 3.5MB
- memory/2036-59-0x0000000000000000-mapping.dmp
- memory/2036-63-0x00000000010C0000-0x000000000143E000-memory.dmp  Filesize: 3.5MB
- memory/2036-64-0x00000000010C0000-0x000000000143E000-memory.dmp  Filesize: 3.5MB