Analysis
- Max time kernel: 154s
- Max time network: 154s
- Platform: windows7_x64
- Resource: win7-20220414-en
- Submitted: 30-06-2022 23:42
Behavioral task: behavioral1
- Sample: 0e43f6a99b7bf1629bfe2ca3dd803a234103f0d154a8c46a9fe939b74b1a8884.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 0e43f6a99b7bf1629bfe2ca3dd803a234103f0d154a8c46a9fe939b74b1a8884.exe
- Resource: win10v2004-20220414-en
General
- Target: 0e43f6a99b7bf1629bfe2ca3dd803a234103f0d154a8c46a9fe939b74b1a8884.exe
- Size: 29KB
- MD5: e87322096860c5eb0c7e95d6d3ccfb75
- SHA1: 3b79b4dc1525cbcde04fac34ed2b1a30deb3a17c
- SHA256: 0e43f6a99b7bf1629bfe2ca3dd803a234103f0d154a8c46a9fe939b74b1a8884
- SHA512: f5f9d9e41299613ec5eb082daf0ed229d815fd192689af3e4266b388bd31f7c254dd7673e76ce78c5eb9d1d81a8677879bc7f9b061d2d87a19ff3c4bc8a83749
Malware Config (extracted)
- Family: njrat
- Version: 0.6.4
- Botnet: HacKed
- C2: 213.167.222.86:1177
- Mutex: 5cd8f17f4086744065eb0992a09e05a2
- reg_key: 5cd8f17f4086744065eb0992a09e05a2
- splitter: |'|'|
Signatures

- Executes dropped EXE (1 IoC)
  Processes: pid 1588, Trojan.exe

- Modifies Windows Firewall (1 TTP, 1 IoC)

- Drops startup file (2 IoCs)
  Processes:
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe (by Trojan.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe (by Trojan.exe)

- Loads dropped DLL (1 IoC)
  Processes: pid 2032, 0e43f6a99b7bf1629bfe2ca3dd803a234103f0d154a8c46a9fe939b74b1a8884.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  - Set value (str): \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." (by Trojan.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." (by Trojan.exe)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes: pid 1588, Trojan.exe (16 occurrences)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: Token SeDebugPrivilege, pid 1588, Trojan.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  - PID 2032 (0e43f6a99b7bf1629bfe2ca3dd803a234103f0d154a8c46a9fe939b74b1a8884.exe) wrote to memory of PID 1588 (Trojan.exe), 4 occurrences
  - PID 1588 (Trojan.exe) wrote to memory of PID 1736 (netsh.exe), 4 occurrences
Processes

1. C:\Users\Admin\AppData\Local\Temp\0e43f6a99b7bf1629bfe2ca3dd803a234103f0d154a8c46a9fe939b74b1a8884.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0e43f6a99b7bf1629bfe2ca3dd803a234103f0d154a8c46a9fe939b74b1a8884.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\Trojan.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
         - Modifies Windows Firewall
Downloads

- C:\Users\Admin\AppData\Local\Temp\Trojan.exe
  Filesize: 29KB
  MD5: e87322096860c5eb0c7e95d6d3ccfb75
  SHA1: 3b79b4dc1525cbcde04fac34ed2b1a30deb3a17c
  SHA256: 0e43f6a99b7bf1629bfe2ca3dd803a234103f0d154a8c46a9fe939b74b1a8884
  SHA512: f5f9d9e41299613ec5eb082daf0ed229d815fd192689af3e4266b388bd31f7c254dd7673e76ce78c5eb9d1d81a8677879bc7f9b061d2d87a19ff3c4bc8a83749
- \Users\Admin\AppData\Local\Temp\Trojan.exe
  Filesize: 29KB
  MD5: e87322096860c5eb0c7e95d6d3ccfb75
  SHA1: 3b79b4dc1525cbcde04fac34ed2b1a30deb3a17c
  SHA256: 0e43f6a99b7bf1629bfe2ca3dd803a234103f0d154a8c46a9fe939b74b1a8884
  SHA512: f5f9d9e41299613ec5eb082daf0ed229d815fd192689af3e4266b388bd31f7c254dd7673e76ce78c5eb9d1d81a8677879bc7f9b061d2d87a19ff3c4bc8a83749

- memory/1588-57-0x0000000000000000-mapping.dmp
- memory/1588-64-0x0000000074E00000-0x00000000753AB000-memory.dmp (Filesize: 5.7MB)
- memory/1588-65-0x0000000074E00000-0x00000000753AB000-memory.dmp (Filesize: 5.7MB)
- memory/1736-62-0x0000000000000000-mapping.dmp
- memory/2032-54-0x00000000759F1000-0x00000000759F3000-memory.dmp (Filesize: 8KB)
- memory/2032-55-0x0000000074E00000-0x00000000753AB000-memory.dmp (Filesize: 5.7MB)
- memory/2032-61-0x0000000074E00000-0x00000000753AB000-memory.dmp (Filesize: 5.7MB)