Analysis
- max time kernel: 170s
- max time network: 191s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 01-07-2022 03:11
- Static task: static1
- Behavioral task: behavioral1
- Sample: c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe
- Resource: win7-20220414-en
General
- Target: c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe
- Size: 579KB
- MD5: 4c4bde75b118d7db7df062e12a71a601
- SHA1: 57446c07b6893592a2dcea4ffa4e80bb52fdfb53
- SHA256: c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3
- SHA512: f94d8f0dec04713a183d70860f6f90637fd0b14a14b78893df1ab99dcf70f582b1533a8569015800bebf855b09959693a332052dbe115706921f95aa12bf7bba
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: XmasMoney
- C2: 185.244.30.248:4040
- Mutex: 65846043dcc7fda8dafdf43614eb84ef
- Attributes:
  - reg_key: 65846043dcc7fda8dafdf43614eb84ef
  - splitter: |'|'|
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/2080-132-0x0000000000400000-0x0000000000422000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\65846043dcc7fda8dafdf43614eb84ef = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe\" .." | c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\65846043dcc7fda8dafdf43614eb84ef = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe\" .." | c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 1136 set thread context of 2080 | 1136 | c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe | c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  1136 | c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe
  1136 | c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes:
  pid | process
  1136 | c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe
  1136 | c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2080 | c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe
  Token: 33 | 2080 | c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe
  Token: SeIncBasePriorityPrivilege | 2080 | c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description | pid | process | target process
  PID 1136 wrote to memory of 2080 | 1136 | c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe | c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe
  PID 1136 wrote to memory of 2080 | 1136 | c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe | c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe
  PID 1136 wrote to memory of 2080 | 1136 | c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe | c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe
  PID 2080 wrote to memory of 4756 | 2080 | c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe | netsh.exe
  PID 2080 wrote to memory of 4756 | 2080 | c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe | netsh.exe
  PID 2080 wrote to memory of 4756 | 2080 | c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe | netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe"
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe" "c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1136-130-0x0000000000400000-0x0000000000497000-memory.dmp (Filesize: 604KB)
- memory/2080-131-0x0000000000000000-mapping.dmp
- memory/2080-132-0x0000000000400000-0x0000000000422000-memory.dmp (Filesize: 136KB)
- memory/2080-134-0x0000000000510000-0x000000000051A000-memory.dmp (Filesize: 40KB)
- memory/2080-133-0x0000000000510000-0x000000000051A000-memory.dmp (Filesize: 40KB)
- memory/2080-135-0x0000000000400000-0x0000000000422000-memory.dmp (Filesize: 136KB)
- memory/2080-136-0x00000000754C0000-0x0000000075A71000-memory.dmp (Filesize: 5.7MB)
- memory/2080-138-0x00000000754C0000-0x0000000075A71000-memory.dmp (Filesize: 5.7MB)
- memory/4756-137-0x0000000000000000-mapping.dmp