Analysis
- max time kernel: 151s
- max time network: 60s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 01-07-2022 05:40
Behavioral task: behavioral1
- Sample: 793d4047f9cb06853188abd91e4e889ab897b989abba1e9a040b0a767eb90802.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 793d4047f9cb06853188abd91e4e889ab897b989abba1e9a040b0a767eb90802.exe
- Resource: win10v2004-20220414-en
General
- Target: 793d4047f9cb06853188abd91e4e889ab897b989abba1e9a040b0a767eb90802.exe
- Size: 23KB
- MD5: 11f42d8a2e06a965a4ffc575dfda012f
- SHA1: 8e372df6a2d2171403349c72d5b4eac100baac06
- SHA256: 793d4047f9cb06853188abd91e4e889ab897b989abba1e9a040b0a767eb90802
- SHA512: 3b9001f44cb2f840f3d22888010a66a0ff2737a36b4574f5af6ab58466bca9ac63ef2820ed0d4ba18de5d7ef204b3ca2e6365f5803f758d1de2cec38f863cb5a
Malware Config
Extracted
- njrat
- 0.7d
- Roblox
- sallystark.ddns.net:1177
- 4f4dac90c60c5d2b42eb7531f6b1885e
- reg_key: 4f4dac90c60c5d2b42eb7531f6b1885e
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  - pid 1248: WindowsLogo.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Drops startup file (2 IoCs)
  Processes (WindowsLogo.exe):
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4f4dac90c60c5d2b42eb7531f6b1885e.exe
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4f4dac90c60c5d2b42eb7531f6b1885e.exe
- Loads dropped DLL (1 IoC)
  Processes:
  - pid 240: 793d4047f9cb06853188abd91e4e889ab897b989abba1e9a040b0a767eb90802.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (WindowsLogo.exe):
  - Set value (str): \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\4f4dac90c60c5d2b42eb7531f6b1885e = "\"C:\\Users\\Admin\\WindowsLogo.exe\" .."
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\4f4dac90c60c5d2b42eb7531f6b1885e = "\"C:\\Users\\Admin\\WindowsLogo.exe\" .."
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (15 IoCs)
  Processes (WindowsLogo.exe, pid 1248):
  - Token: SeDebugPrivilege (1 time)
  - Token: 33 (7 times)
  - Token: SeIncBasePriorityPrivilege (7 times)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  - PID 240 (793d4047f9cb06853188abd91e4e889ab897b989abba1e9a040b0a767eb90802.exe) wrote to memory of PID 1248 (WindowsLogo.exe), 4 times
  - PID 1248 (WindowsLogo.exe) wrote to memory of PID 2040 (netsh.exe), 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\793d4047f9cb06853188abd91e4e889ab897b989abba1e9a040b0a767eb90802.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\793d4047f9cb06853188abd91e4e889ab897b989abba1e9a040b0a767eb90802.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\WindowsLogo.exe (child of the process above)
    Command line: "C:\Users\Admin\WindowsLogo.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (child of WindowsLogo.exe)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\WindowsLogo.exe" "WindowsLogo.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\WindowsLogo.exe
  Filesize: 23KB
  MD5: 11f42d8a2e06a965a4ffc575dfda012f
  SHA1: 8e372df6a2d2171403349c72d5b4eac100baac06
  SHA256: 793d4047f9cb06853188abd91e4e889ab897b989abba1e9a040b0a767eb90802
  SHA512: 3b9001f44cb2f840f3d22888010a66a0ff2737a36b4574f5af6ab58466bca9ac63ef2820ed0d4ba18de5d7ef204b3ca2e6365f5803f758d1de2cec38f863cb5a
- memory/240-54-0x00000000757C1000-0x00000000757C3000-memory.dmp (Filesize: 8KB)
- memory/240-55-0x00000000748C0000-0x0000000074E6B000-memory.dmp (Filesize: 5.7MB)
- memory/240-56-0x00000000748C0000-0x0000000074E6B000-memory.dmp (Filesize: 5.7MB)
- memory/240-63-0x00000000748C0000-0x0000000074E6B000-memory.dmp (Filesize: 5.7MB)
- memory/1248-58-0x0000000000000000-mapping.dmp
- memory/1248-62-0x00000000748C0000-0x0000000074E6B000-memory.dmp (Filesize: 5.7MB)
- memory/1248-65-0x00000000748C0000-0x0000000074E6B000-memory.dmp (Filesize: 5.7MB)
- memory/2040-64-0x0000000000000000-mapping.dmp