Analysis
- max time kernel: 172s
- max time network: 162s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 01-07-2022 06:00
Behavioral task: behavioral1
- Sample: 8d922558add2ca72d28ccf04735189741860cc38f9f6862a1a430314a814749d.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 8d922558add2ca72d28ccf04735189741860cc38f9f6862a1a430314a814749d.exe
- Resource: win10v2004-20220414-en
General
- Target: 8d922558add2ca72d28ccf04735189741860cc38f9f6862a1a430314a814749d.exe
- Size: 93KB
- MD5: e005b555ea05cef46b13fe5de4892ab9
- SHA1: 547a4b55fd055d5eaa69090da90f8d9bf58cd51c
- SHA256: 8d922558add2ca72d28ccf04735189741860cc38f9f6862a1a430314a814749d
- SHA512: 2731c12ffad3eb09151301d4d1fd3987b48df64ba7b9c55a80fcb8ce75eb0e9960eb1e7b1e010507d45a0f0bfd729fe08c43fbcd0de2345576110a01c291a4b8
Malware Config
Extracted
- njrat
- im523
- jpeg
- 178.44.199.23:7777
- f7637d68ce1b9405a0673e2492622992
- reg_key: f7637d68ce1b9405a0673e2492622992
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    1064 jpeg.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f7637d68ce1b9405a0673e2492622992.exe (jpeg.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f7637d68ce1b9405a0673e2492622992.exe (jpeg.exe)
- Loads dropped DLL (1 IoCs)
  Processes (pid, process):
    1652 8d922558add2ca72d28ccf04735189741860cc38f9f6862a1a430314a814749d.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Set value (str): \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\f7637d68ce1b9405a0673e2492622992 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\jpeg.exe\" .." (jpeg.exe)
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f7637d68ce1b9405a0673e2492622992 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\jpeg.exe\" .." (jpeg.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process):
    1064 jpeg.exe (64 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid, process):
    1064 jpeg.exe
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege 1064 jpeg.exe (1 entry)
    Token: 33 1064 jpeg.exe (9 entries)
    Token: SeIncBasePriorityPrivilege 1064 jpeg.exe (9 entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
    PID 1652 wrote to memory of 1064: 1652 8d922558add2ca72d28ccf04735189741860cc38f9f6862a1a430314a814749d.exe -> jpeg.exe (4 entries)
    PID 1064 wrote to memory of 2032: 1064 jpeg.exe -> netsh.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\8d922558add2ca72d28ccf04735189741860cc38f9f6862a1a430314a814749d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8d922558add2ca72d28ccf04735189741860cc38f9f6862a1a430314a814749d.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\jpeg.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\jpeg.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\jpeg.exe" "jpeg.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\jpeg.exe
  Filesize: 93KB
  MD5: e005b555ea05cef46b13fe5de4892ab9
  SHA1: 547a4b55fd055d5eaa69090da90f8d9bf58cd51c
  SHA256: 8d922558add2ca72d28ccf04735189741860cc38f9f6862a1a430314a814749d
  SHA512: 2731c12ffad3eb09151301d4d1fd3987b48df64ba7b9c55a80fcb8ce75eb0e9960eb1e7b1e010507d45a0f0bfd729fe08c43fbcd0de2345576110a01c291a4b8
- C:\Users\Admin\AppData\Local\Temp\jpeg.exe
  Filesize: 93KB
  MD5: e005b555ea05cef46b13fe5de4892ab9
  SHA1: 547a4b55fd055d5eaa69090da90f8d9bf58cd51c
  SHA256: 8d922558add2ca72d28ccf04735189741860cc38f9f6862a1a430314a814749d
  SHA512: 2731c12ffad3eb09151301d4d1fd3987b48df64ba7b9c55a80fcb8ce75eb0e9960eb1e7b1e010507d45a0f0bfd729fe08c43fbcd0de2345576110a01c291a4b8
- \Users\Admin\AppData\Local\Temp\jpeg.exe
  Filesize: 93KB
  MD5: e005b555ea05cef46b13fe5de4892ab9
  SHA1: 547a4b55fd055d5eaa69090da90f8d9bf58cd51c
  SHA256: 8d922558add2ca72d28ccf04735189741860cc38f9f6862a1a430314a814749d
  SHA512: 2731c12ffad3eb09151301d4d1fd3987b48df64ba7b9c55a80fcb8ce75eb0e9960eb1e7b1e010507d45a0f0bfd729fe08c43fbcd0de2345576110a01c291a4b8
- memory/1064-57-0x0000000000000000-mapping.dmp
- memory/1064-62-0x0000000075000000-0x00000000755AB000-memory.dmp
  Filesize: 5.7MB
- memory/1064-65-0x0000000075000000-0x00000000755AB000-memory.dmp
  Filesize: 5.7MB
- memory/1652-54-0x0000000076851000-0x0000000076853000-memory.dmp
  Filesize: 8KB
- memory/1652-55-0x0000000075000000-0x00000000755AB000-memory.dmp
  Filesize: 5.7MB
- memory/1652-61-0x0000000075000000-0x00000000755AB000-memory.dmp
  Filesize: 5.7MB
- memory/2032-63-0x0000000000000000-mapping.dmp