Analysis
max time kernel: 151s
max time network: 57s
platform: windows7_x64
resource: win7-20220414-en
submitted: 01-07-2022 13:36
Static task: static1
Behavioral task: behavioral1
  Sample: 3e0baae7fd422648feef63903e375e29e48aaa1146d249f8571a96563ad3a1d4.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 3e0baae7fd422648feef63903e375e29e48aaa1146d249f8571a96563ad3a1d4.exe
  Resource: win10v2004-20220414-en
General
Target: 3e0baae7fd422648feef63903e375e29e48aaa1146d249f8571a96563ad3a1d4.exe
Size: 156KB
MD5: 4123e4ef9f5d9399d06c2186ff3e6300
SHA1: 7529717bcf12234b31d252f9974dc20072c07189
SHA256: 3e0baae7fd422648feef63903e375e29e48aaa1146d249f8571a96563ad3a1d4
SHA512: cec74f13263f278ff839b596d10abddbdc77bf5778237b90fd9f1830f3861ff38abfa7c51cf73abe99d8be441295683e93cbe1d305d8d5b113b0ebbaf5645e3c
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: FIKRAAA victimes
C2: service-http.servehttp.com:5500
Mutex: 9563c75cec9a4d84b96ac625f5a53797
Attributes:
  reg_key: 9563c75cec9a4d84b96ac625f5a53797
  splitter: |'|'|
Signatures

Executes dropped EXE (1 IoC)
  Processes:
    pid 1968  chrome.exe

Modifies Windows Firewall (1 TTP, 1 IoC)

Drops startup file (2 IoCs)
  Processes:
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9563c75cec9a4d84b96ac625f5a53797.exe  (chrome.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9563c75cec9a4d84b96ac625f5a53797.exe  (chrome.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    Set value (str): \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\9563c75cec9a4d84b96ac625f5a53797 = "\"C:\\Users\\Admin\\AppData\\Roaming\\chrome.exe\" .."  (chrome.exe)
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9563c75cec9a4d84b96ac625f5a53797 = "\"C:\\Users\\Admin\\AppData\\Roaming\\chrome.exe\" .."  (chrome.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (15 IoCs)
  Processes:
    Token: SeDebugPrivilege            pid 1968  chrome.exe
    Token: 33                          pid 1968  chrome.exe
    Token: SeIncBasePriorityPrivilege  pid 1968  chrome.exe
    Token: 33                          pid 1968  chrome.exe
    Token: SeIncBasePriorityPrivilege  pid 1968  chrome.exe
    Token: 33                          pid 1968  chrome.exe
    Token: SeIncBasePriorityPrivilege  pid 1968  chrome.exe
    Token: 33                          pid 1968  chrome.exe
    Token: SeIncBasePriorityPrivilege  pid 1968  chrome.exe
    Token: 33                          pid 1968  chrome.exe
    Token: SeIncBasePriorityPrivilege  pid 1968  chrome.exe
    Token: 33                          pid 1968  chrome.exe
    Token: SeIncBasePriorityPrivilege  pid 1968  chrome.exe
    Token: 33                          pid 1968  chrome.exe
    Token: SeIncBasePriorityPrivilege  pid 1968  chrome.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    PID 1648 wrote to memory of 1968  3e0baae7fd422648feef63903e375e29e48aaa1146d249f8571a96563ad3a1d4.exe -> chrome.exe
    PID 1648 wrote to memory of 1968  3e0baae7fd422648feef63903e375e29e48aaa1146d249f8571a96563ad3a1d4.exe -> chrome.exe
    PID 1648 wrote to memory of 1968  3e0baae7fd422648feef63903e375e29e48aaa1146d249f8571a96563ad3a1d4.exe -> chrome.exe
    PID 1968 wrote to memory of 936   chrome.exe -> netsh.exe
    PID 1968 wrote to memory of 936   chrome.exe -> netsh.exe
    PID 1968 wrote to memory of 936   chrome.exe -> netsh.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\3e0baae7fd422648feef63903e375e29e48aaa1146d249f8571a96563ad3a1d4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3e0baae7fd422648feef63903e375e29e48aaa1146d249f8571a96563ad3a1d4.exe"
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\chrome.exe
      Command line: "C:\Users\Admin\AppData\Roaming\chrome.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\chrome.exe" "chrome.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\chrome.exe
  Filesize: 156KB
  MD5: 4123e4ef9f5d9399d06c2186ff3e6300
  SHA1: 7529717bcf12234b31d252f9974dc20072c07189
  SHA256: 3e0baae7fd422648feef63903e375e29e48aaa1146d249f8571a96563ad3a1d4
  SHA512: cec74f13263f278ff839b596d10abddbdc77bf5778237b90fd9f1830f3861ff38abfa7c51cf73abe99d8be441295683e93cbe1d305d8d5b113b0ebbaf5645e3c
  (hashes identical to the submitted sample: the dropped file is a byte-for-byte copy of the original executable)
Memory dumps

memory/936-63-0x0000000000000000-mapping.dmp
memory/936-64-0x000007FEFBB71000-0x000007FEFBB73000-memory.dmp    Filesize: 8KB
memory/1648-54-0x0000000000DE0000-0x0000000000E0E000-memory.dmp   Filesize: 184KB
memory/1648-55-0x000000001B086000-0x000000001B0A5000-memory.dmp   Filesize: 124KB
memory/1648-56-0x00000000005C0000-0x00000000005CC000-memory.dmp   Filesize: 48KB
memory/1648-61-0x000000001B086000-0x000000001B0A5000-memory.dmp   Filesize: 124KB
memory/1968-57-0x0000000000000000-mapping.dmp
memory/1968-60-0x0000000000F30000-0x0000000000F5E000-memory.dmp   Filesize: 184KB
memory/1968-62-0x000000001B016000-0x000000001B035000-memory.dmp   Filesize: 124KB
memory/1968-65-0x000000001B016000-0x000000001B035000-memory.dmp   Filesize: 124KB