Analysis

max time kernel: 148s
max time network: 43s
platform: windows7_x64
resource: win7-20220414-en
submitted: 02-07-2022 18:46

Static task: static1
Behavioral task: behavioral1
Sample: c4906d9e92bbbb0302f3409adb459b9bc31f75282780a9a56b6bff2bc908715b.exe
Resource: win7-20220414-en
General

Target: c4906d9e92bbbb0302f3409adb459b9bc31f75282780a9a56b6bff2bc908715b.exe
Size: 168KB
MD5: 0ead8bf1a82f825a23acba001fa5d8f4
SHA1: d53abb4494d355f6954cea7ba866588593934992
SHA256: c4906d9e92bbbb0302f3409adb459b9bc31f75282780a9a56b6bff2bc908715b
SHA512: 5fda6c76bb39547844114ded578f7881fa9433d8da45d4df67c48cc17a9fce90b90c918e9cc4611b6bb86cef444cb00b11f10d219d3d1eb33f713b4741f8dc05
Malware Config

Extracted
Family: njrat
Version: 0.7d
Botnet ID: HacKed
C2: 127.0.0.1:1234
Mutex: cc0012ca95288ee5cb550c3649e082f9
reg_key: cc0012ca95288ee5cb550c3649e082f9
splitter: |'|'|
Signatures

Executes dropped EXE (1 IoC)
Processes (pid, process):
  684  ben.exe

Modifies Windows Firewall (1 TTP, 1 IoC)

Loads dropped DLL (1 IoC)
Processes (pid, process):
  1276  c4906d9e92bbbb0302f3409adb459b9bc31f75282780a9a56b6bff2bc908715b.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (19 IoCs)
Processes (description, pid, process):
  Token: SeDebugPrivilege            684  ben.exe
  Token: 33                          684  ben.exe  (9 occurrences, alternating with the row below)
  Token: SeIncBasePriorityPrivilege  684  ben.exe  (9 occurrences)

Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description, pid, process, target process):
  PID 1276 wrote to memory of 684   1276  c4906d9e92bbbb0302f3409adb459b9bc31f75282780a9a56b6bff2bc908715b.exe  ben.exe    (4 occurrences)
  PID 684 wrote to memory of 2044   684   ben.exe                                                                netsh.exe  (4 occurrences)
Processes

1. C:\Users\Admin\AppData\Local\Temp\c4906d9e92bbbb0302f3409adb459b9bc31f75282780a9a56b6bff2bc908715b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c4906d9e92bbbb0302f3409adb459b9bc31f75282780a9a56b6bff2bc908715b.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\ben.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ben.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\ben.exe" "ben.exe" ENABLE
         - Modifies Windows Firewall
Downloads

C:\Users\Admin\AppData\Local\Temp\ben.exe
Filesize: 23KB
MD5: 43e1b731ab30055f534ef2276eaa72fb
SHA1: 9c648a33edca6b2c6ae54784c219da59a3682c3b
SHA256: e73557e8e6bdffcc0b3add262a502902101f6fa26822aded9c19bdc89135f239
SHA512: 2e0b911c41004374e9bd54558a4ee5676c63c1ff8947a92c73d56b8e4f7fa3bc7d7f9aa5798520ce221a371eaf2a97ccdc0dd0791982b0fd70eb7f201d85da7c

\Users\Admin\AppData\Local\Temp\ben.exe
Filesize: 23KB
MD5: 43e1b731ab30055f534ef2276eaa72fb
SHA1: 9c648a33edca6b2c6ae54784c219da59a3682c3b
SHA256: e73557e8e6bdffcc0b3add262a502902101f6fa26822aded9c19bdc89135f239
SHA512: 2e0b911c41004374e9bd54558a4ee5676c63c1ff8947a92c73d56b8e4f7fa3bc7d7f9aa5798520ce221a371eaf2a97ccdc0dd0791982b0fd70eb7f201d85da7c

memory/684-57-0x0000000000000000-mapping.dmp
memory/684-61-0x000000006FD90000-0x000000007033B000-memory.dmp  Filesize: 5.7MB
memory/684-64-0x000000006FD90000-0x000000007033B000-memory.dmp  Filesize: 5.7MB
memory/1276-54-0x0000000000B30000-0x0000000000B5A000-memory.dmp  Filesize: 168KB
memory/1276-55-0x0000000076C01000-0x0000000076C03000-memory.dmp  Filesize: 8KB
memory/2044-62-0x0000000000000000-mapping.dmp