Analysis
- max time kernel: 150s
- max time network: 137s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 26-07-2022 20:55
Behavioral task behavioral1
- Sample: 1476-56-0x00000000006C0000-0x00000000006CC000-memory.exe
- Resource: win7-20220718-en
Behavioral task behavioral2
- Sample: 1476-56-0x00000000006C0000-0x00000000006CC000-memory.exe
- Resource: win10v2004-20220721-en
General
- Target: 1476-56-0x00000000006C0000-0x00000000006CC000-memory.exe
- Size: 48KB
- MD5: 6de2929b7b7222f71855fbe910cf307b
- SHA1: 40b5ea79764da3d2b7e04b9ecde4239b8a431bc8
- SHA256: 73e63871a24f0b98e5096aa8f568e8e0d761b82926cba894d1be631f95f2a0c4
- SHA512: d5a7663f30536bd7d2757e867c362b574b1dae6ed2bea127991a391ce8e69fc246f2d0d4b183e0e0acc84c666b1498d518470d36049c5e9a092ca18bd0b7dbd9
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: easralahtane.ddns.net:3973
- Mutex: 4c1e56ee7374309d8fa12b913734d668
- reg_key: 4c1e56ee7374309d8fa12b913734d668
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  940 | Microsoft .exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
  1264 | 1476-56-0x00000000006C0000-0x00000000006CC000-memory.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\4c1e56ee7374309d8fa12b913734d668 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft .exe\" .." | Microsoft .exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\4c1e56ee7374309d8fa12b913734d668 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft .exe\" .." | Microsoft .exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Processes (description, pid, process):
  Token: SeDebugPrivilege | 940 | Microsoft .exe
  Token: 33 | 940 | Microsoft .exe (9 entries)
  Token: SeIncBasePriorityPrivilege | 940 | Microsoft .exe (9 entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
  PID 1264 wrote to memory of 940 | 1264 | 1476-56-0x00000000006C0000-0x00000000006CC000-memory.exe | Microsoft .exe (4 entries)
  PID 940 wrote to memory of 1300 | 940 | Microsoft .exe | netsh.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\1476-56-0x00000000006C0000-0x00000000006CC000-memory.exe (PID 1264)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1476-56-0x00000000006C0000-0x00000000006CC000-memory.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Microsoft .exe (PID 940, child of 1264)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Microsoft .exe"
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 1300, child of 940)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Microsoft .exe" "Microsoft .exe" ENABLE
      Signatures: Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Microsoft .exe
  Filesize: 48KB
  MD5: 6de2929b7b7222f71855fbe910cf307b
  SHA1: 40b5ea79764da3d2b7e04b9ecde4239b8a431bc8
  SHA256: 73e63871a24f0b98e5096aa8f568e8e0d761b82926cba894d1be631f95f2a0c4
  SHA512: d5a7663f30536bd7d2757e867c362b574b1dae6ed2bea127991a391ce8e69fc246f2d0d4b183e0e0acc84c666b1498d518470d36049c5e9a092ca18bd0b7dbd9
- \Users\Admin\AppData\Local\Temp\Microsoft .exe
  Filesize: 48KB
  MD5: 6de2929b7b7222f71855fbe910cf307b
  SHA1: 40b5ea79764da3d2b7e04b9ecde4239b8a431bc8
  SHA256: 73e63871a24f0b98e5096aa8f568e8e0d761b82926cba894d1be631f95f2a0c4
  SHA512: d5a7663f30536bd7d2757e867c362b574b1dae6ed2bea127991a391ce8e69fc246f2d0d4b183e0e0acc84c666b1498d518470d36049c5e9a092ca18bd0b7dbd9
- memory/940-57-0x0000000000000000-mapping.dmp
- memory/940-62-0x0000000074460000-0x0000000074A0B000-memory.dmp (Filesize: 5.7MB)
- memory/940-65-0x0000000074460000-0x0000000074A0B000-memory.dmp (Filesize: 5.7MB)
- memory/1264-54-0x0000000075271000-0x0000000075273000-memory.dmp (Filesize: 8KB)
- memory/1264-55-0x0000000074460000-0x0000000074A0B000-memory.dmp (Filesize: 5.7MB)
- memory/1264-61-0x0000000074460000-0x0000000074A0B000-memory.dmp (Filesize: 5.7MB)
- memory/1300-63-0x0000000000000000-mapping.dmp