Analysis
max time kernel: 153s
max time network: 92s
platform: windows7_x64
resource: win7-20220718-en
resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
submitted: 30-07-2022 19:55
Behavioral task: behavioral1
Sample: 61d73267fc1c8be1fca9846fcff4ed7ffa4cb6271fa6a1060265f37eeeda188d.exe
Resource: win7-20220718-en
Behavioral task: behavioral2
Sample: 61d73267fc1c8be1fca9846fcff4ed7ffa4cb6271fa6a1060265f37eeeda188d.exe
Resource: win10v2004-20220721-en
General
Target: 61d73267fc1c8be1fca9846fcff4ed7ffa4cb6271fa6a1060265f37eeeda188d.exe
Size: 23KB
MD5: 20790f1a5c5557ef801926d7ce1e4498
SHA1: 936eae636323d512932d84a45a930626a684b2a9
SHA256: 61d73267fc1c8be1fca9846fcff4ed7ffa4cb6271fa6a1060265f37eeeda188d
SHA512: 9d97b1a246aa6bfd0d86185c88d0095391361e902b9a18a5b63045832597283ca865a86dc70f841bb6e608aed6c29f845f594926005f297cb3d36863c027338b
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet (campaign id): HacKed
C2: na33waaf.no-ip.biz:2485
Mutex: efb8374654449498f987b4a0e64f2f90
reg_key: efb8374654449498f987b4a0e64f2f90
splitter: |'|'|
Note: the C2 is a dynamic-DNS hostname (no-ip.biz) on a non-standard port, so block on the hostname rather than on whatever IP it resolved to during this run. The same 32-hex-character reg_key is reused as the Run value name and as the Startup-folder filename in the signatures below, which makes it a reliable host IoC for this build.
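The splitter and campaign id above are what a detection engineer needs to pull njRAT registrations out of captured traffic toward na33waaf.no-ip.biz:2485. The following Python is an added example, not part of the sandbox report or of njRAT itself. It assumes the common njRAT framing of an ASCII decimal payload length, a NUL byte, then the payload, and it uses a constructed registration message whose field order (command, victim id prefixed by the campaign, hostname, user, date, an empty field, OS, camera flag, version, ...) is an assumption for illustration; real layouts vary by build. The second, truncated frame exercises the partial-read path a stream reassembler has to handle.

```python
"""Pull njRAT registrations out of a raw C2 byte stream using the extracted config.

Framing assumed here: ASCII decimal payload length, one NUL byte, then the payload;
fields inside a payload are joined by the splitter from the config. The registration
field order below is an assumption for illustration, not taken from the report.
"""

SPLITTER = "|'|'|"      # from the extracted config
CAMPAIGN = "HacKed"     # campaign / botnet id from the extracted config
VERSION = "0.7d"        # version from the extracted config


def frame(payload: bytes) -> bytes:
    """Wrap one payload the way the client does: '<len>\\x00<payload>'."""
    return str(len(payload)).encode() + b"\x00" + payload


def deframe(stream: bytes):
    """Split a TCP byte stream into complete payloads.

    Returns (payloads, remainder). The remainder is an incomplete trailing frame
    (short length prefix or short payload) to prepend to the next socket read.
    """
    payloads, pos = [], 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break                                   # length prefix not complete yet
        length_field = stream[pos:nul]
        if not length_field.isdigit() or len(length_field) > 7:
            raise ValueError("not an njRAT frame at offset %d" % pos)
        start, end = nul + 1, nul + 1 + int(length_field)
        if end > len(stream):
            break                                   # payload not complete yet
        payloads.append(stream[start:end])
        pos = end
    return payloads, stream[pos:]


def parse_message(payload: bytes, splitter: str = SPLITTER) -> dict:
    """Split one payload on the splitter; decode the registration ('ll') fields."""
    fields = payload.decode("utf-8", "replace").split(splitter)
    info = {"command": fields[0], "fields": fields}
    if fields[0] == "ll" and len(fields) >= 9:          # assumed registration layout
        info["campaign"] = fields[1].split("_", 1)[0]   # victim id = <campaign>_<hw id>
        info["hostname"] = fields[2]
        info["username"] = fields[3]
        info["version"] = fields[8]
    return info


def matches_config(info: dict) -> bool:
    """True when a parsed registration carries this sample's campaign id and version."""
    return (info.get("command") == "ll"
            and info.get("campaign") == CAMPAIGN
            and info.get("version") == VERSION)


# Constructed registration message (not captured traffic), followed by a second
# frame cut off after 20 bytes to exercise the partial-read path.
REGISTRATION = SPLITTER.join([
    "ll", "HacKed_DEADBEEF", "WIN7-PC", "Admin", "22-07-30", "",
    "Win 7 Ultimate SP1 x64", "No", VERSION, "..", "UHJvZ3JhbSBNYW5hZ2Vy",
]).encode()
SAMPLE_STREAM = frame(REGISTRATION) + frame(REGISTRATION)[:20]

if __name__ == "__main__":
    payloads, leftover = deframe(SAMPLE_STREAM)
    for p in payloads:
        info = parse_message(p)
        print(info["command"], info.get("campaign"), info.get("hostname"), matches_config(info))
    print("bytes waiting for next read:", len(leftover))
```

To use this on real data, feed `deframe` the reassembled TCP payload from the victim side of the 2485/tcp session and keep the returned remainder across reads; `matches_config` is deliberately strict (campaign and version) so it can be relaxed to campaign-only when hunting for sibling builds of the same operator.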
Signatures
- Executes dropped EXE (1 IoC)
  Processes: pid 1916 updaate.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
  See the netsh.exe command line in the process tree below.
- Drops startup file (2 IoCs)
  Processes: updaate.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\efb8374654449498f987b4a0e64f2f90.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\efb8374654449498f987b4a0e64f2f90.exe
- Loads dropped DLL (1 IoC)
  Processes: pid 1732 61d73267fc1c8be1fca9846fcff4ed7ffa4cb6271fa6a1060265f37eeeda188d.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: updaate.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\efb8374654449498f987b4a0e64f2f90 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\updaate.exe\" .."
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\efb8374654449498f987b4a0e64f2f90 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\updaate.exe\" .."
  Note: the machine-wide value lands under Wow6432Node because updaate.exe is a 32-bit process on the x64 image (it also spawns the SysWOW64 copy of netsh.exe). When hunting, query both the native and the Wow6432Node Run keys, and expect the value data to carry the trailing " .." argument seen here.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Note: that description is the sandbox's generic text for this signature. Nothing else in this report shows file encryption, and for an njRAT build drive enumeration is more consistent with the family's removable-drive spreading option than with ransomware.
- Suspicious use of AdjustPrivilegeToken (15 IoCs)
  Processes: updaate.exe (pid 1916)
  Token: SeDebugPrivilege
  Token: 33, then Token: SeIncBasePriorityPrivilege (this pair repeated 7 times)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1732 (61d73267fc1c8be1fca9846fcff4ed7ffa4cb6271fa6a1060265f37eeeda188d.exe) wrote to memory of PID 1916 (updaate.exe), 4 times
  PID 1916 (updaate.exe) wrote to memory of PID 900 (netsh.exe), 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\61d73267fc1c8be1fca9846fcff4ed7ffa4cb6271fa6a1060265f37eeeda188d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\61d73267fc1c8be1fca9846fcff4ed7ffa4cb6271fa6a1060265f37eeeda188d.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Local\Temp\updaate.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\updaate.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - child: C:\Windows\SysWOW64\netsh.exe
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\updaate.exe" "updaate.exe" ENABLE
      - Modifies Windows Firewall
      Note: "netsh firewall" is the legacy context, deprecated since Vista but still honoured on Windows 7; the newer equivalent is "netsh advfirewall firewall add rule", so a detection on this behaviour should match both forms, keyed on the allowed program being the parent's own image under a user-writable path.
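The three host-side artifacts in the tree above (a Run value pointing at a %TEMP% binary, a Startup-folder drop named after the reg_key, and netsh adding the same binary as an allowed program) are individually noisy but together form a tight njRAT persistence signature. The Python below is an added example, not code from the sandbox or from any vendor: it runs three rules over constructed event records in a Sysmon-like shape (the record type names, field names, and the benign Vendor\Updater.exe control record are this example's own assumptions) built from the values on this page, then correlates the id shared by the Run value name and the Startup filename.

```python
"""Detection logic for the njRAT persistence triad seen in the process tree.

Event records are constructed in a Sysmon-like shape (registry_set, file_create,
process_create); field names are this example's own convention, not a vendor schema.
"""
import re
from collections import defaultdict

SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")
STARTUP_MARK = "\\start menu\\programs\\startup\\"


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def in_user_writable(path: str) -> bool:
    """True for locations a non-admin user can write to (where droppers land)."""
    return any(d in _norm(path) for d in SUSPICIOUS_DIRS)


def tokens(cmdline: str):
    """Split a Windows command line, keeping quoted paths intact."""
    return [q if q else u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def run_key_rule(ev):
    """Run value written by a user-writable binary and pointing back at itself."""
    if ev["type"] != "registry_set" or not _norm(ev["key"]).endswith("\\currentversion\\run"):
        return None
    parts = tokens(ev["data"])
    target = parts[0] if parts else ""
    if in_user_writable(ev["image"]) and _norm(target) == _norm(ev["image"]):
        return {"rule": "run_key_self_persist", "pid": ev["pid"], "id": ev["name"], "detail": ev["key"]}
    return None


def startup_rule(ev):
    """Executable dropped into a Startup folder by a user-writable binary."""
    if ev["type"] != "file_create" or STARTUP_MARK not in _norm(ev["path"]):
        return None
    if not in_user_writable(ev["image"]):
        return None
    base = ev["path"].rsplit("\\", 1)[-1]
    return {"rule": "startup_folder_drop", "pid": ev["pid"], "id": base.rsplit(".", 1)[0], "detail": ev["path"]}


def netsh_rule(ev):
    """netsh firewall add allowedprogram where the allowed program is the parent itself."""
    if ev["type"] != "process_create" or not _norm(ev["image"]).endswith("\\netsh.exe"):
        return None
    parts = tokens(ev["cmdline"])
    lower = [p.lower() for p in parts]
    if not {"firewall", "add", "allowedprogram"} <= set(lower):
        return None
    idx = lower.index("allowedprogram")
    prog = parts[idx + 1] if idx + 1 < len(parts) else ""
    if _norm(prog) == _norm(ev["parent_image"]):
        return {"rule": "netsh_allow_self", "pid": ev["ppid"], "id": None, "detail": ev["cmdline"]}
    return None


RULES = (run_key_rule, startup_rule, netsh_rule)


def detect(events):
    """Return (findings, correlated); correlated maps pid -> ids used for both the
    Run value name and the Startup filename (njRAT reuses its reg_key for both)."""
    findings = [f for ev in events for f in (rule(ev) for rule in RULES) if f]
    ids = defaultdict(lambda: defaultdict(set))
    for f in findings:
        if f["id"]:
            ids[f["pid"]][f["rule"]].add(f["id"])
    correlated = {}
    for pid, per_rule in ids.items():
        common = per_rule["run_key_self_persist"] & per_rule["startup_folder_drop"]
        if common:
            correlated[pid] = common
    return findings, correlated


# Constructed events mirroring the report's IoCs, plus one benign control record.
TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\updaate.exe"
RUN_DATA = r'"C:\Users\Admin\AppData\Local\Temp\updaate.exe" ..'
REG_KEY = "efb8374654449498f987b4a0e64f2f90"
EVENTS = [
    {"type": "registry_set", "pid": 1916, "image": TEMP_EXE,
     "key": r"\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": REG_KEY, "data": RUN_DATA},
    {"type": "registry_set", "pid": 1916, "image": TEMP_EXE,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
     "name": REG_KEY, "data": RUN_DATA},
    {"type": "file_create", "pid": 1916, "image": TEMP_EXE,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\efb8374654449498f987b4a0e64f2f90.exe"},
    {"type": "process_create", "pid": 900, "ppid": 1916, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "parent_image": TEMP_EXE,
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\updaate.exe" "updaate.exe" ENABLE'},
    {"type": "registry_set", "pid": 500, "image": r"C:\Program Files\Vendor\Updater.exe",   # benign control (assumed)
     "key": r"\REGISTRY\USER\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "VendorUpdater", "data": r'"C:\Program Files\Vendor\Updater.exe"'},
]

if __name__ == "__main__":
    found, linked = detect(EVENTS)
    for f in found:
        print(f["rule"], f["pid"], f["detail"])
    print("correlated persistence ids:", linked)
```

The rules key on the relationship between actor and target (a binary in a user-writable directory persisting or whitelisting itself) rather than on the filename updaate.exe or the specific reg_key, so they survive the trivial renames njRAT builders allow; the correlation step is what turns two medium-confidence hits into one high-confidence njRAT alert.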
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\updaate.exe
  Filesize: 23KB
  MD5: 20790f1a5c5557ef801926d7ce1e4498
  SHA1: 936eae636323d512932d84a45a930626a684b2a9
  SHA256: 61d73267fc1c8be1fca9846fcff4ed7ffa4cb6271fa6a1060265f37eeeda188d
  SHA512: 9d97b1a246aa6bfd0d86185c88d0095391361e902b9a18a5b63045832597283ca865a86dc70f841bb6e608aed6c29f845f594926005f297cb3d36863c027338b
- \Users\Admin\AppData\Local\Temp\updaate.exe
  Filesize: 23KB, same MD5/SHA1/SHA256/SHA512 as the entry above
Note: the dropped updaate.exe has exactly the size and hashes of the submitted sample, so the first stage simply copies itself to %TEMP%\updaate.exe and runs the copy; blocking or hunting on the SHA256 in the General section covers both files.
- memory/900-64-0x0000000000000000-mapping.dmp
- memory/1732-54-0x0000000075271000-0x0000000075273000-memory.dmp (8KB)
- memory/1732-55-0x0000000074460000-0x0000000074A0B000-memory.dmp (5.7MB)
- memory/1732-56-0x0000000074460000-0x0000000074A0B000-memory.dmp (5.7MB)
- memory/1732-62-0x0000000074460000-0x0000000074A0B000-memory.dmp (5.7MB)
- memory/1916-58-0x0000000000000000-mapping.dmp
- memory/1916-63-0x0000000074460000-0x0000000074A0B000-memory.dmp (5.7MB)
- memory/1916-66-0x0000000074460000-0x0000000074A0B000-memory.dmp (5.7MB)