Analysis
max time kernel: 153s
max time network: 48s
platform: windows7_x64
resource: win7-20220718-en
resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
submitted: 08-08-2022 11:33
Behavioral task behavioral1: sample animalhaha.exe on resource win7-20220718-en
Behavioral task behavioral2: sample animalhaha.exe on resource win10v2004-20220721-en
The signatures, process tree and dumps below are from the Windows 7 x64 run (platform windows7_x64, 32-bit processes under SysWOW64).
General
Target: animalhaha.exe
Size: 27KB
MD5: f24251c4a9bc8f5613026d85ac28dbab
SHA1: 9eb4b74cee39a1f44241b449fc872710f884924f
SHA256: ba75eac69192e61b4479bc36eac36b4f127298f6b4763a7f4ade06f085c980ac
SHA512: b5a1e69fff362cd2863c38b914a3145948aeb33838d3a419ac9f26abf269ac26023541a28c9e2038b94248467cec82063e078d27109d0600fdc29b2c695d32ca
Malware Config
Extracted
Family: njrat
Version: v2.0
Botnet (campaign id): HacKed
C2: 194.5.98.188:4003
Mutex: Windows (the field label is missing from the extraction; this is the slot njRAT configs carry between the C2 and reg_key fields)
reg_key: Windows
splitter: |-F-|
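The extracted config gives the splitter the sample uses between fields on the wire. The Python below is an added worked example (not code from the sample, from tria.ge, or from the njRAT builder) of framing and parsing njRAT-style C2 messages with that splitter: length-prefixed frames, frames split or coalesced across TCP segments, and recovery of the campaign id from a registration message. The length, NUL byte, payload framing is the form seen in njRAT builds; the field order after the "ll" keyword, the hwid, host and user values, and all function names are assumptions of this example.

```python
"""njRAT-style C2 framing using the splitter from this sample's config.

Added worked example; not code from the sample or from tria.ge. Framing
assumed (as seen in njRAT builds): ASCII decimal payload length, a NUL byte,
then that many payload bytes; the payload is a command keyword and its fields
joined by the configured splitter. The "ll" field order below is illustrative.
"""
import base64

SPLITTER = "|-F-|"   # extracted config: splitter
CAMPAIGN = "HacKed"  # extracted config: botnet / campaign id
VERSION = "v2.0"     # extracted config: version


def encode_frame(fields, splitter=SPLITTER):
    """Join fields with the splitter and prepend the '<len>\\0' header."""
    payload = splitter.join(fields).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def decode_frames(buf, splitter=SPLITTER):
    """Pull every complete frame out of a byte buffer.

    Returns (frames, leftover). A frame cut off by a TCP segment boundary is
    left in `leftover` so the caller can append more data and retry; a
    non-numeric length prefix raises instead of desynchronising silently.
    """
    frames, pos = [], 0
    while True:
        nul = buf.find(b"\x00", pos)
        if nul == -1:
            break
        header = buf[pos:nul]
        if not header.isdigit():
            raise ValueError(f"bad length prefix at offset {pos}: {header!r}")
        start, end = nul + 1, nul + 1 + int(header)
        if end > len(buf):
            break  # incomplete frame: wait for more bytes
        frames.append(buf[start:end].decode("utf-8", "replace").split(splitter))
        pos = end
    return frames, buf[pos:]


def build_register(hwid, host, user, campaign=CAMPAIGN, version=VERSION):
    """Illustrative registration frame: njRAT victim ids are the campaign name
    joined to a hardware id and base64-encoded; the later fields are assumed."""
    victim = base64.b64encode(f"{campaign}_{hwid}".encode()).decode()
    return encode_frame(["ll", victim, host, user, version])


def parse_register(fields):
    """Return (campaign, hwid, host, user, version) from an 'll' frame, else None."""
    if len(fields) < 5 or fields[0] != "ll":
        return None
    try:
        victim = base64.b64decode(fields[1], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    campaign, _, hwid = victim.partition("_")
    return campaign, hwid, fields[2], fields[3], fields[4]


if __name__ == "__main__":
    # Constructed stream: a registration frame followed by an active-window frame,
    # delivered with the tail of the second frame in a later segment.
    stream = build_register("ABCDEF0123", "WIN7-PC", "Admin") + encode_frame(["act", "notepad.exe"])
    frames, rest = decode_frames(stream[:-3])
    print("first segment:", frames, "leftover:", rest)
    print("second segment:", decode_frames(rest + stream[-3:]))
```

Pointing `decode_frames` at a reassembled TCP stream to 194.5.98.188:4003 and checking `parse_register` for the campaign "HacKed" is how the splitter and botnet id from the config turn into a network detection; frames from other njRAT builds will use a different splitter and will not parse with this one.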
Signatures

Executes dropped EXE (1 IoC)
  PID 936  PowerPoint 2016.exe

Drops startup file (5 IoCs)
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk   by animalhaha.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk   by PowerPoint 2016.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe   by PowerPoint 2016.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe   by PowerPoint 2016.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe   by attrib.exe

Loads dropped DLL (1 IoC)
  PID 1800  animalhaha.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\PowerPoint 2016.exe"   by animalhaha.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"   by PowerPoint 2016.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"   by PowerPoint 2016.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"   by PowerPoint 2016.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"   by PowerPoint 2016.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic "likely ransomware behaviour" note to this signature; for an njRAT sample the usual cause is the RAT's drive enumeration (file-manager listing and its optional USB-spreading feature), and nothing else in this report shows file encryption.
Suspicious use of AdjustPrivilegeToken (17 IoCs)
  PID 936  PowerPoint 2016.exe
    Token: SeDebugPrivilege             (1)
    Token: 33                           (8)   LUID 33 is SeIncreaseWorkingSetPrivilege; the sandbox prints privileges it cannot name by LUID
    Token: SeIncBasePriorityPrivilege   (8)
  In the original log the eight "33" and SeIncBasePriorityPrivilege entries alternate, i.e. the two adjustments are made together eight times.
Suspicious use of WriteProcessMemory (16 IoCs)
  PID 1800  animalhaha.exe        wrote to memory of  PID 936   PowerPoint 2016.exe   (4 times)
  PID 1800  animalhaha.exe        wrote to memory of  PID 1124  attrib.exe            (4 times)
  PID 936   PowerPoint 2016.exe   wrote to memory of  PID 1784  attrib.exe            (4 times)
  PID 936   PowerPoint 2016.exe   wrote to memory of  PID 1628  attrib.exe            (4 times)
  Every target is a direct child the writer has just spawned (see the process tree). A few writes into a freshly created child are part of CreateProcess itself, so this signature here reflects process creation, not injection into an unrelated process.
Views/modifies file attributes (1 TTP, 3 IoCs)
  PID 1124  attrib.exe
  PID 1784  attrib.exe
  PID 1628  attrib.exe
Processes

C:\Users\Admin\AppData\Local\Temp\animalhaha.exe   "C:\Users\Admin\AppData\Local\Temp\animalhaha.exe"   PID 1800
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\PowerPoint 2016.exe   "C:\Users\Admin\AppData\Roaming\PowerPoint 2016.exe"   PID 936  (child of 1800)
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\attrib.exe   attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"   PID 1784  (child of 936)
          - Drops startup file
          - Views/modifies file attributes

        C:\Windows\SysWOW64\attrib.exe   attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"   PID 1628  (child of 936)
          - Views/modifies file attributes

    C:\Windows\SysWOW64\attrib.exe   attrib +h +r +s "C:\Users\Admin\AppData\Roaming\PowerPoint 2016.exe"   PID 1124  (child of 1800)
      - Views/modifies file attributes
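The signatures and process tree above describe one persistence chain: Run-key values pointing into the user's AppData (one of them at a .URL shortcut rather than a binary), copies of the sample dropped in the Startup folder, and attrib.exe hiding those files with +h +s. The Python below is an added example (not tria.ge's signature engine) of detection logic that encodes those three observations as rules, runs them over constructed events modelled on this report, attributes each hit to the root of its process tree and scores the tree. The event schema (type, pid, parent, cmdline, key, data, path), the rule names and the two benign control events are this example's own assumptions.

```python
"""Detection logic for the persistence chain seen in this report.

Added worked example, not tria.ge's signature engine. The events below are
constructed to mirror the report's IoCs (a subset); the event schema
(type, pid, parent, cmdline, key, data, path) belongs to this example only.
"""
import re
from collections import defaultdict

RUN_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
SHORTCUT_EXT = (".url", ".lnk")  # a Run value that launches a shortcut instead of a binary

ROAM = r"C:\Users\Admin\AppData\Roaming"
STARTUP = ROAM + r"\Microsoft\Windows\Start Menu\Programs\Startup"
HKU_RUN = r"\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run"
HKLM32_RUN = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"

EVENTS = [  # constructed from the report's process tree and IoCs, plus two benign controls
    {"type": "process_create", "pid": 936, "parent": 1800, "cmdline": f'"{ROAM}\\PowerPoint 2016.exe"'},
    {"type": "registry_set", "pid": 1800, "key": HKU_RUN + r"\Windows2", "data": ROAM + r"\PowerPoint 2016.exe"},
    {"type": "file_create", "pid": 1800, "path": STARTUP + r"\Windows.lnk"},
    {"type": "process_create", "pid": 1124, "parent": 1800, "cmdline": f'attrib +h +r +s "{ROAM}\\PowerPoint 2016.exe"'},
    {"type": "registry_set", "pid": 936, "key": HKU_RUN + r"\Windows", "data": ROAM + r"\Microsoft\Windows\Templates\Windows.URL"},
    {"type": "registry_set", "pid": 936, "key": HKLM32_RUN + r"\Windows", "data": ROAM + r"\Microsoft\Windows\Templates\Windows.URL"},
    {"type": "file_create", "pid": 936, "path": STARTUP + r"\Windows.exe"},
    {"type": "process_create", "pid": 1784, "parent": 936, "cmdline": f'attrib +h +r +s "{STARTUP}\\Windows.exe"'},
    {"type": "process_create", "pid": 1628, "parent": 936, "cmdline": f'attrib +h +r +s "{ROAM}\\Microsoft\\Windows\\Templates\\Windows.exe"'},
    # benign controls (constructed): an updater in Program Files; attrib without +h/+s
    {"type": "registry_set", "pid": 500, "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "data": r"C:\Program Files\Vendor\updater.exe"},
    {"type": "process_create", "pid": 700, "parent": 4, "cmdline": f'attrib -r "{ROAM}\\Vendor\\config.ini"'},
]


def split_cmdline(cmdline):
    """Windows-style tokenizer: double-quoted runs become one token."""
    return [q or s for q, s in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def finding(rule, pid, detail):
    return {"rule": rule, "pid": pid, "detail": detail}


def evaluate(events):
    """Apply the three rules; return (findings, parent map)."""
    parents, findings = {}, []
    for e in events:
        if e["type"] == "process_create":
            parents[e["pid"]] = e["parent"]
            toks = split_cmdline(e["cmdline"])
            if toks and toks[0].rsplit("\\", 1)[-1].lower() in ("attrib", "attrib.exe"):
                flags = {t.lower() for t in toks[1:] if t.startswith("+")}
                if {"+h", "+s"} <= flags:  # hidden + system on a file the user can write
                    for target in toks[1:]:
                        if target and target[0] not in "+-/" and (
                                USER_WRITABLE_RE.search(target) or STARTUP_RE.search(target)):
                            findings.append(finding("attrib_hide_user_writable", e["pid"], target))
        elif e["type"] == "registry_set":
            m = RUN_KEY_RE.search(e["key"])
            if m and (USER_WRITABLE_RE.search(e["data"]) or e["data"].lower().endswith(SHORTCUT_EXT)):
                findings.append(finding("run_key_user_writable", e["pid"], f'{m.group(1)} = {e["data"]}'))
        elif e["type"] == "file_create" and STARTUP_RE.search(e["path"]):
            findings.append(finding("startup_folder_drop", e["pid"], e["path"]))
    return findings, parents


def root_of(pid, parents):
    """Walk the parent map to the top of the tree (cycle-safe)."""
    seen = set()
    while pid in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid


def verdict(group):
    """Three distinct techniques from one process tree is a strong persistence signal."""
    rules = {f["rule"] for f in group}
    return "high" if len(rules) >= 3 else "medium" if len(rules) == 2 else "low"


def analyze(events):
    findings, parents = evaluate(events)
    groups = defaultdict(list)
    for f in findings:
        groups[root_of(f["pid"], parents)].append(f)
    return {root: {"verdict": verdict(g), "findings": g} for root, g in groups.items()}


if __name__ == "__main__":
    for root, result in analyze(EVENTS).items():
        print(f"root PID {root}: {result['verdict']}")
        for f in result["findings"]:
            print(f"  [{f['rule']}] pid={f['pid']} {f['detail']}")
```

Attributing hits to the root of the process tree is what makes the chain scorable: the attrib.exe children and the PowerPoint 2016.exe copy each trip only one rule on their own, but all eight findings roll up to PID 1800.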
Network
MITRE ATT&CK Enterprise v6
Downloads
Windows.exe in the Startup folder and PowerPoint 2016.exe in Roaming carry exactly the hashes of the submitted animalhaha.exe: the sample copies itself rather than dropping a separate second stage.

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe
  Filesize: 27KB
  MD5: f24251c4a9bc8f5613026d85ac28dbab
  SHA1: 9eb4b74cee39a1f44241b449fc872710f884924f
  SHA256: ba75eac69192e61b4479bc36eac36b4f127298f6b4763a7f4ade06f085c980ac
  SHA512: b5a1e69fff362cd2863c38b914a3145948aeb33838d3a419ac9f26abf269ac26023541a28c9e2038b94248467cec82063e078d27109d0600fdc29b2c695d32ca

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
  Filesize: 1KB
  MD5: 4fd78950769e5f16abf54d7e41843fa6
  SHA1: 9e173d174fa621dba09498174a6a90e174daddce
  SHA256: 3cc93b1292791ce9569a56b6f6944e508f93ff1118b0e9b4ac17754536483656
  SHA512: 9c6f879b77d2e9b591e93d3c04e43ae09fc4051eee60c2af7ffefc5e9f451e35ecf8a0e3b12d9689f41f19bc458066f5f5cb6c30df939360d35c3c5ab294a8ea

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
  Filesize: 1022B
  MD5: 6ea691472b5ef189fc50449906179853
  SHA1: c2d825a8cda2ffade06eb1380a1a0faf84bacc53
  SHA256: 586d62a383a9c4780d5d19bf1bfb15328f042212ae0d6ba3a5f3534110e448a4
  SHA512: 0cc332054f28e5b2636231a356e502edcb627db049c955eb3c4df56161a045359f2c3dbd10566c27f4fa760d06d3328ca96c7495f1abb8a8e168e633f9ec5175

C:\Users\Admin\AppData\Roaming\PowerPoint 2016.exe
  Filesize: 27KB
  MD5: f24251c4a9bc8f5613026d85ac28dbab
  SHA1: 9eb4b74cee39a1f44241b449fc872710f884924f
  SHA256: ba75eac69192e61b4479bc36eac36b4f127298f6b4763a7f4ade06f085c980ac
  SHA512: b5a1e69fff362cd2863c38b914a3145948aeb33838d3a419ac9f26abf269ac26023541a28c9e2038b94248467cec82063e078d27109d0600fdc29b2c695d32ca

\Users\Admin\AppData\Roaming\PowerPoint 2016.exe
  Filesize: 27KB
  MD5: f24251c4a9bc8f5613026d85ac28dbab
  SHA1: 9eb4b74cee39a1f44241b449fc872710f884924f
  SHA256: ba75eac69192e61b4479bc36eac36b4f127298f6b4763a7f4ade06f085c980ac
  SHA512: b5a1e69fff362cd2863c38b914a3145948aeb33838d3a419ac9f26abf269ac26023541a28c9e2038b94248467cec82063e078d27109d0600fdc29b2c695d32ca

memory/936-65-0x0000000074750000-0x0000000074CFB000-memory.dmp    Filesize 5.7MB
memory/936-69-0x0000000074750000-0x0000000074CFB000-memory.dmp    Filesize 5.7MB
memory/936-57-0x0000000000000000-mapping.dmp
memory/1124-61-0x0000000000000000-mapping.dmp
memory/1628-67-0x0000000000000000-mapping.dmp
memory/1784-66-0x0000000000000000-mapping.dmp
memory/1800-64-0x0000000074750000-0x0000000074CFB000-memory.dmp   Filesize 5.7MB
memory/1800-54-0x0000000076291000-0x0000000076293000-memory.dmp   Filesize 8KB
memory/1800-55-0x0000000074750000-0x0000000074CFB000-memory.dmp   Filesize 5.7MB