Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-08-2022 11:33
Behavioral task: behavioral1
- Sample: animalhaha.exe
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: animalhaha.exe
- Resource: win10v2004-20220721-en
General
- Target: animalhaha.exe
- Size: 27KB
- MD5: f24251c4a9bc8f5613026d85ac28dbab
- SHA1: 9eb4b74cee39a1f44241b449fc872710f884924f
- SHA256: ba75eac69192e61b4479bc36eac36b4f127298f6b4763a7f4ade06f085c980ac
- SHA512: b5a1e69fff362cd2863c38b914a3145948aeb33838d3a419ac9f26abf269ac26023541a28c9e2038b94248467cec82063e078d27109d0600fdc29b2c695d32ca
Malware Config
Extracted:
- njrat
- v2.0
- HacKed
- 194.5.98.188:4003
- Windows
- reg_key: Windows
- splitter: |-F-|
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  - 5036 PowerPoint 2016.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation (animalhaha.exe)
- Drops startup file (5 IoCs)
  Processes (description, ioc, process):
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe (attrib.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk (animalhaha.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk (PowerPoint 2016.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe (PowerPoint 2016.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe (PowerPoint 2016.exe)
- Adds Run key to start application (2 TTPs, 5 IoCs)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\PowerPoint 2016.exe" (animalhaha.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (PowerPoint 2016.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (PowerPoint 2016.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (PowerPoint 2016.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (PowerPoint 2016.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 5036, PowerPoint 2016.exe (1 occurrence)
  - Token: 33, 5036, PowerPoint 2016.exe (16 occurrences, alternating with the entry below)
  - Token: SeIncBasePriorityPrivilege, 5036, PowerPoint 2016.exe (16 occurrences)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  - PID 4468 wrote to memory of 5036: animalhaha.exe -> PowerPoint 2016.exe (3 occurrences)
  - PID 4468 wrote to memory of 320: animalhaha.exe -> attrib.exe (3 occurrences)
  - PID 5036 wrote to memory of 1464: PowerPoint 2016.exe -> attrib.exe (3 occurrences)
  - PID 5036 wrote to memory of 4584: PowerPoint 2016.exe -> attrib.exe (3 occurrences)
- Views/modifies file attributes (1 TTP, 3 IoCs)
  Processes (pid, process):
  - 1464 attrib.exe
  - 4584 attrib.exe
  - 320 attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\animalhaha.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\animalhaha.exe"
  Signatures:
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\PowerPoint 2016.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\PowerPoint 2016.exe"
    Signatures:
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe (depth 3)
      Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
      Signatures:
      - Drops startup file
      - Views/modifies file attributes
    - C:\Windows\SysWOW64\attrib.exe (depth 3)
      Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
      Signatures:
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\attrib.exe (depth 2)
    Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\PowerPoint 2016.exe"
    Signatures:
    - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe
  Filesize: 27KB
  MD5: f24251c4a9bc8f5613026d85ac28dbab
  SHA1: 9eb4b74cee39a1f44241b449fc872710f884924f
  SHA256: ba75eac69192e61b4479bc36eac36b4f127298f6b4763a7f4ade06f085c980ac
  SHA512: b5a1e69fff362cd2863c38b914a3145948aeb33838d3a419ac9f26abf269ac26023541a28c9e2038b94248467cec82063e078d27109d0600fdc29b2c695d32ca
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
  Filesize: 1KB
  MD5: cf482bb09e9dbf411256b213a04ade06
  SHA1: 0cd5ed439bec0f31f84a197cef74111a41657a8e
  SHA256: be69bc1c18319a1563d575b9321fffa594222ed2f10de6df5c682f5df7ef9f77
  SHA512: 7a689df7d2f477d32070c0598c7fdd769353457fa4eea25d0807c1ecf8493d6346802b84baa47ae96ee9d49476ecac404789349b464fcd9ca1fb6e51e48c3b01
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
  Filesize: 1KB
  MD5: 24b7db4ec9e164c394a3fb5ac47f1de7
  SHA1: 03f133e0cb9f354ddd6237b9c997eab7e7627215
  SHA256: 8c456486883dcdc67c993c25e9cdd7153441a91158eefd97483414661f424e48
  SHA512: 381603374ae770edbf72e69fc66f7bf7455177f6682b19395ff3d32ae95b04e2829c5c0f718cf2170b8896791a6583610bd7a08a89b5b25482085eee2ccd4704
- C:\Users\Admin\AppData\Roaming\PowerPoint 2016.exe
  Filesize: 27KB
  MD5: f24251c4a9bc8f5613026d85ac28dbab
  SHA1: 9eb4b74cee39a1f44241b449fc872710f884924f
  SHA256: ba75eac69192e61b4479bc36eac36b4f127298f6b4763a7f4ade06f085c980ac
  SHA512: b5a1e69fff362cd2863c38b914a3145948aeb33838d3a419ac9f26abf269ac26023541a28c9e2038b94248467cec82063e078d27109d0600fdc29b2c695d32ca
- memory/320-135-0x0000000000000000-mapping.dmp
- memory/1464-140-0x0000000000000000-mapping.dmp
- memory/4468-137-0x0000000074E80000-0x0000000075431000-memory.dmp
  Filesize: 5.7MB
- memory/4468-130-0x0000000074E80000-0x0000000075431000-memory.dmp
  Filesize: 5.7MB
- memory/4468-131-0x0000000074E80000-0x0000000075431000-memory.dmp
  Filesize: 5.7MB
- memory/4584-141-0x0000000000000000-mapping.dmp
- memory/5036-139-0x0000000074E80000-0x0000000075431000-memory.dmp
  Filesize: 5.7MB
- memory/5036-132-0x0000000000000000-mapping.dmp
- memory/5036-143-0x0000000074E80000-0x0000000075431000-memory.dmp
  Filesize: 5.7MB