Analysis
max time kernel: 150s
max time network: 46s
platform: windows7_x64
resource: win7-20220715-en
resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
submitted: 08-08-2022 11:34
Behavioral tasks
behavioral1: sample animalhaha.exe, resource win7-20220715-en (the task whose results are shown on this page)
behavioral2: sample animalhaha.exe, resource win10v2004-20220721-en
General
Target: animalhaha.exe
Size: 27KB
MD5: f24251c4a9bc8f5613026d85ac28dbab
SHA1: 9eb4b74cee39a1f44241b449fc872710f884924f
SHA256: ba75eac69192e61b4479bc36eac36b4f127298f6b4763a7f4ade06f085c980ac
SHA512: b5a1e69fff362cd2863c38b914a3145948aeb33838d3a419ac9f26abf269ac26023541a28c9e2038b94248467cec82063e078d27109d0600fdc29b2c695d32ca
Malware Config
Extracted
Family: njrat
Version: v2.0
Botnet: HacKed
C2: 194.5.98.188:4003
Mutex: Windows
Attributes
  reg_key: Windows
  splitter: |-F-|
Signatures

Executes dropped EXE (1 IoC)
  PID 1624  PowerPoint 2016.exe

Drops startup file (5 IoCs)
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe  (attrib.exe)
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk  (animalhaha.exe)
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk  (PowerPoint 2016.exe)
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe  (PowerPoint 2016.exe)
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe  (PowerPoint 2016.exe)

Loads dropped DLL (1 IoC)
  PID 2000  animalhaha.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\PowerPoint 2016.exe"  (animalhaha.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"  (PowerPoint 2016.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"  (PowerPoint 2016.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"  (PowerPoint 2016.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"  (PowerPoint 2016.exe)
  Note: the submitted dropper first registers its copy (PowerPoint 2016.exe) directly under Windows2; the copy then repoints Windows2 and adds Windows, in both HKCU and the 32-bit HKLM view, at a .URL shortcut in the Templates folder, so the executable is no longer named in the Run data itself.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this "likely ransomware behaviour"; nothing else in this report shows file encryption or a ransom note, and the extracted configuration identifies njrat, so read the drive enumeration in that context rather than as evidence of ransomware.

Suspicious use of AdjustPrivilegeToken (19 IoCs)
  PID 1624  PowerPoint 2016.exe adjusts, in order: SeDebugPrivilege once, then privilege 33 and SeIncBasePriorityPrivilege alternately, nine times each. The sandbox prints "Token: 33" because it did not resolve the name; on Windows, privilege LUID 33 is SeIncreaseWorkingSetPrivilege.

Suspicious use of WriteProcessMemory (16 IoCs)
  PID 2000  animalhaha.exe        wrote to memory of  PID 1624  PowerPoint 2016.exe  (4 times)
  PID 2000  animalhaha.exe        wrote to memory of  PID 1396  attrib.exe           (4 times)
  PID 1624  PowerPoint 2016.exe   wrote to memory of  PID 1716  attrib.exe           (4 times)
  PID 1624  PowerPoint 2016.exe   wrote to memory of  PID 428   attrib.exe           (4 times)
  Note: every target is a direct child of the writing process, and each pair shows the same four writes, the pattern this sandbox records when a parent creates a child; the report shows no writes into an unrelated process.

Views/modifies file attributes (1 TTP, 3 IoCs)
  PID 1396  attrib.exe
  PID 1716  attrib.exe
  PID 428   attrib.exe
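The signature data above describes one process chain: a copy of the sample in %APPDATA% spawns attrib.exe to mark Startup-folder items hidden+system, and the Run values end up pointing at a .URL file in the Templates folder. The PowerShell below is an added example, not part of the sandbox report: it runs that detection logic over constructed event records whose field names mimic Sysmon Event ID 1 (process create) and Event ID 13 (registry value set). The record shape, the Test-NjratPersistenceEvent function and the two benign control records are assumptions of the example; the values in the malicious records are taken from the report's IoCs.

```powershell
# Added example, not part of the sandbox report. Records are constructed from
# the report's IoCs; the Sysmon-like field names are an assumption, not a real
# log export. Two benign records are included as controls.
$SampleEvents = @(
    [pscustomobject]@{ EventId = 1; ProcessId = 1396
        ParentImage = 'C:\Users\Admin\AppData\Local\Temp\animalhaha.exe'
        Image       = 'C:\Windows\SysWOW64\attrib.exe'
        CommandLine = 'attrib +h +r +s "C:\Users\Admin\AppData\Roaming\PowerPoint 2016.exe"' }
    [pscustomobject]@{ EventId = 1; ProcessId = 1716
        ParentImage = 'C:\Users\Admin\AppData\Roaming\PowerPoint 2016.exe'
        Image       = 'C:\Windows\SysWOW64\attrib.exe'
        CommandLine = 'attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"' }
    [pscustomobject]@{ EventId = 13; ProcessId = 1624
        Image        = 'C:\Users\Admin\AppData\Roaming\PowerPoint 2016.exe'
        TargetObject = 'HKU\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows'
        Details      = 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL' }
    # constructed benign controls: an admin clearing a read-only flag, and an ordinary Run entry
    [pscustomobject]@{ EventId = 1; ProcessId = 4242
        ParentImage = 'C:\Windows\System32\cmd.exe'
        Image       = 'C:\Windows\System32\attrib.exe'
        CommandLine = 'attrib -r C:\build\output.txt' }
    [pscustomobject]@{ EventId = 13; ProcessId = 4243
        Image        = 'C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe'
        TargetObject = 'HKU\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive'
        Details      = 'C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background' }
)

function Test-NjratPersistenceEvent {
    param([Parameter(Mandatory)] $Record)

    $reasons = @()

    if ($Record.EventId -eq 1 -and $Record.Image -match '\\attrib\.exe$') {
        # +h together with +s hides the file even when Explorer shows hidden files,
        # unless "hide protected operating system files" is also turned off
        if ($Record.CommandLine -match '\+h' -and $Record.CommandLine -match '\+s') {
            $reasons += 'attrib sets hidden+system'
            if ($Record.CommandLine -match '\\Start Menu\\Programs\\Startup\\') {
                $reasons += 'target is in the Startup folder'
            }
        }
        # the parent itself runs from a user-writable drop location
        if ($Record.ParentImage -match '\\AppData\\(Roaming|Local\\Temp)\\') {
            $reasons += 'parent runs from AppData'
        }
    }

    if ($Record.EventId -eq 13 -and $Record.TargetObject -match '\\CurrentVersion\\Run\\') {
        # a Run value whose data is a .URL shortcut, stored where no user keeps one
        if ($Record.Details -match '\.url$') {
            $reasons += 'Run value launches a .URL file'
        }
        if ($Record.Details -match '\\Microsoft\\Windows\\Templates\\') {
            $reasons += 'Run target lives in the Templates folder'
        }
    }

    [pscustomobject]@{
        ProcessId  = $Record.ProcessId
        Suspicious = ($reasons.Count -ge 2)   # require two independent signals before alerting
        Reasons    = ($reasons -join '; ')
    }
}

$SampleEvents | ForEach-Object { Test-NjratPersistenceEvent -Record $_ } |
    Where-Object Suspicious | Format-Table -AutoSize
```

Run as-is, the three records built from the report are flagged (PIDs 1396, 1716 and 1624) and the two controls are not. Requiring two signals is the design choice worth keeping: `attrib +h +s` alone appears in legitimate installers, and a Run value alone is normal; it is the combination with a parent in AppData, a Startup-folder target or a .URL in Templates that matches this sample's chain.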
Processes

[1] C:\Users\Admin\AppData\Local\Temp\animalhaha.exe  (PID 2000)
    "C:\Users\Admin\AppData\Local\Temp\animalhaha.exe"
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Roaming\PowerPoint 2016.exe  (PID 1624)
        "C:\Users\Admin\AppData\Roaming\PowerPoint 2016.exe"
        - Executes dropped EXE
        - Drops startup file
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\attrib.exe  (PID 1716 or 428)
            attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
            - Drops startup file
            - Views/modifies file attributes

        [3] C:\Windows\SysWOW64\attrib.exe  (PID 1716 or 428)
            attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
            - Views/modifies file attributes

    [2] C:\Windows\SysWOW64\attrib.exe  (PID 1396)
        attrib +h +r +s "C:\Users\Admin\AppData\Roaming\PowerPoint 2016.exe"
        - Views/modifies file attributes

Depth markers [1]/[2]/[3] give the process-tree level. PIDs 2000 and 1624 come from the signature listings; PID 1396 is the only attrib.exe child of PID 2000 in the WriteProcessMemory list, while the report does not say which of PIDs 1716 and 428 ran which of the two attrib commands under PID 1624.
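For a responder checking whether a host carries the artefacts in this process tree, the PowerShell below is an added example, not part of the report and not the sandbox's own tooling: it inspects the Run keys, the Startup, Templates and AppData paths, and the process name that the report lists, and compares any executable it finds against the sample's SHA256. Paths, value names and the hash come from the report; the function name Find-NjratArtifacts and the output layout are assumptions of the example.

```powershell
# Added example, not part of the sandbox report or its tooling. Paths, Run
# value names and the SHA256 are taken from the report; the function name and
# output layout are assumptions of this example.
$KnownSha256 = 'ba75eac69192e61b4479bc36eac36b4f127298f6b4763a7f4ade06f085c980ac'

function Find-NjratArtifacts {
    $hits = @()

    # 1. Run values "Windows" / "Windows2" in HKCU and the 32-bit view of HKLM
    #    (the two locations in the report), plus any Run value whose data is a .URL
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    $providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $providerProps) { continue }       # provider metadata, not registry values
            $named   = $p.Name -in @('Windows', 'Windows2')
            $urlData = ($p.Value -is [string]) -and ($p.Value -match '\.url"?$')
            if ($named -or $urlData) {
                $hits += [pscustomobject]@{ Type = 'RunKey'; Location = "$key\$($p.Name)"; Detail = $p.Value }
            }
        }
    }

    # 2. Dropped files. attrib gave them +h +r +s, so -Force is needed to see them.
    $startup   = [Environment]::GetFolderPath('Startup')
    $templates = [Environment]::GetFolderPath('Templates')
    $appdata   = [Environment]::GetFolderPath('ApplicationData')
    $paths = @(
        (Join-Path $startup   'Windows.exe')
        (Join-Path $startup   'Windows.lnk')
        (Join-Path $templates 'Windows.exe')
        (Join-Path $templates 'Windows.lnk')
        (Join-Path $templates 'Windows.URL')
        (Join-Path $appdata   'PowerPoint 2016.exe')
    )
    foreach ($path in $paths) {
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $detail = "attributes=$($item.Attributes)"
        if ($item.Extension -ieq '.exe') {
            # the dropped executables in the report are byte-identical copies of the sample
            $sha = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLowerInvariant()
            $detail += "; sha256=$sha; matches_sample=$($sha -eq $KnownSha256)"
        }
        $hits += [pscustomobject]@{ Type = 'DroppedFile'; Location = $path; Detail = $detail }
    }

    # 3. A live process with the dropped image name (Get-Process -Name takes the name without .exe)
    foreach ($proc in Get-Process -Name 'PowerPoint 2016' -ErrorAction SilentlyContinue) {
        $hits += [pscustomobject]@{ Type = 'Process'; Location = "PID $($proc.Id)"; Detail = $proc.Path }
    }

    return $hits
}

Find-NjratArtifacts | Format-Table -AutoSize
```

Run it in the affected user's session, because HKCU and the Startup, Templates and ApplicationData folders are resolved for the current user; on a multi-user host, repeat per profile or load each user's hive. A hit on a file whose hash does not match the sample is still worth collecting: the report shows the Run key being repointed at a .URL, so a later variant may leave the same names with different content.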
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe
  Filesize: 27KB
  MD5: f24251c4a9bc8f5613026d85ac28dbab
  SHA1: 9eb4b74cee39a1f44241b449fc872710f884924f
  SHA256: ba75eac69192e61b4479bc36eac36b4f127298f6b4763a7f4ade06f085c980ac
  SHA512: b5a1e69fff362cd2863c38b914a3145948aeb33838d3a419ac9f26abf269ac26023541a28c9e2038b94248467cec82063e078d27109d0600fdc29b2c695d32ca

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
  Filesize: 1KB
  MD5: 6ef25b3eced762068903a3dd7b87d56c
  SHA1: a03a3ebc3428b8d0237866ae884034dd5f3b4464
  SHA256: b2276962b30133844df951f788988be2eda64fa29dd8df34222c0c07db714c0c
  SHA512: bd60b46e08fa8bbbff31ea7b4835cfefbe9c4e25669b263c8bccac243f376045d128cc5500ecb0de988e2ed2ff2884099f6b7589b7128812496c318434bec1d5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
  Filesize: 1022B
  MD5: 22a175d80d24c1d69756edb3d66485d1
  SHA1: 963e69344259b827ef50220f5d0e6eb5fb48c874
  SHA256: 93ec5e5903727794605a8db5715615d70a95e19bc1ab0e48504f0ff1ddabe887
  SHA512: b4f5b0e55a1a16f41235fd541cb0fe313a15b116b049a7fcc78bf5b5af5610822427acfce3209533acb64fee4a0fbfca7b68d11e3d3372118a0a91d016235ea2

C:\Users\Admin\AppData\Roaming\PowerPoint 2016.exe
  Filesize: 27KB
  MD5: f24251c4a9bc8f5613026d85ac28dbab
  SHA1: 9eb4b74cee39a1f44241b449fc872710f884924f
  SHA256: ba75eac69192e61b4479bc36eac36b4f127298f6b4763a7f4ade06f085c980ac
  SHA512: b5a1e69fff362cd2863c38b914a3145948aeb33838d3a419ac9f26abf269ac26023541a28c9e2038b94248467cec82063e078d27109d0600fdc29b2c695d32ca

\Users\Admin\AppData\Roaming\PowerPoint 2016.exe
  Filesize: 27KB
  MD5: f24251c4a9bc8f5613026d85ac28dbab
  SHA1: 9eb4b74cee39a1f44241b449fc872710f884924f
  SHA256: ba75eac69192e61b4479bc36eac36b4f127298f6b4763a7f4ade06f085c980ac
  SHA512: b5a1e69fff362cd2863c38b914a3145948aeb33838d3a419ac9f26abf269ac26023541a28c9e2038b94248467cec82063e078d27109d0600fdc29b2c695d32ca

Note: every 27KB executable listed here has the same hashes as the submitted sample, so the dropped files are self-copies of animalhaha.exe rather than a separate second-stage payload; only the .lnk shortcuts are new content. The Templates\Windows.exe that attrib.exe targets in the process tree does not appear in this list.

Memory dumps
  memory/428-67-0x0000000000000000-mapping.dmp
  memory/1396-60-0x0000000000000000-mapping.dmp
  memory/1624-57-0x0000000000000000-mapping.dmp
  memory/1624-65-0x00000000742A0000-0x000000007484B000-memory.dmp  (5.7MB)
  memory/1624-69-0x00000000742A0000-0x000000007484B000-memory.dmp  (5.7MB)
  memory/1716-66-0x0000000000000000-mapping.dmp
  memory/2000-54-0x0000000076191000-0x0000000076193000-memory.dmp  (8KB)
  memory/2000-64-0x00000000742A0000-0x000000007484B000-memory.dmp  (5.7MB)
  memory/2000-55-0x00000000742A0000-0x000000007484B000-memory.dmp  (5.7MB)