Analysis
-
max time kernel
150s
-
max time network
152s
-
platform
windows10-2004_x64
-
resource
win10v2004-20220721-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20220721-en locale:en-us os:windows10-2004-x64 system
-
submitted
08-08-2022 11:34
Behavioral task
behavioral1
Sample
animalhaha.exe
Resource
win7-20220715-en
Behavioral task
behavioral2
Sample
animalhaha.exe
Resource
win10v2004-20220721-en
General
-
Target
animalhaha.exe
-
Size
27KB
-
MD5
f24251c4a9bc8f5613026d85ac28dbab
-
SHA1
9eb4b74cee39a1f44241b449fc872710f884924f
-
SHA256
ba75eac69192e61b4479bc36eac36b4f127298f6b4763a7f4ade06f085c980ac
-
SHA512
b5a1e69fff362cd2863c38b914a3145948aeb33838d3a419ac9f26abf269ac26023541a28c9e2038b94248467cec82063e078d27109d0600fdc29b2c695d32ca
Malware Config
Extracted
njrat
v2.0
HacKed
194.5.98.188:4003
Windows
-
reg_key
Windows
-
splitter
|-F-|
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
4456 | PowerPoint 2016.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation | animalhaha.exe
-
Drops startup file 5 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | PowerPoint 2016.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | attrib.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | animalhaha.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | PowerPoint 2016.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | PowerPoint 2016.exe
-
Adds Run key to start application 2 TTPs 5 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | PowerPoint 2016.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | PowerPoint 2016.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\PowerPoint 2016.exe" | animalhaha.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | PowerPoint 2016.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | PowerPoint 2016.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 33 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4456 | PowerPoint 2016.exe
Token: 33 | 4456 | PowerPoint 2016.exe
Token: SeIncBasePriorityPrivilege | 4456 | PowerPoint 2016.exe
Token: 33 | 4456 | PowerPoint 2016.exe
Token: SeIncBasePriorityPrivilege | 4456 | PowerPoint 2016.exe
Token: 33 | 4456 | PowerPoint 2016.exe
Token: SeIncBasePriorityPrivilege | 4456 | PowerPoint 2016.exe
Token: 33 | 4456 | PowerPoint 2016.exe
Token: SeIncBasePriorityPrivilege | 4456 | PowerPoint 2016.exe
Token: 33 | 4456 | PowerPoint 2016.exe
Token: SeIncBasePriorityPrivilege | 4456 | PowerPoint 2016.exe
Token: 33 | 4456 | PowerPoint 2016.exe
Token: SeIncBasePriorityPrivilege | 4456 | PowerPoint 2016.exe
Token: 33 | 4456 | PowerPoint 2016.exe
Token: SeIncBasePriorityPrivilege | 4456 | PowerPoint 2016.exe
Token: 33 | 4456 | PowerPoint 2016.exe
Token: SeIncBasePriorityPrivilege | 4456 | PowerPoint 2016.exe
Token: 33 | 4456 | PowerPoint 2016.exe
Token: SeIncBasePriorityPrivilege | 4456 | PowerPoint 2016.exe
Token: 33 | 4456 | PowerPoint 2016.exe
Token: SeIncBasePriorityPrivilege | 4456 | PowerPoint 2016.exe
Token: 33 | 4456 | PowerPoint 2016.exe
Token: SeIncBasePriorityPrivilege | 4456 | PowerPoint 2016.exe
Token: 33 | 4456 | PowerPoint 2016.exe
Token: SeIncBasePriorityPrivilege | 4456 | PowerPoint 2016.exe
Token: 33 | 4456 | PowerPoint 2016.exe
Token: SeIncBasePriorityPrivilege | 4456 | PowerPoint 2016.exe
Token: 33 | 4456 | PowerPoint 2016.exe
Token: SeIncBasePriorityPrivilege | 4456 | PowerPoint 2016.exe
Token: 33 | 4456 | PowerPoint 2016.exe
Token: SeIncBasePriorityPrivilege | 4456 | PowerPoint 2016.exe
Token: 33 | 4456 | PowerPoint 2016.exe
Token: SeIncBasePriorityPrivilege | 4456 | PowerPoint 2016.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 4232 wrote to memory of 4456 | 4232 | animalhaha.exe | PowerPoint 2016.exe
PID 4232 wrote to memory of 4456 | 4232 | animalhaha.exe | PowerPoint 2016.exe
PID 4232 wrote to memory of 4456 | 4232 | animalhaha.exe | PowerPoint 2016.exe
PID 4232 wrote to memory of 2828 | 4232 | animalhaha.exe | attrib.exe
PID 4232 wrote to memory of 2828 | 4232 | animalhaha.exe | attrib.exe
PID 4232 wrote to memory of 2828 | 4232 | animalhaha.exe | attrib.exe
PID 4456 wrote to memory of 2084 | 4456 | PowerPoint 2016.exe | attrib.exe
PID 4456 wrote to memory of 2084 | 4456 | PowerPoint 2016.exe | attrib.exe
PID 4456 wrote to memory of 2084 | 4456 | PowerPoint 2016.exe | attrib.exe
PID 4456 wrote to memory of 1424 | 4456 | PowerPoint 2016.exe | attrib.exe
PID 4456 wrote to memory of 1424 | 4456 | PowerPoint 2016.exe | attrib.exe
PID 4456 wrote to memory of 1424 | 4456 | PowerPoint 2016.exe | attrib.exe
-
Views/modifies file attributes 1 TTPs 3 IoCs
Processes:
pid | process
2828 | attrib.exe
2084 | attrib.exe
1424 | attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\animalhaha.exe
"C:\Users\Admin\AppData\Local\Temp\animalhaha.exe"
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Roaming\PowerPoint 2016.exe
  "C:\Users\Admin\AppData\Roaming\PowerPoint 2016.exe"
  - Executes dropped EXE
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\SysWOW64\attrib.exe
    attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
    - Drops startup file
    - Views/modifies file attributes
  -
    C:\Windows\SysWOW64\attrib.exe
    attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
    - Views/modifies file attributes
-
  C:\Windows\SysWOW64\attrib.exe
  attrib +h +r +s "C:\Users\Admin\AppData\Roaming\PowerPoint 2016.exe"
  - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe
Filesize
27KB
MD5
f24251c4a9bc8f5613026d85ac28dbab
SHA1
9eb4b74cee39a1f44241b449fc872710f884924f
SHA256
ba75eac69192e61b4479bc36eac36b4f127298f6b4763a7f4ade06f085c980ac
SHA512
b5a1e69fff362cd2863c38b914a3145948aeb33838d3a419ac9f26abf269ac26023541a28c9e2038b94248467cec82063e078d27109d0600fdc29b2c695d32ca
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
Filesize
1KB
MD5
a31d3e4808ef53881583209e24cca184
SHA1
f7bd7c4d112891b54033d5088d4c575c0ce5830c
SHA256
44a46e517182173a9f2eb3826a0941cf37b6b3ff8dd99357143a3607a86b6cf4
SHA512
bfb20f18e22dfc61838eecde302035e0c3a6c79519500dcff97a9266eecd8b6b9e751497c21f5868613b8adf35fb2225e0ecf26cd89f34809bf4fd8d551771bc
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
Filesize
1KB
MD5
02710adc13af409ee40445149914fff1
SHA1
c2adac1d0987b021aef7fb052ebd3c5f31af5293
SHA256
658fba2dfed3510880bb7008f80ec04b61d4a5ce080649586d236b171380b13c
SHA512
57887f8dbb35609d6e8f5a0c9f6f4c3c067eb110a77bc26cb34b9ea6813db278074c1bc67039dc53b9b4b84f202f94484d2599df7039094951573b9e9d0f07b5
-
C:\Users\Admin\AppData\Roaming\PowerPoint 2016.exe
Filesize
27KB
MD5
f24251c4a9bc8f5613026d85ac28dbab
SHA1
9eb4b74cee39a1f44241b449fc872710f884924f
SHA256
ba75eac69192e61b4479bc36eac36b4f127298f6b4763a7f4ade06f085c980ac
SHA512
b5a1e69fff362cd2863c38b914a3145948aeb33838d3a419ac9f26abf269ac26023541a28c9e2038b94248467cec82063e078d27109d0600fdc29b2c695d32ca
-
C:\Users\Admin\AppData\Roaming\PowerPoint 2016.exe
Filesize
27KB
MD5
f24251c4a9bc8f5613026d85ac28dbab
SHA1
9eb4b74cee39a1f44241b449fc872710f884924f
SHA256
ba75eac69192e61b4479bc36eac36b4f127298f6b4763a7f4ade06f085c980ac
SHA512
b5a1e69fff362cd2863c38b914a3145948aeb33838d3a419ac9f26abf269ac26023541a28c9e2038b94248467cec82063e078d27109d0600fdc29b2c695d32ca
-
memory/1424-141-0x0000000000000000-mapping.dmp
-
memory/2084-140-0x0000000000000000-mapping.dmp
-
memory/2828-135-0x0000000000000000-mapping.dmp
-
memory/4232-138-0x0000000074EF0000-0x00000000754A1000-memory.dmp
Filesize
5.7MB
-
memory/4232-130-0x0000000074EF0000-0x00000000754A1000-memory.dmp
Filesize
5.7MB
-
memory/4232-131-0x0000000074EF0000-0x00000000754A1000-memory.dmp
Filesize
5.7MB
-
memory/4456-136-0x0000000074EF0000-0x00000000754A1000-memory.dmp
Filesize
5.7MB
-
memory/4456-132-0x0000000000000000-mapping.dmp
-
memory/4456-143-0x0000000074EF0000-0x00000000754A1000-memory.dmp
Filesize
5.7MB