Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 13-08-2022 21:10
Static task: static1
Behavioral task: behavioral1
- Sample: 0030834bf67509153237ac832bc68649.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 0030834bf67509153237ac832bc68649.exe
- Resource: win10v2004-20220812-en
General
- Target: 0030834bf67509153237ac832bc68649.exe
- Size: 351KB
- MD5: 0030834bf67509153237ac832bc68649
- SHA1: 1e4802307ae8e4a8c75bb384762f4cd6db676884
- SHA256: bda545a064501623ed0031faafaad588e31bdae02dd945413873f21ecb7fd96d
- SHA512: 9a26f24a53c929c470e87469dac4ead2064524d0f85e4ea0424695b2f7e6a200256886093ed1190373281498915aecad94d74e90302444c42bc92c876e85e50d
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: easralahtane.ddns.net:3973
- Mutex: de691f5a23326e1eca32cf33144b3175
- reg_key: de691f5a23326e1eca32cf33144b3175
- splitter: |'|'|
Signatures
Executes dropped EXE (1 IoC)
- pid 956: taskhost .exe
Modifies Windows Firewall (1 TTP, 1 IoC)
Loads dropped DLL (1 IoC)
- pid 1452: 0030834bf67509153237ac832bc68649.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\de691f5a23326e1eca32cf33144b3175 = "\"C:\\Users\\Admin\\AppData\\Roaming\\taskhost .exe\" .." (process: taskhost .exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\de691f5a23326e1eca32cf33144b3175 = "\"C:\\Users\\Admin\\AppData\\Roaming\\taskhost .exe\" .." (process: taskhost .exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (6 IoCs)
- Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CID\{47004F00-6500-4F00-5000-33006F005800} (process: 0030834bf67509153237ac832bc68649.exe)
- Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CID (process: 0030834bf67509153237ac832bc68649.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CID\{47004F00-6500-4F00-5000-33006F005800}\1 = "52B1oNhfHYAr31mj+XEMmluPWM0G3HVdnXXdJYHQjNByRJVsg5DkIHwNvDxJMIWDNDxpKbWLdlh4LZQNaZ+Ukk5bPy2gLMeZ9uFXJxrrtDEaZB7T+VGlkRmubNheyvLjsr+Gpi8BTKNdObihHuGo0WizduLcKZljhgzJWM8kwwA=" (process: 0030834bf67509153237ac832bc68649.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CID\{47004F00-6500-4F00-5000-33006F005800}\1 = "2MUECT+A4VaCN8hFQ2EVWTKh40Z2uogrzU8p9+tVD/y6XrFyDlBoxDJJLVXgXPZCjYYRokgeU+SuyTI2FXSaeXsb3QsrRN3QmgCeup8lRwJaQfiI6GMB4v6PXZwYRskRF1lVNQcw/8Q7wsjJ2yCUhxMyr+ccoBqc9zvzPAP/aec=" (process: taskhost .exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CID\{47004F00-6500-4F00-5000-33006F005800}\1 = "xjniDDbwKpwg3C4Z31/ndYQujHTnDwYir6+Rn/Sy8n4ArgejzhPUgCcMNKpZOa3dI7iv97cpyW/pnfYiKGmmkj5mu33LX3ZkQdkcvnD59ui1AQr/yZYF1qmh5QJqhqhWCdqm9H+Jie2nU1jhynQuYHxkZUXMLxXAL2MnyuSptM4=" (process: taskhost .exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CID\{47004F00-6500-4F00-5000-33006F005800}\1 = "eI0S7KcWSdMgqzwh30JHioUKGAvdiDRNPEiK86AGN1yLHAuvcaTUITZ3s0eUytuL/u/HIvr4KbjP/10zqMeuj0buJes8eIKr/wI1xoZmQ0e5m/JL2ZN3hci7pTYUaZ1oEIsAQn46FCXbCKU6HPu18BGpdXp7+RfX9Opw4/RgQpU=" (process: taskhost .exe)
NTFS ADS (3 IoCs)
- File created C:\Users\Admin\AppData\Local\Temp:{6B003300-6A00-3100-3600-510068003300} (process: 0030834bf67509153237ac832bc68649.exe)
- File created C:\Users\Admin\AppData\Roaming:{6B003300-6A00-3100-3600-510068003300} (process: taskhost .exe)
- File opened for modification C:\Users\Admin\AppData\Roaming:{6B003300-6A00-3100-3600-510068003300} (process: taskhost .exe)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
- pid 1452: 0030834bf67509153237ac832bc68649.exe (2 hits)
- pid 956: taskhost .exe (2 hits)
Suspicious use of AdjustPrivilegeToken (18 IoCs)
- pid 1452 (0030834bf67509153237ac832bc68649.exe): Token: SeDebugPrivilege
- pid 956 (taskhost .exe): Token: SeDebugPrivilege, then Token: 33 and Token: SeIncBasePriorityPrivilege alternating, 8 hits each
Suspicious use of WriteProcessMemory (8 IoCs)
- PID 1452 (0030834bf67509153237ac832bc68649.exe) wrote to memory of 956 (taskhost .exe), 4 hits
- PID 956 (taskhost .exe) wrote to memory of 908 (netsh.exe), 4 hits
Processes
1. C:\Users\Admin\AppData\Local\Temp\0030834bf67509153237ac832bc68649.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0030834bf67509153237ac832bc68649.exe"
   - Loads dropped DLL
   - Modifies registry class
   - NTFS ADS
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\taskhost .exe
      Command line: "C:\Users\Admin\AppData\Roaming\taskhost .exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Modifies registry class
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\taskhost .exe" "taskhost .exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Isolated Storage\{6B003300-6A00-3100-3600-510068003300}
  Filesize: 344B
  MD5: b7dc3d4d2458b0ac328d4923926acf7c
  SHA1: 5502eecb50b242c473c77967ce897c30bd2b8d10
  SHA256: 6ad38d320a4229d62ad4931ff0eede30714ba77d9f0d9e775c9477438ea7f584
  SHA512: 228844c25aa3a485c0f24fd9f00b0e956b81b3bdf4bca0ed56993b6bb91dccd2f1cfe616c44d564459b2e13bc64d395809e977248ddb34e66452511a80b964d6
- C:\Users\Admin\AppData\Local\Temp\ (no filesize reported; these are the hashes of an empty file)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- C:\Users\Admin\AppData\Roaming\taskhost .exe (identical hashes to the submitted sample, i.e. a self-copy dropped into the Roaming profile)
  Filesize: 351KB
  MD5: 0030834bf67509153237ac832bc68649
  SHA1: 1e4802307ae8e4a8c75bb384762f4cd6db676884
  SHA256: bda545a064501623ed0031faafaad588e31bdae02dd945413873f21ecb7fd96d
  SHA512: 9a26f24a53c929c470e87469dac4ead2064524d0f85e4ea0424695b2f7e6a200256886093ed1190373281498915aecad94d74e90302444c42bc92c876e85e50d
- memory/908-68-0x0000000000000000-mapping.dmp
- memory/956-64-0x00000000000A0000-0x00000000000FE000-memory.dmp (Filesize: 376KB)
- memory/956-70-0x0000000004CC5000-0x0000000004CD6000-memory.dmp (Filesize: 68KB)
- memory/956-67-0x0000000004CC5000-0x0000000004CD6000-memory.dmp (Filesize: 68KB)
- memory/956-59-0x0000000000000000-mapping.dmp
- memory/1452-57-0x00000000009B0000-0x00000000009BC000-memory.dmp (Filesize: 48KB)
- memory/1452-63-0x0000000000CC5000-0x0000000000CD6000-memory.dmp (Filesize: 68KB)
- memory/1452-54-0x0000000001170000-0x00000000011CE000-memory.dmp (Filesize: 376KB)
- memory/1452-56-0x0000000000CC5000-0x0000000000CD6000-memory.dmp (Filesize: 68KB)
- memory/1452-55-0x0000000075041000-0x0000000075043000-memory.dmp (Filesize: 8KB)