Analysis
max time kernel: 42s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 13-08-2022 21:13
Behavioral task: behavioral1
Sample: 1452-57-0x00000000009B0000-0x00000000009BC000-memory.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 1452-57-0x00000000009B0000-0x00000000009BC000-memory.exe
Resource: win10v2004-20220812-en
General
Target: 1452-57-0x00000000009B0000-0x00000000009BC000-memory.exe
Size: 48KB
MD5: 3d0c9b1cbd007a79d0df93c6249a24bc
SHA1: 940e4787edaae8f71b10ae5574aa0267ec192341
SHA256: ea1b0187bbd1a48bd632fddc7e2b367148e13827901cc06e10999a9b3baec8ef
SHA512: 4a9b6923ee468b45f05df607aa09f961ed262f3b4a5be5116d1335781c957edaecaf94513acc726b904241dc75b4ceb0a72d646f13674d4fa2da97d61664d2b3
Malware Config
Extracted: njrat
0.7d
HacKed
easralahtane.ddns.net:3973
de691f5a23326e1eca32cf33144b3175
reg_key: de691f5a23326e1eca32cf33144b3175
splitter: |'|'|
Signatures
Executes dropped EXE (1 IoC)
Processes:
pid 1744, process taskhost .exe
Loads dropped DLL (1 IoC)
Processes:
pid 1648, process 1452-57-0x00000000009B0000-0x00000000009BC000-memory.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (4 IoCs)
Processes (description, pid, process, target process):
PID 1648 wrote to memory of 1744; pid 1648; process 1452-57-0x00000000009B0000-0x00000000009BC000-memory.exe; target process taskhost .exe
PID 1648 wrote to memory of 1744; pid 1648; process 1452-57-0x00000000009B0000-0x00000000009BC000-memory.exe; target process taskhost .exe
PID 1648 wrote to memory of 1744; pid 1648; process 1452-57-0x00000000009B0000-0x00000000009BC000-memory.exe; target process taskhost .exe
PID 1648 wrote to memory of 1744; pid 1648; process 1452-57-0x00000000009B0000-0x00000000009BC000-memory.exe; target process taskhost .exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\1452-57-0x00000000009B0000-0x00000000009BC000-memory.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\1452-57-0x00000000009B0000-0x00000000009BC000-memory.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\taskhost .exe (child of 1)
      command line: "C:\Users\Admin\AppData\Roaming\taskhost .exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\taskhost .exe
Filesize: 48KB
MD5: 3d0c9b1cbd007a79d0df93c6249a24bc
SHA1: 940e4787edaae8f71b10ae5574aa0267ec192341
SHA256: ea1b0187bbd1a48bd632fddc7e2b367148e13827901cc06e10999a9b3baec8ef
SHA512: 4a9b6923ee468b45f05df607aa09f961ed262f3b4a5be5116d1335781c957edaecaf94513acc726b904241dc75b4ceb0a72d646f13674d4fa2da97d61664d2b3
\Users\Admin\AppData\Roaming\taskhost .exe
Filesize: 48KB
MD5: 3d0c9b1cbd007a79d0df93c6249a24bc
SHA1: 940e4787edaae8f71b10ae5574aa0267ec192341
SHA256: ea1b0187bbd1a48bd632fddc7e2b367148e13827901cc06e10999a9b3baec8ef
SHA512: 4a9b6923ee468b45f05df607aa09f961ed262f3b4a5be5116d1335781c957edaecaf94513acc726b904241dc75b4ceb0a72d646f13674d4fa2da97d61664d2b3
memory/1648-54-0x0000000075811000-0x0000000075813000-memory.dmp
Filesize: 8KB
memory/1648-55-0x0000000074110000-0x00000000746BB000-memory.dmp
Filesize: 5.7MB
memory/1648-61-0x0000000074110000-0x00000000746BB000-memory.dmp
Filesize: 5.7MB
memory/1744-57-0x0000000000000000-mapping.dmp
memory/1744-62-0x0000000074110000-0x00000000746BB000-memory.dmp
Filesize: 5.7MB