Analysis
- max time kernel: 150s
- max time network: 142s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 18-08-2022 20:16
Static task: static1
Behavioral task: behavioral1
- Sample: ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exe
- Resource: win10v2004-20220812-en
General
- Target: ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exe
- Size: 318KB
- MD5: ae4a2e2db65cd1fbcf3bc34fe2cd89f9
- SHA1: 5025965af3e3a5bf79629b90c9f8ba62546ee87f
- SHA256: b27e8f81c049d04a3fd97ff6863b987f16291d871f6ba92ca06f9f019956b8aa
- SHA512: 34932c17ddb36cb5df7126f0104e796a951a1f9a10778b9989e2cea3b12bc90825fcdadb6860163ac275fd4dbc4f2dde2de724155be593ccd64dadc0f1d2cc55
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: easralahtane.ddns.net:3973
- Mutex: d2affd0990860fff6a059dbd50f93a64
- reg_key: d2affd0990860fff6a059dbd50f93a64
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  - pid 1692: taskhost .exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Loads dropped DLL (1 IoC)
  Processes:
  - pid 544: ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: taskhost .exe
  - Set value (str) \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Windows\CurrentVersion\Run\d2affd0990860fff6a059dbd50f93a64 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\taskhost .exe\" .." (taskhost .exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\d2affd0990860fff6a059dbd50f93a64 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\taskhost .exe\" .." (taskhost .exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (6 IoCs)
  Processes: ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exe, taskhost .exe
  - Set value (str) \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000_CLASSES\CID\{54006800-4F00-7500-5200-700043007100}\1 = "Sx1fcmIeumdurnNTZkqyrcmCrlKhOL1Nx/ZSs1awC9S4kqfGHkcJ98bqvVKqBAg1MjjS1cLze6lpCne+K8CLGCOWcw20khO7MA5A1QosZ3vFZ6l71P9e5/Q9fIYT/hoFtzX7nCneOEbTBCH/IVMBTR70dGyHo3Yimk0sUU92KtU=" (ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exe)
  - Set value (str) \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000_CLASSES\CID\{54006800-4F00-7500-5200-700043007100}\1 = "X4KyyYwCH5jhONf+kSXiL4UiH7723f+0IVvfpPAPjSqtRGu7yNF+N200/periTXhwRq/ZheccaZq/YtLE84DAN4ivmYBbxCE11xM9wEBo8UhGceh4+K6zyfYtAaj0v0Qo/W4yV4wxtgU21ovte8hF5xAY3XI4LELhfHtiERDrLQ=" (taskhost .exe)
  - Set value (str) \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000_CLASSES\CID\{54006800-4F00-7500-5200-700043007100}\1 = "KSlS897R5VadAqaYnXVvrU8YtLc4we3fs/ibVS/umtjyT66mEcVjT1vc2qc03jjuvSG33J1zltdokLQ4j+APrf7DJ4CLe/XmzQqbQzp1tz9+quAMcsYyFjau0aBtK3ei0HZOBChHYyzgL/OulrVS6YFFZUWefEcBLF2EzSxttAo=" (taskhost .exe)
  - Set value (str) \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000_CLASSES\CID\{54006800-4F00-7500-5200-700043007100}\1 = "rgyCtKI/Hw4TWs8IqmZJRp0OFo7NSOnQ0tRbyZPlH48y1olYAdF0SO6/raAY1obl/J8L0nzPaC6P4sxGLfaHJ0UY1u8zAXgzSNa+dac1eIq4ml1B2+Kn7VotbBVaZH1mRbLwOYwjRdLSrvGTUgsVh7XZb9+iag10BXW38lh7Y+4=" (taskhost .exe)
  - Key created \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000_CLASSES\CID\{54006800-4F00-7500-5200-700043007100} (ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exe)
  - Key created \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000_CLASSES\CID (ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exe)
- NTFS ADS (2 IoCs)
  Processes: ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exe, taskhost .exe
  - File created C:\Users\Admin\AppData\Local\Temp:{2B005200-6900-6C00-7200-440042007700} (ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exe)
  - File opened for modification C:\Users\Admin\AppData\Local\Temp:{2B005200-6900-6C00-7200-440042007700} (taskhost .exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exe, taskhost .exe
  - pid 544: ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exe (2 occurrences)
  - pid 1692: taskhost .exe (2 occurrences)
- Suspicious use of AdjustPrivilegeToken (20 IoCs)
  Processes: ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exe, taskhost .exe
  - Token: SeDebugPrivilege, pid 544 (ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exe)
  - Token: SeDebugPrivilege, pid 1692 (taskhost .exe)
  - Token: 33, pid 1692 (taskhost .exe) (9 occurrences)
  - Token: SeIncBasePriorityPrivilege, pid 1692 (taskhost .exe) (9 occurrences)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exe, taskhost .exe
  - PID 544 (ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exe) wrote to memory of 1692 (taskhost .exe) (4 occurrences)
  - PID 1692 (taskhost .exe) wrote to memory of 1696 (netsh.exe) (4 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exe"
   - Loads dropped DLL
   - Modifies registry class
   - NTFS ADS
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\taskhost .exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\taskhost .exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Modifies registry class
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (child of 2)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\taskhost .exe" "taskhost .exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Isolated Storage\{2B005200-6900-6C00-7200-440042007700}
  Filesize: 344B
  MD5: 00194528aabdc8e6c061e9a26c38595e
  SHA1: 25f9fc2a5bb975499ea064b15a221523aa41a5e5
  SHA256: c8c7a29d4781ed2947ab1e295c66ff9e20a311cf5b4cf811b68647f90b2d0d5e
  SHA512: 7a9cb0302a26d3443911e72068c6a3c09b1560c386d98a77e7848e3f9a6110fd567bad33d8ad8dbee268a09743b0abcbfc181d31de690a1c4d4001f13ddb4e1f
- C:\Users\Admin\AppData\Local\Temp\ (hashes of an empty file)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- C:\Users\Admin\AppData\Local\Temp\taskhost .exe (hashes identical to the submitted sample)
  Filesize: 318KB
  MD5: ae4a2e2db65cd1fbcf3bc34fe2cd89f9
  SHA1: 5025965af3e3a5bf79629b90c9f8ba62546ee87f
  SHA256: b27e8f81c049d04a3fd97ff6863b987f16291d871f6ba92ca06f9f019956b8aa
  SHA512: 34932c17ddb36cb5df7126f0104e796a951a1f9a10778b9989e2cea3b12bc90825fcdadb6860163ac275fd4dbc4f2dde2de724155be593ccd64dadc0f1d2cc55
- \Users\Admin\AppData\Local\Temp\taskhost .exe
  Filesize: 318KB
  MD5: ae4a2e2db65cd1fbcf3bc34fe2cd89f9
  SHA1: 5025965af3e3a5bf79629b90c9f8ba62546ee87f
  SHA256: b27e8f81c049d04a3fd97ff6863b987f16291d871f6ba92ca06f9f019956b8aa
  SHA512: 34932c17ddb36cb5df7126f0104e796a951a1f9a10778b9989e2cea3b12bc90825fcdadb6860163ac275fd4dbc4f2dde2de724155be593ccd64dadc0f1d2cc55
- memory/544-54-0x0000000000CB0000-0x0000000000D06000-memory.dmp (Filesize: 344KB)
- memory/544-55-0x0000000075F21000-0x0000000075F23000-memory.dmp (Filesize: 8KB)
- memory/544-56-0x0000000000920000-0x000000000092C000-memory.dmp (Filesize: 48KB)
- memory/1692-58-0x0000000000000000-mapping.dmp
- memory/1692-62-0x00000000012B0000-0x0000000001306000-memory.dmp (Filesize: 344KB)
- memory/1696-65-0x0000000000000000-mapping.dmp