Analysis
- max time kernel: 150s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 03-09-2022 12:22
Behavioral task
- task: behavioral1
- Sample: 255e87bd4a3dcd9a9029d28789618f55.exe
- Resource: win7-20220812-en
General
- Target: 255e87bd4a3dcd9a9029d28789618f55.exe
- Size: 23KB
- MD5: 255e87bd4a3dcd9a9029d28789618f55
- SHA1: bfe289ecba86b3685be8092110deb54556824e6f
- SHA256: e82555397d481c3f94c3e573022868bc323d5d3b6cc4af88eb7eff6e41711a15
- SHA512: 6e8d9fc3739e735379532faf386564ccce399c168040570e4520f3922214e4e600b794b583ed522b4f7fdd4c81ce02b602980c7a89291ecbb4e07567d8d834aa
- SSDEEP: 384:n8aY1ia0N/IH+WUiWiLcXyUTly2Rc87po6ngB8W+tqlf5mRvR6JZlbw8hqIusZzM:m1Re/E+WUiW6ci6NR7tZRpcnut
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: 51.68.160.90:5552
- e1c9d16af5e1738b14f272c73a4cddae
- reg_key: e1c9d16af5e1738b14f272c73a4cddae
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
  1952 | Host Process for Windows Tasks.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Drops startup file (2 IoCs)
  Processes (description | ioc | process):
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e1c9d16af5e1738b14f272c73a4cddae.exe | Host Process for Windows Tasks.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e1c9d16af5e1738b14f272c73a4cddae.exe | Host Process for Windows Tasks.exe
- Loads dropped DLL (1 IoCs)
  Processes (pid | process):
  1508 | 255e87bd4a3dcd9a9029d28789618f55.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\e1c9d16af5e1738b14f272c73a4cddae = "\"C:\\Users\\Admin\\AppData\\Roaming\\Host Process for Windows Tasks.exe\" .." | Host Process for Windows Tasks.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\e1c9d16af5e1738b14f272c73a4cddae = "\"C:\\Users\\Admin\\AppData\\Roaming\\Host Process for Windows Tasks.exe\" .." | Host Process for Windows Tasks.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 1952 | Host Process for Windows Tasks.exe
  Token: 33 | 1952 | Host Process for Windows Tasks.exe (9 entries)
  Token: SeIncBasePriorityPrivilege | 1952 | Host Process for Windows Tasks.exe (9 entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description | pid | process | target process):
  PID 1508 wrote to memory of 1952 | 1508 | 255e87bd4a3dcd9a9029d28789618f55.exe | Host Process for Windows Tasks.exe (4 entries)
  PID 1952 wrote to memory of 1160 | 1952 | Host Process for Windows Tasks.exe | netsh.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\255e87bd4a3dcd9a9029d28789618f55.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\255e87bd4a3dcd9a9029d28789618f55.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Host Process for Windows Tasks.exe (level 2, child of the sample)
    Command line: "C:\Users\Admin\AppData\Roaming\Host Process for Windows Tasks.exe"
    Signatures: Executes dropped EXE; Drops startup file; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (level 3, child of Host Process for Windows Tasks.exe)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Host Process for Windows Tasks.exe" "Host Process for Windows Tasks.exe" ENABLE
      Signatures: Modifies Windows Firewall
Downloads
- C:\Users\Admin\AppData\Roaming\Host Process for Windows Tasks.exe
  Filesize: 23KB
  MD5: 255e87bd4a3dcd9a9029d28789618f55
  SHA1: bfe289ecba86b3685be8092110deb54556824e6f
  SHA256: e82555397d481c3f94c3e573022868bc323d5d3b6cc4af88eb7eff6e41711a15
  SHA512: 6e8d9fc3739e735379532faf386564ccce399c168040570e4520f3922214e4e600b794b583ed522b4f7fdd4c81ce02b602980c7a89291ecbb4e07567d8d834aa
- memory/1160-63-0x0000000000000000-mapping.dmp
- memory/1508-54-0x0000000074C91000-0x0000000074C93000-memory.dmp (Filesize: 8KB)
- memory/1508-55-0x00000000740E0000-0x000000007468B000-memory.dmp (Filesize: 5.7MB)
- memory/1508-61-0x00000000740E0000-0x000000007468B000-memory.dmp (Filesize: 5.7MB)
- memory/1952-57-0x0000000000000000-mapping.dmp
- memory/1952-62-0x00000000740E0000-0x000000007468B000-memory.dmp (Filesize: 5.7MB)
- memory/1952-65-0x00000000740E0000-0x000000007468B000-memory.dmp (Filesize: 5.7MB)