Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 06-09-2022 19:21
Behavioral task: behavioral1
- Sample: 057d62261912947a1f18f01aa7afd23f.exe
- Resource: win7-20220812-en
General
- Target: 057d62261912947a1f18f01aa7afd23f.exe
- Size: 37KB
- MD5: 057d62261912947a1f18f01aa7afd23f
- SHA1: 31a7eb1006791f6e9ce3f92bf4c6df4cbf2b2a26
- SHA256: 0633a748ff46014de54f04842b330746f815c669a1f6074e8beaec6b07f51937
- SHA512: 7393f6d8ee85cc17b8a9bb0cd34c3dc1f81babf3febece1c8125e37b03044455f3081677ee3f5f730195209f8c35cd14e6692892ee36532bc938321b77570939
- SSDEEP: 384:AkqIiuVjtD+P3V+y0bf2TKtvN4suKfdrAF+rMRTyN/0L+EcoinblneHQM3epzXHz:DNmV10bf2TKtClK1rM+rMRa8Nu5xt
Malware Config
Extracted family: njrat
- im523
- HacKed
- 8.tcp.ngrok.io:10195
- e5fb6e8df0343904c919e4379c7d6680
- reg_key: e5fb6e8df0343904c919e4379c7d6680
- splitter: |'|'|
Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid   process
  1896  OneTapV4.exe
Modifies Windows Firewall (1 TTP, 1 IoC)
Loads dropped DLL (1 IoC)
Processes:
  pid   process
  364   057d62261912947a1f18f01aa7afd23f.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (19 IoCs)
Processes:
  description                        pid   process
  Token: SeDebugPrivilege            1896  OneTapV4.exe
  Token: 33                          1896  OneTapV4.exe
  Token: SeIncBasePriorityPrivilege  1896  OneTapV4.exe
  Token: 33                          1896  OneTapV4.exe
  Token: SeIncBasePriorityPrivilege  1896  OneTapV4.exe
  Token: 33                          1896  OneTapV4.exe
  Token: SeIncBasePriorityPrivilege  1896  OneTapV4.exe
  Token: 33                          1896  OneTapV4.exe
  Token: SeIncBasePriorityPrivilege  1896  OneTapV4.exe
  Token: 33                          1896  OneTapV4.exe
  Token: SeIncBasePriorityPrivilege  1896  OneTapV4.exe
  Token: 33                          1896  OneTapV4.exe
  Token: SeIncBasePriorityPrivilege  1896  OneTapV4.exe
  Token: 33                          1896  OneTapV4.exe
  Token: SeIncBasePriorityPrivilege  1896  OneTapV4.exe
  Token: 33                          1896  OneTapV4.exe
  Token: SeIncBasePriorityPrivilege  1896  OneTapV4.exe
  Token: 33                          1896  OneTapV4.exe
  Token: SeIncBasePriorityPrivilege  1896  OneTapV4.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                        pid   process                               target process
  PID 364 wrote to memory of 1896    364   057d62261912947a1f18f01aa7afd23f.exe  OneTapV4.exe
  PID 364 wrote to memory of 1896    364   057d62261912947a1f18f01aa7afd23f.exe  OneTapV4.exe
  PID 364 wrote to memory of 1896    364   057d62261912947a1f18f01aa7afd23f.exe  OneTapV4.exe
  PID 364 wrote to memory of 1896    364   057d62261912947a1f18f01aa7afd23f.exe  OneTapV4.exe
  PID 1896 wrote to memory of 2004   1896  OneTapV4.exe                          netsh.exe
  PID 1896 wrote to memory of 2004   1896  OneTapV4.exe                          netsh.exe
  PID 1896 wrote to memory of 2004   1896  OneTapV4.exe                          netsh.exe
  PID 1896 wrote to memory of 2004   1896  OneTapV4.exe                          netsh.exe
Processes (process tree; depth shown by number)

1. C:\Users\Admin\AppData\Local\Temp\057d62261912947a1f18f01aa7afd23f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\057d62261912947a1f18f01aa7afd23f.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\OneTapV4.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\OneTapV4.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\OneTapV4.exe" "OneTapV4.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\OneTapV4.exe
- Filesize: 37KB
- MD5: 057d62261912947a1f18f01aa7afd23f
- SHA1: 31a7eb1006791f6e9ce3f92bf4c6df4cbf2b2a26
- SHA256: 0633a748ff46014de54f04842b330746f815c669a1f6074e8beaec6b07f51937
- SHA512: 7393f6d8ee85cc17b8a9bb0cd34c3dc1f81babf3febece1c8125e37b03044455f3081677ee3f5f730195209f8c35cd14e6692892ee36532bc938321b77570939

\Users\Admin\AppData\Local\Temp\OneTapV4.exe
- Filesize: 37KB
- MD5: 057d62261912947a1f18f01aa7afd23f
- SHA1: 31a7eb1006791f6e9ce3f92bf4c6df4cbf2b2a26
- SHA256: 0633a748ff46014de54f04842b330746f815c669a1f6074e8beaec6b07f51937
- SHA512: 7393f6d8ee85cc17b8a9bb0cd34c3dc1f81babf3febece1c8125e37b03044455f3081677ee3f5f730195209f8c35cd14e6692892ee36532bc938321b77570939

Memory dumps
- memory/364-54-0x0000000075131000-0x0000000075133000-memory.dmp (Filesize: 8KB)
- memory/364-55-0x0000000073FA0000-0x000000007454B000-memory.dmp (Filesize: 5.7MB)
- memory/364-61-0x0000000073FA0000-0x000000007454B000-memory.dmp (Filesize: 5.7MB)
- memory/1896-57-0x0000000000000000-mapping.dmp
- memory/1896-62-0x0000000073FA0000-0x000000007454B000-memory.dmp (Filesize: 5.7MB)
- memory/1896-65-0x0000000073FA0000-0x000000007454B000-memory.dmp (Filesize: 5.7MB)
- memory/2004-63-0x0000000000000000-mapping.dmp