Analysis

max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 15-09-2022 15:02
Behavioral task: behavioral1
Sample: 13715a69c1f82961fa3d3205b9368c83.exe
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: 13715a69c1f82961fa3d3205b9368c83.exe
Resource: win10v2004-20220812-en
General

Target: 13715a69c1f82961fa3d3205b9368c83.exe
Size: 27KB
MD5: 13715a69c1f82961fa3d3205b9368c83
SHA1: 3b15a0c5fb6a177e12b3de81c7fc30dfda58555a
SHA256: 0fb86bb905fdc56eef57831ecfcc866a5e55c482462657353a4edfb29c1142ed
SHA512: f180167942c5f2be95cf8c5089209459ed4a43c7e4270ee8129f7e261c82a52f1d34455fcc79dd920c6c7c8b04c4b9bdc8b323e5e224de414659559b04d99cba
SSDEEP: 384:5L96uj/+AU9038hfOexuaP39hRnMZAQk93vmhm7UMKmIEecKdbXTzm9bVhcam671:JE0mkspJtyZA/vMHTi9bD
Malware Config

Extracted
Family: njrat
Version: v2.0
Botnet: HacKed
C2: 2.tcp.eu.ngrok.io:12633
Mutex: Windows
Attributes:
  reg_key: Windows
  splitter: |-F-|

The C2 is an ngrok TCP tunnel endpoint rather than an operator-owned host: the hostname and port are allocated by ngrok and can be rotated at will, so block or hunt on the tunnel hostname with that caveat in mind and treat the operator's real address as unknown. The splitter value is the field delimiter njRAT uses inside its C2 messages; a custom value like |-F-| is worth carrying into network detections because it replaces the family's default delimiter.
Signatures

Executes dropped EXE (1 IoC)
  pid | process
  1020 | Payload.exe

Drops startup file (4 IoCs)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | Payload.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | Payload.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | 13715a69c1f82961fa3d3205b9368c83.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | Payload.exe

Loads dropped DLL (1 IoC)
  pid | process
  1204 | 13715a69c1f82961fa3d3205b9368c83.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe" | 13715a69c1f82961fa3d3205b9368c83.exe

  Two things to note here. The parent process points Run\Windows2 directly at Temp\Payload.exe, while the child Payload.exe writes both Windows and Windows2 under the user hive and under HKLM\SOFTWARE\Wow6432Node, all pointing at a Windows.URL internet shortcut in the Templates folder rather than at the executable itself, so the same value name is rewritten and the persistence target is one hop removed from the payload. The HKLM writes succeeded, which means the sample ran with administrative rights in this sandbox; on a host where the user is not an administrator only the HKCU values would be created.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). This is the sandbox's generic description for the signature; no IoCs were recorded under it for this run, and the extracted configuration identifies the family as njrat, so the "likely ransomware behaviour" wording that accompanies this signature should not be read as a ransomware verdict for this sample.
Suspicious use of AdjustPrivilegeToken (19 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1020 | Payload.exe
  Token: 33 | 1020 | Payload.exe (9 times, each followed by the entry below)
  Token: SeIncBasePriorityPrivilege | 1020 | Payload.exe (9 times)
  (Token: 33 is reported by privilege LUID only; the alternating 33 / SeIncBasePriorityPrivilege pairs account for 18 of the 19 entries, all from Payload.exe.)
Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | process | target process
  PID 1204 wrote to memory of 1020 | 1204 | 13715a69c1f82961fa3d3205b9368c83.exe | Payload.exe (4 times)
  PID 1204 wrote to memory of 1248 | 1204 | 13715a69c1f82961fa3d3205b9368c83.exe | attrib.exe (4 times)
  Both targets are children that PID 1204 itself spawned (see the process tree below), so these writes are consistent with ordinary process creation rather than injection into an unrelated process; the signature on its own does not show code injection here.
Views/modifies file attributes (1 TTP, 1 IoC)

Processes

C:\Users\Admin\AppData\Local\Temp\13715a69c1f82961fa3d3205b9368c83.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\13715a69c1f82961fa3d3205b9368c83.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Payload.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\attrib.exe
    command line: attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
    - Views/modifies file attributes
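The persistence chain the report records (Run values pointing at a shortcut or at a file under Temp, drops into the Startup folder, the attrib +h +r +s call, and the byte-identical self-copy to Temp\Payload.exe) re-expressed as checks over host telemetry. This is an added example and is not part of the sandbox report or of the sample; the event records are constructed by hand from the IoC rows above, the hash of Startup\Windows.exe is left unset because the report does not give one, and the field names (type, pid, image, sha256, key, value, path, cmdline) are an invented schema rather than any real Sysmon or EDR format.

```python
"""Host-telemetry checks for the njRAT persistence chain in this report.
Event schema below is invented for the example; events are constructed."""
import ntpath
import re

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)

# Hashes copied from the report's General section.
SAMPLE_SHA256 = "0fb86bb905fdc56eef57831ecfcc866a5e55c482462657353a4edfb29c1142ed"
STARTUP_LNK_SHA256 = "2b6435f7e773215e1baaebfc6a99248d4a2957a361f5d21116eda472e8b8a83b"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\13715a69c1f82961fa3d3205b9368c83.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
HKU = r"\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run"
HKLM = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"


def _first_token(cmd: str) -> str:
    """Program path from a command string; honours a leading quoted path.
    Unquoted paths containing spaces are not handled (kept simple)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def run_value_is_suspicious(value: str) -> bool:
    """Run value that launches a .URL/.lnk shortcut or anything under %TEMP%."""
    target = _first_token(value.replace("\\\\", "\\"))  # undo report-style escaping
    ext = ntpath.splitext(target)[1].lower()
    return ext in {".url", ".lnk"} or bool(TEMP_DIR_RE.search(target))


def attrib_hides_file(image: str, cmdline: str):
    """Return the file path if attrib.exe sets both +h and +s on it, else None."""
    if ntpath.basename(image).lower() != "attrib.exe":
        return None
    flags = {t.lower() for t in cmdline.split() if t.startswith("+")}
    if not {"+h", "+s"} <= flags:
        return None
    m = re.search(r'"([^"]+)"', cmdline)
    return m.group(1) if m else cmdline.split()[-1]


def detect_njrat_persistence(events):
    """Return a list of {rule, pid, detail} dicts, one per matching event."""
    # Image hash per pid, so a dropped file with the same hash is a self-copy.
    sha_by_pid = {e["pid"]: e.get("sha256") for e in events if e["type"] == "process_create"}
    findings = []
    for e in events:
        if e["type"] == "registry_set":
            if RUN_KEY_RE.search(e["key"]) and run_value_is_suspicious(e["value"]):
                findings.append({"rule": "run_key_to_shortcut_or_temp", "pid": e["pid"],
                                 "detail": e["key"] + " = " + e["value"]})
        elif e["type"] == "file_create":
            if STARTUP_DIR_RE.search(e["path"]):
                findings.append({"rule": "startup_folder_drop", "pid": e["pid"], "detail": e["path"]})
            if e.get("sha256") and e["sha256"] == sha_by_pid.get(e["pid"]):
                findings.append({"rule": "self_copy", "pid": e["pid"], "detail": e["path"]})
        elif e["type"] == "process_create":
            target = attrib_hides_file(e["image"], e["cmdline"])
            if target:
                findings.append({"rule": "attrib_hide_system", "pid": e["pid"], "detail": target})
    return findings


def stages_hit(findings):
    """Distinct rules that fired; all four together is the full chain seen here."""
    return sorted({f["rule"] for f in findings})


# Constructed events mirroring the report's IoC rows (plus one benign Run value).
EVENTS = [
    {"type": "process_create", "pid": 1204, "ppid": 1000, "image": SAMPLE, "sha256": SAMPLE_SHA256,
     "cmdline": '"' + SAMPLE + '"'},
    {"type": "file_create", "pid": 1204, "path": PAYLOAD, "sha256": SAMPLE_SHA256},
    {"type": "registry_set", "pid": 1204, "key": HKU + r"\Windows2", "value": PAYLOAD},
    {"type": "file_create", "pid": 1204, "path": STARTUP + r"\Windows.lnk", "sha256": STARTUP_LNK_SHA256},
    {"type": "process_create", "pid": 1020, "ppid": 1204, "image": PAYLOAD, "sha256": SAMPLE_SHA256,
     "cmdline": '"' + PAYLOAD + '"'},
    {"type": "registry_set", "pid": 1020, "key": HKLM + r"\Windows",
     "value": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL"},
    {"type": "file_create", "pid": 1020, "path": STARTUP + r"\Windows.exe", "sha256": None},
    {"type": "process_create", "pid": 1248, "ppid": 1204, "image": r"C:\Windows\SysWOW64\attrib.exe",
     "sha256": None, "cmdline": 'attrib +h +r +s "' + PAYLOAD + '"'},
    {"type": "registry_set", "pid": 500, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for f in detect_njrat_persistence(EVENTS):
        print(f["rule"], f["pid"], f["detail"])
    print("stages:", stages_hit(EVENTS and detect_njrat_persistence(EVENTS)))
```

Each rule is weak on its own (attrib +h +s and Startup-folder drops both have legitimate uses), which is why the result is reported per stage: the signal in this report is that a single parent/child pair hits all four within one execution, and that is what a correlation rule should key on.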
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\Payload.exe
  (listed three times in the report, once as \Users\Admin\AppData\Local\Temp\Payload.exe without the drive letter; every copy carries the same hashes, and they are identical to the submitted sample's, so Payload.exe is a byte-for-byte copy of the original executable rather than a second-stage binary)
  Filesize: 27KB
  MD5: 13715a69c1f82961fa3d3205b9368c83
  SHA1: 3b15a0c5fb6a177e12b3de81c7fc30dfda58555a
  SHA256: 0fb86bb905fdc56eef57831ecfcc866a5e55c482462657353a4edfb29c1142ed
  SHA512: f180167942c5f2be95cf8c5089209459ed4a43c7e4270ee8129f7e261c82a52f1d34455fcc79dd920c6c7c8b04c4b9bdc8b323e5e224de414659559b04d99cba

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
  Filesize: 1KB
  MD5: c1452b52650e680e2944d95c147792c4
  SHA1: ea43c2c65dab0025bc6baf7204e53a753dd0040a
  SHA256: 2b6435f7e773215e1baaebfc6a99248d4a2957a361f5d21116eda472e8b8a83b
  SHA512: 22008295d0f01273bd10f913f2daf36dea199e7ba39c688b7aac7d7f0ac1696fe0563c24d611d538f0f177b6e97c723c95372d3b9a0148aea135a99507c7fbdb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
  Filesize: 1014B
  MD5: 0c43f3ae1462959c3b025fbc4b160134
  SHA1: e7663491e99fede430a82ec32158b53c7b79472e
  SHA256: 8a86b2987e0ea6127f8f88520767b236d015287aa9d6bcaafc114eca95d32586
  SHA512: 4e97ce677aba702c938700fc23452dc408058f68054a84de915861da90dc4a9f34650facaf04ec4beac150d4a56be8ff95aafe730ad010bbf1fadb6c484aa05c

Note that the Run values above reference Templates\Windows.URL, but no file of that name appears among the captured drops; only Windows.lnk in the same Templates folder was collected. When triaging a live host, check for both names.
Memory dumps
  memory/1020-57-0x0000000000000000-mapping.dmp
  memory/1020-65-0x0000000074160000-0x000000007470B000-memory.dmp (5.7MB)
  memory/1020-66-0x0000000074160000-0x000000007470B000-memory.dmp (5.7MB)
  memory/1204-54-0x0000000074E41000-0x0000000074E43000-memory.dmp (8KB)
  memory/1204-55-0x0000000074160000-0x000000007470B000-memory.dmp (5.7MB)
  memory/1204-63-0x0000000074160000-0x000000007470B000-memory.dmp (5.7MB)
  memory/1248-59-0x0000000000000000-mapping.dmp