Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 15-09-2022 15:02
Behavioral task behavioral1
- Sample: 13715a69c1f82961fa3d3205b9368c83.exe
- Resource: win7-20220812-en
Behavioral task behavioral2
- Sample: 13715a69c1f82961fa3d3205b9368c83.exe
- Resource: win10v2004-20220901-en
General
- Target: 13715a69c1f82961fa3d3205b9368c83.exe
- Size: 27KB
- MD5: 13715a69c1f82961fa3d3205b9368c83
- SHA1: 3b15a0c5fb6a177e12b3de81c7fc30dfda58555a
- SHA256: 0fb86bb905fdc56eef57831ecfcc866a5e55c482462657353a4edfb29c1142ed
- SHA512: f180167942c5f2be95cf8c5089209459ed4a43c7e4270ee8129f7e261c82a52f1d34455fcc79dd920c6c7c8b04c4b9bdc8b323e5e224de414659559b04d99cba
- SSDEEP: 384:5L96uj/+AU9038hfOexuaP39hRnMZAQk93vmhm7UMKmIEecKdbXTzm9bVhcam671:JE0mkspJtyZA/vMHTi9bD
Malware Config
Extracted
- family: njrat
- version: v2.0
- botnet: HacKed
- C2: 2.tcp.eu.ngrok.io:12633
- mutex: Windows
- reg_key: Windows
- splitter: |-F-|
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  1744 | Payload.exe
- Drops startup file (4 IoCs)
  Processes (description | ioc | process):
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | 13715a69c1f82961fa3d3205b9368c83.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | Payload.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | Payload.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | Payload.exe
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
  1788 | 13715a69c1f82961fa3d3205b9368c83.exe
- Adds Run key to start application (2 TTPs, 5 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe" | 13715a69c1f82961fa3d3205b9368c83.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 1744 | Payload.exe
  Token: 33 | 1744 | Payload.exe
  Token: SeIncBasePriorityPrivilege | 1744 | Payload.exe
  (the last two entries alternate and each repeat 9 times, 19 entries in total)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description | pid | process | target process):
  PID 1788 wrote to memory of 1744 | 1788 | 13715a69c1f82961fa3d3205b9368c83.exe | Payload.exe (repeated 4 times)
  PID 1788 wrote to memory of 1568 | 1788 | 13715a69c1f82961fa3d3205b9368c83.exe | attrib.exe (repeated 4 times)
- Views/modifies file attributes (1 TTP, 1 IoC)
Processes
- C:\Users\Admin\AppData\Local\Temp\13715a69c1f82961fa3d3205b9368c83.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\13715a69c1f82961fa3d3205b9368c83.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Payload.exe (depth 2, child of the sample)
    command line: "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\attrib.exe (depth 2, child of the sample)
    command line: attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
    - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Payload.exe
  Filesize: 27KB
  MD5: 13715a69c1f82961fa3d3205b9368c83
  SHA1: 3b15a0c5fb6a177e12b3de81c7fc30dfda58555a
  SHA256: 0fb86bb905fdc56eef57831ecfcc866a5e55c482462657353a4edfb29c1142ed
  SHA512: f180167942c5f2be95cf8c5089209459ed4a43c7e4270ee8129f7e261c82a52f1d34455fcc79dd920c6c7c8b04c4b9bdc8b323e5e224de414659559b04d99cba
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
  Filesize: 1KB
  MD5: f345e1c49c052602fb8b548d39dade03
  SHA1: e364dc4b0df7f219d56d1ed451685d5111cedac3
  SHA256: 71a185003b38f4acfd621c891f97cebdd92620bba7b300de8c66d793b18b0d92
  SHA512: ff0e090bdf54a603d4174378b46e76be1a53a8590ed4a787a8f140978588da774602799e916359110a1d48f91bb2cbda0fef1c1b41f4d960feda0e18ecc569a3
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
  Filesize: 1018B
  MD5: 1ad6c4d7d80b5303ae85569d6ccd6afa
  SHA1: 44ef9137278b1376d80b66d33501cc6cca6e456d
  SHA256: 867631ca4a0725392ced256f67d5ebaf917e3d7564c7e3189da3b8729dd7fa56
  SHA512: d8d8cf943522721133b2fff2392563c3f947241c56edc918d74be92c08444ff2eadbbb23c822d2bc8b5e9999b743bec288aa23f54cab2c770fa50671ee215c03
- \Users\Admin\AppData\Local\Temp\Payload.exe
  Filesize: 27KB
  MD5: 13715a69c1f82961fa3d3205b9368c83
  SHA1: 3b15a0c5fb6a177e12b3de81c7fc30dfda58555a
  SHA256: 0fb86bb905fdc56eef57831ecfcc866a5e55c482462657353a4edfb29c1142ed
  SHA512: f180167942c5f2be95cf8c5089209459ed4a43c7e4270ee8129f7e261c82a52f1d34455fcc79dd920c6c7c8b04c4b9bdc8b323e5e224de414659559b04d99cba
- memory/1568-60-0x0000000000000000-mapping.dmp
- memory/1744-57-0x0000000000000000-mapping.dmp
- memory/1744-65-0x00000000748F0000-0x0000000074E9B000-memory.dmp
  Filesize: 5.7MB
- memory/1744-66-0x00000000748F0000-0x0000000074E9B000-memory.dmp
  Filesize: 5.7MB
- memory/1788-54-0x00000000761F1000-0x00000000761F3000-memory.dmp
  Filesize: 8KB
- memory/1788-55-0x00000000748F0000-0x0000000074E9B000-memory.dmp
  Filesize: 5.7MB
- memory/1788-63-0x00000000748F0000-0x0000000074E9B000-memory.dmp
  Filesize: 5.7MB