Analysis

Max time kernel: 149s
Max time network: 148s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 21-09-2022 06:01

Behavioral tasks
behavioral1: sample 47bea8a28b1e81e3342d594fc57acd8e.exe, resource win7-20220812-en
behavioral2: sample 47bea8a28b1e81e3342d594fc57acd8e.exe, resource win10v2004-20220812-en

The signatures, process tree and dropped files below are those of the windows7_x64 run.
General

Target: 47bea8a28b1e81e3342d594fc57acd8e.exe
Size: 27KB
MD5: 47bea8a28b1e81e3342d594fc57acd8e
SHA1: d301e8985e53b7baabf9b45df087a017e3817742
SHA256: 8f04eb500e66a053fa3e6e8a9900e94e794218253a172265c3a881db6f65faf4
SHA512: d5f2bfa425fa0c8d7fe2531b57ed9dbe5ca9b8bb8b7a868e39b251182446a22bcf01c3181d17b3362bc2a76b56cda1e504db2436fafbf922ee2120f76e8d00b6
SSDEEP: 384:2LBH6uj/+AU9038hfOexuaP39hRnMYAQk93vmhm7UMKmIEecKdbXTzm9bVhcaL62:wBa0mkspJtyYA/vMHTi9bD
Malware Config

Extracted family: njrat
Version: v4.0
Campaign ID: HacKed
C2: 216.250.251.104:2028
Windows (this field carries no label in the extract; it sits in the slot the extractor uses for the njRAT mutex/install name, so treat that reading as an assumption)
reg_key: Windows
splitter: |-F-|

The Run value actually written during execution is named "Windows2" (see Signatures), not the configured "Windows", while the Startup shortcut is Windows.lnk as configured. Hunt for both value names rather than relying on the extracted reg_key alone.
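The C2 address and splitter above are enough to write a network-side check for this build's traffic. The following is an added example, not code from the sandbox or from the sample: it parses njRAT's wire framing and scores a TCP session. The C2 tuple and the splitter `|-F-|` come from the extracted config; the framing itself (an ASCII decimal body length, a NUL byte, then the body, with fields joined by the splitter) and the initial registration command `ll` are taken from public njRAT write-ups, not from this page, and the beacon field layout in the sample stream is constructed for illustration only.

```python
"""njRAT C2 framing parser and session scorer.

Added example, not code from the sandbox or from the sample. From the report:
the C2 address and the field splitter. Assumed (from public njRAT write-ups,
not from this page): the wire framing "<decimal length>\\x00<body>" with the
body's fields joined by the splitter, and the registration command "ll".
The sample traffic at the bottom is constructed.
"""
import re
from dataclasses import dataclass
from typing import List

SPLITTER = b"|-F-|"                  # from the extracted config
C2 = ("216.250.251.104", 2028)       # from the extracted config

# "<decimal length>\x00" header; Pattern.match() anchors at the given offset
HEADER_RE = re.compile(rb"(\d{1,7})\x00")


@dataclass
class Frame:
    length: int           # body length declared in the header
    fields: List[bytes]   # body split on the splitter
    complete: bool        # False when the stream ended mid-body


def parse_frames(stream: bytes, splitter: bytes = SPLITTER) -> List[Frame]:
    """Split a TCP byte stream into njRAT frames.

    Stops at the first position that is not a valid header. A trailing partial
    frame is returned with complete=False so a caller reading a live socket
    knows to wait for more data instead of discarding it.
    """
    frames: List[Frame] = []
    pos = 0
    while pos < len(stream):
        m = HEADER_RE.match(stream, pos)
        if not m:
            break                            # not njRAT framing from here on
        length = int(m.group(1))
        body_start = m.end()
        body = stream[body_start:body_start + length]
        complete = len(body) == length
        frames.append(Frame(length, body.split(splitter), complete))
        if not complete:
            break
        pos = body_start + length
    return frames


def build_frame(fields: List[bytes], splitter: bytes = SPLITTER) -> bytes:
    """Inverse of parse_frames for one message; used to build the sample."""
    body = splitter.join(fields)
    return str(len(body)).encode() + b"\x00" + body


def score_session(dst_ip: str, dst_port: int, stream: bytes) -> List[str]:
    """Reasons a session looks like this njRAT build's C2 traffic (empty = none)."""
    hits: List[str] = []
    if (dst_ip, dst_port) == C2:
        hits.append(f"destination matches extracted C2 {dst_ip}:{dst_port}")
    frames = parse_frames(stream)
    if frames:
        hits.append(f"njRAT length-prefixed framing ({len(frames)} frame(s))")
        if any(len(f.fields) > 1 for f in frames):
            hits.append(f"configured splitter {SPLITTER.decode()} present")
        if frames[0].fields[0] == b"ll":
            hits.append("first frame is an 'll' registration beacon")
    return hits


# Constructed sample stream: a registration beacon with a made-up field layout,
# a short second frame, and a third frame cut off mid-body as on a live socket.
BEACON_FIELDS = [b"ll", b"SGFjS2Vk", b"HacKed", b"WIN7-PC", b"Admin"]
SAMPLE_STREAM = (build_frame(BEACON_FIELDS)
                 + build_frame([b"inf"])
                 + build_frame([b"act", b"Notepad"])[:8])

if __name__ == "__main__":
    for reason in score_session(C2[0], C2[1], SAMPLE_STREAM):
        print("-", reason)
```

The framing check is what makes the splitter usable as a signature: matching on `|-F-|` alone across arbitrary TCP payloads is noisy, whereas a length header that agrees with the body and a splitter-delimited first frame starting with `ll` is specific to this family. The destination match is the weakest of the four signals, since the operator can re-point the C2 without touching the splitter.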
Signatures

Executes dropped EXE (1 IoC)
  PID 1516  Payload.exe

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk  (by 47bea8a28b1e81e3342d594fc57acd8e.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk  (by Payload.exe)

Loads dropped DLL (1 IoC)
  PID 1944  47bea8a28b1e81e3342d594fc57acd8e.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Payload.exe"  (by 47bea8a28b1e81e3342d594fc57acd8e.exe)
  This is the sandbox user's HKCU Run key, so the persistence needs no elevation.

Enumerates physical storage devices (1 TTP)
  Sandbox description: attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature reads "likely ransomware behaviour", but the sample is njRAT, whose drive enumeration serves its removable-drive (USB) spreading option; nothing else in this report (no mass file writes, no ransom note) points to encryption.

Suspicious use of AdjustPrivilegeToken (19 IoCs)
  PID 1516 Payload.exe enables SeDebugPrivilege once, then nine times enables privilege LUID 33 (SeIncreaseWorkingSetPrivilege, which the report leaves unnamed) immediately followed by SeIncBasePriorityPrivilege.

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1944 (47bea8a28b1e81e3342d594fc57acd8e.exe) wrote to the memory of PID 1516 (Payload.exe) four times and of PID 1356 (attrib.exe) four times. The identical four-write pattern appears for both children, including the plain attrib.exe command, so on its own it is consistent with process creation rather than code injection.

Views/modifies file attributes (1 TTP, 1 IoC)
  PID 1356  attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Payload.exe"
Processes

1. C:\Users\Admin\AppData\Local\Temp\47bea8a28b1e81e3342d594fc57acd8e.exe  (PID 1944)
   Command line: "C:\Users\Admin\AppData\Local\Temp\47bea8a28b1e81e3342d594fc57acd8e.exe"
   - Drops startup file
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Payload.exe  (PID 1516, child of 1944)
      Command line: "C:\Users\Admin\AppData\Roaming\Payload.exe"
      - Executes dropped EXE
      - Drops startup file
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\attrib.exe  (PID 1356, child of 1944)
      Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Payload.exe"
      - Views/modifies file attributes

Chain: the submitted sample copies itself to %AppData%\Payload.exe (the copy carries the same hashes, see Downloads), registers that copy under the HKCU Run key and as a Startup shortcut, launches it, and marks the copy hidden, read-only and system with attrib.exe. attrib.exe is loaded from SysWOW64, the 32-bit copy, which is what a 32-bit process receives on x64 through file-system redirection.
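The process tree is a compact persistence chain: a Run value and a Startup shortcut both pointing at an executable under %AppData%\Roaming, the same file executed from there, and attrib.exe hiding it. The following is an added example, not the sandbox's code, that correlates those signals over endpoint telemetry. The event records are constructed here to mirror the report (two benign decoys are added); the field names and the .lnk target are this example's assumptions, while the paths, PIDs, SHA256 and attrib command line are taken from the report. In practice the records would come from Sysmon (event IDs 1, 11, 13) or an EDR.

```python
"""Correlate the njRAT persistence chain over constructed endpoint events.

Added example, not the sandbox's code. Paths, PIDs, hash and the attrib
command line are from the report; event field names, the .lnk target and the
two decoy events are assumptions of this example.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

SAMPLE_SHA256 = "8f04eb500e66a053fa3e6e8a9900e94e794218253a172265c3a881db6f65faf4"
SID = "S-1-5-21-3845472200-3839195424-595303356-1000"
RUN_KEY = r"\Software\Microsoft\Windows\CurrentVersion\Run"

RUN_KEY_RE = re.compile(re.escape(RUN_KEY) + r"\\", re.I)
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
APPDATA_EXE_RE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Roaming\\[^\\]+\.exe$", re.I)
# attrib(.exe) followed by +/- flags and a path, optionally quoted
ATTRIB_RE = re.compile(
    r'(?:^|[\\\s"])attrib(?:\.exe)?"?\s+(?P<flags>(?:[+-][hrsa]\s*)+)"?(?P<path>[^"]+?)"?\s*$',
    re.I)


def attrib_hidden_target(cmdline: str) -> Optional[str]:
    """Path that an attrib command marks hidden (+h) or system (+s), else None."""
    m = ATTRIB_RE.search(cmdline)
    if not m:
        return None
    added = {f.lower() for f in re.findall(r"\+([hrsa])", m.group("flags"), re.I)}
    return m.group("path") if added & {"h", "s"} else None


def correlate(events: List[dict]) -> Dict[str, Set[str]]:
    """Map each target path (lower-cased) to the persistence signals seen for it."""
    signals: Dict[str, Set[str]] = defaultdict(set)
    pid_image = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    for e in events:
        if e["type"] == "registry" and RUN_KEY_RE.search(e["key"]):
            target = e["value"].strip('"')
            signals[target.lower()].add("run_key")
            if APPDATA_EXE_RE.match(target):
                signals[target.lower()].add("appdata_exe")
        elif e["type"] == "file" and STARTUP_LNK_RE.search(e["path"]):
            # prefer the resolved shortcut target; fall back to the writer's image
            target = e.get("lnk_target") or pid_image.get(e["pid"], e["path"])
            signals[target.lower()].add("startup_lnk")
        elif e["type"] == "file" and e.get("sha256") == SAMPLE_SHA256:
            signals[e["path"].lower()].add("known_hash")
        elif e["type"] == "process":
            hidden = attrib_hidden_target(e["cmdline"])
            if hidden:
                signals[hidden.lower()].add("attrib_hidden")
            if e.get("sha256") == SAMPLE_SHA256:
                signals[e["image"].lower()].add("known_hash")
            if APPDATA_EXE_RE.match(e["image"]):
                signals[e["image"].lower()].add("executed_from_appdata")
    return signals


def verdict(signals: Dict[str, Set[str]], threshold: int = 3) -> Dict[str, List[str]]:
    """Paths that collected at least `threshold` distinct signals."""
    return {p: sorted(s) for p, s in signals.items() if len(s) >= threshold}


PAYLOAD = r"C:\Users\Admin\AppData\Roaming\Payload.exe"
EVENTS = [  # constructed to mirror the report's process tree and signatures
    {"type": "process", "pid": 1944, "ppid": 1100, "sha256": SAMPLE_SHA256,
     "image": r"C:\Users\Admin\AppData\Local\Temp\47bea8a28b1e81e3342d594fc57acd8e.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\47bea8a28b1e81e3342d594fc57acd8e.exe"'},
    {"type": "file", "pid": 1944, "path": PAYLOAD, "sha256": SAMPLE_SHA256},
    {"type": "registry", "pid": 1944, "key": "HKU\\" + SID + RUN_KEY + r"\Windows2",
     "value": PAYLOAD},
    {"type": "file", "pid": 1944, "lnk_target": PAYLOAD,   # target assumed
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk"},
    {"type": "process", "pid": 1516, "ppid": 1944, "sha256": SAMPLE_SHA256,
     "image": PAYLOAD, "cmdline": '"' + PAYLOAD + '"'},
    {"type": "process", "pid": 1356, "ppid": 1944, "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": 'attrib +h +r +s "' + PAYLOAD + '"'},
    # decoys (constructed): a Run value outside Roaming, and attrib on a document
    {"type": "registry", "pid": 2200, "key": "HKU\\" + SID + RUN_KEY + r"\OneDrive",
     "value": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "process", "pid": 2300, "ppid": 2200, "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r'attrib +h "C:\Users\Admin\Documents\notes.txt"'},
]

if __name__ == "__main__":
    for path, sigs in verdict(correlate(EVENTS)).items():
        print(path, "->", ", ".join(sigs))
```

The threshold matters more than any single rule: a Run value alone or an attrib +h alone is routine on a workstation, and the decoy events show both scoring one signal and dropping out. What is rare is the same %AppData%\Roaming executable appearing as Run target, Startup shortcut target, attrib target and running process within one chain, which is exactly what the tree above records.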
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
  Filesize: 1KB
  MD5: f345e1c49c052602fb8b548d39dade03
  SHA1: e364dc4b0df7f219d56d1ed451685d5111cedac3
  SHA256: 71a185003b38f4acfd621c891f97cebdd92620bba7b300de8c66d793b18b0d92
  SHA512: ff0e090bdf54a603d4174378b46e76be1a53a8590ed4a787a8f140978588da774602799e916359110a1d48f91bb2cbda0fef1c1b41f4d960feda0e18ecc569a3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
  Filesize: 1018B
  MD5: 1ad6c4d7d80b5303ae85569d6ccd6afa
  SHA1: 44ef9137278b1376d80b66d33501cc6cca6e456d
  SHA256: 867631ca4a0725392ced256f67d5ebaf917e3d7564c7e3189da3b8729dd7fa56
  SHA512: d8d8cf943522721133b2fff2392563c3f947241c56edc918d74be92c08444ff2eadbbb23c822d2bc8b5e9999b743bec288aa23f54cab2c770fa50671ee215c03

C:\Users\Admin\AppData\Roaming\Payload.exe  (also listed as \Users\Admin\AppData\Roaming\Payload.exe; the report repeats this entry three times with identical hashes)
  Filesize: 27KB
  MD5: 47bea8a28b1e81e3342d594fc57acd8e
  SHA1: d301e8985e53b7baabf9b45df087a017e3817742
  SHA256: 8f04eb500e66a053fa3e6e8a9900e94e794218253a172265c3a881db6f65faf4
  SHA512: d5f2bfa425fa0c8d7fe2531b57ed9dbe5ca9b8bb8b7a868e39b251182446a22bcf01c3181d17b3362bc2a76b56cda1e504db2436fafbf922ee2120f76e8d00b6
  These hashes are identical to the submitted sample's: Payload.exe is a byte-for-byte copy of the dropper, so one hash set covers both the file in Temp and the persisted copy in Roaming.

Memory dumps
  memory/1356-61-0x0000000000000000-mapping.dmp
  memory/1516-57-0x0000000000000000-mapping.dmp
  memory/1516-60-0x00000000003E0000-0x00000000003EE000-memory.dmp  (56KB)
  memory/1944-54-0x0000000000DB0000-0x0000000000DBE000-memory.dmp  (56KB)
  memory/1944-55-0x0000000075CF1000-0x0000000075CF3000-memory.dmp  (8KB)