Analysis
max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted
21-09-2022 08:16
Behavioral task
behavioral1
Sample
a258fbc6346a5c5fcc28480a601d284c.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
a258fbc6346a5c5fcc28480a601d284c.exe
Resource
win10v2004-20220812-en
General
-
Target
a258fbc6346a5c5fcc28480a601d284c.exe
-
Size
27KB
-
MD5
a258fbc6346a5c5fcc28480a601d284c
-
SHA1
d579a1a2d1e79885ad80d4b3eb4d1a294f205399
-
SHA256
c9e8a120268308c6f2392fdb2fa65dee5f2cd48b8bb3433d5de9842ea1d987da
-
SHA512
7733d6836ceba7467d4925449297c69732e2ec5da9a6c93089deb2cecf2053726c6a91588a5255a71fbfd76bd8af89c74dab1a4ee19ee09ed6f88c3ff333582a
-
SSDEEP
384:2LuFFWP0CDZwnXmIQXkj90jEwmFterkSuldsP3NBa6Ml7AQk93vmhm7UMKmIEec1:wnRICol7A/vMHTi9bD
Malware Config
Extracted
Family
njrat
Version
v2.0
Botnet (campaign ID)
HacKed
C2
nomorelife15.ddns.net:9999
Windows
-
reg_key
Windows
-
splitter
|-F-|
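The splitter and C2 recovered above are the only protocol details in this report (its Network section is empty). The following is an added example, not part of the report and not njRAT's own code, of how a traffic decoder would use them. It assumes the wire framing commonly documented for njRAT, a decimal byte length, a NUL byte, then the body, with body fields separated by the configured splitter `|-F-|`; that framing is an assumption taken from public write-ups, not something this report shows. The message contents and the TCP segment boundary are constructed, and the second segment deliberately starts in the middle of a splitter so the partial-read path is exercised.

```python
"""Frame and split njRAT-style C2 traffic using the splitter from the config above.

Added example; it is not part of the Triage report, whose Network section is
empty. Assumed here (from public njRAT write-ups, not from this report): each
message on the wire is "<decimal byte length>\\x00<body>", and fields inside the
body are separated by the configured splitter, "|-F-|" for this sample. The
sample bytes at the bottom are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field

SPLITTER = b"|-F-|"  # value extracted from the sample's config


@dataclass
class NjratFramer:
    """Incremental parser for one TCP direction; tolerates messages split across segments."""

    splitter: bytes = SPLITTER
    _buf: bytearray = field(default_factory=bytearray)

    def feed(self, data: bytes) -> list[list[bytes]]:
        """Append received bytes; return every now-complete message as its list of fields."""
        self._buf.extend(data)
        messages: list[list[bytes]] = []
        while True:
            nul = self._buf.find(b"\x00")
            if nul == -1:
                break  # length prefix not complete yet
            prefix = bytes(self._buf[:nul])
            if not prefix.isdigit():
                raise ValueError(f"not an njRAT frame, bad length prefix: {prefix!r}")
            end = nul + 1 + int(prefix)
            if len(self._buf) < end:
                break  # body not fully received yet; wait for more data
            body = bytes(self._buf[nul + 1 : end])
            del self._buf[:end]
            messages.append(body.split(self.splitter))
        return messages


def build_message(fields: list[bytes], splitter: bytes = SPLITTER) -> bytes:
    """Encode fields into one framed message (the inverse of NjratFramer.feed)."""
    body = splitter.join(fields)
    return str(len(body)).encode("ascii") + b"\x00" + body


# Constructed sample traffic (not captured from the sandbox): one framed message
# with illustrative field values, delivered as two TCP segments cut so that the
# second segment begins inside a splitter.
SAMPLE = build_message([b"ll", b"HacKed", b"nomorelife15.ddns.net:9999"])
SEGMENT_1, SEGMENT_2 = SAMPLE[:8], SAMPLE[8:]


def demo() -> tuple[list[list[bytes]], list[list[bytes]]]:
    """Feed the two segments in order: the first yields nothing, the second the whole message."""
    framer = NjratFramer()
    return framer.feed(SEGMENT_1), framer.feed(SEGMENT_2)


if __name__ == "__main__":
    for msg in demo()[1]:
        print([f.decode("latin-1") for f in msg])
```

Splitting only after the full body has arrived is what makes the framer safe against a splitter straddling two segments; splitting each segment as it arrives would silently produce wrong field boundaries.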
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
1196 | Payload.exe
Drops startup file 4 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | a258fbc6346a5c5fcc28480a601d284c.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | Payload.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | Payload.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | Payload.exe
Adds Run key to start application 2 TTPs 5 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Windows\\Payload.exe" | a258fbc6346a5c5fcc28480a601d284c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
Note: the HKCU Run\Windows2 value is written twice. The dropper first points it at C:\\Windows\\Payload.exe; Payload.exe then overwrites it with the Windows.URL shortcut path, so after the run all four surviving Run entries (Windows and Windows2, HKCU and HKLM Wow6432Node) point at the .URL file. The Wow6432Node path shows the sample is a 32-bit process writing through the WOW64 registry redirector.
Drops file in Windows directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Payload.exe | a258fbc6346a5c5fcc28480a601d284c.exe
File opened for modification | C:\Windows\Payload.exe | attrib.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description labels this as likely ransomware behaviour, but nothing else in this report (no mass file modification, no encryption, no ransom note) supports that verdict. The extracted config identifies the sample as njRAT, whose drive enumeration belongs to its removable-media spreading feature, so treat this signature as drive enumeration by a RAT, not as a ransomware indicator.
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1196 | Payload.exe
Token: 33 | 1196 | Payload.exe
Token: SeIncBasePriorityPrivilege | 1196 | Payload.exe
(the Token: 33 / Token: SeIncBasePriorityPrivilege pair repeats eight times in total, 16 entries, all from PID 1196 Payload.exe)
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description | pid | process | target process
PID 1996 wrote to memory of 1196 | 1996 | a258fbc6346a5c5fcc28480a601d284c.exe | Payload.exe
PID 1996 wrote to memory of 1196 | 1996 | a258fbc6346a5c5fcc28480a601d284c.exe | Payload.exe
PID 1996 wrote to memory of 1196 | 1996 | a258fbc6346a5c5fcc28480a601d284c.exe | Payload.exe
PID 1996 wrote to memory of 1196 | 1996 | a258fbc6346a5c5fcc28480a601d284c.exe | Payload.exe
PID 1996 wrote to memory of 1800 | 1996 | a258fbc6346a5c5fcc28480a601d284c.exe | attrib.exe
PID 1996 wrote to memory of 1800 | 1996 | a258fbc6346a5c5fcc28480a601d284c.exe | attrib.exe
PID 1996 wrote to memory of 1800 | 1996 | a258fbc6346a5c5fcc28480a601d284c.exe | attrib.exe
PID 1996 wrote to memory of 1800 | 1996 | a258fbc6346a5c5fcc28480a601d284c.exe | attrib.exe
Note: both targets are children the dropper itself spawned (PIDs 1196 and 1800 in the process tree below). A handful of WriteProcessMemory calls from a parent into a child it has just created is part of normal process start-up, so this signature on its own is not evidence of code injection into an unrelated process.
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a258fbc6346a5c5fcc28480a601d284c.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a258fbc6346a5c5fcc28480a601d284c.exe"
Depth 1 (submitted sample, PID 1996)
- Drops startup file
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
  C:\Windows\Payload.exe
  Command line: "C:\Windows\Payload.exe"
  Depth 2 (child of the sample, PID 1196)
  - Executes dropped EXE
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
-
  C:\Windows\SysWOW64\attrib.exe
  Command line: attrib +h +r +s "C:\Windows\Payload.exe"
  Depth 2 (child of the sample, PID 1800)
  - Drops file in Windows directory
  - Views/modifies file attributes
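The process tree and the signature tables together describe a compact persistence pattern: the sample copies itself to C:\Windows\Payload.exe, hides it with attrib +h +r +s, registers Run values named Windows and Windows2 (pointing at a .URL shortcut under Templates or at the bare executable in C:\Windows), and drops Windows.exe and Windows.lnk into the user's Startup folder. The following is an added example, not part of the report, of turning that pattern into detection logic over Sysmon-style event records. The records are constructed to mirror the IoCs above (plus two benign controls), the field names follow Sysmon's but the events are made up, and the allowlists of legitimate Startup and C:\Windows writers are assumptions to tune per environment.

```python
"""Flag the persistence pattern from this report in Sysmon-style event records.

Added example; not part of the Triage report. The event records below are
constructed to mirror the report's IoCs (the sample dropping C:\\Windows\\Payload.exe
and hiding it with attrib +h +r +s, Run values named Windows/Windows2 that point at
a .URL shortcut or at a bare executable in C:\\Windows, and an executable dropped
into the Startup folder), plus two benign controls. Field names follow Sysmon's
(Image, CommandLine, TargetObject, Details, TargetFilename); the records are made up.
"""
from __future__ import annotations

import re

# Run value under HKCU or HKLM, including the Wow6432Node view a 32-bit process writes to.
RUN_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I
)
STARTUP_RE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(?:exe|lnk|url|vbs|js|bat|cmd|scr)$", re.I
)
# An executable sitting directly in C:\Windows (not System32/SysWOW64) is unusual.
WINDIR_EXE_RE = re.compile(r"^[A-Z]:\\Windows\\[^\\]+\.exe$", re.I)

# Assumed allowlists: writers that legitimately touch Startup or C:\Windows. Tune per estate.
STARTUP_WRITERS_OK = {"explorer.exe", "msiexec.exe"}
WINDIR_WRITERS_OK = {"trustedinstaller.exe", "tiworker.exe", "msiexec.exe", "poqexec.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list[str]:
    """Return the rule names one event triggers (empty list for benign events)."""
    hits: list[str] = []
    kind = event["EventType"]
    if kind == "RegistryValueSet":
        m = RUN_KEY_RE.search(event["TargetObject"])
        if m:
            name, data = m.group(1), event["Details"].strip().strip('"')
            if data.lower().endswith(".url"):
                hits.append(f"run_key_url:{name}")  # Run entry launching an Internet Shortcut
            if WINDIR_EXE_RE.match(data):
                hits.append(f"run_key_windir_exe:{name}")
    elif kind == "FileCreate":
        target, writer = event["TargetFilename"], basename(event["Image"])
        if STARTUP_RE.search(target) and writer not in STARTUP_WRITERS_OK:
            hits.append("startup_folder_drop")
        if WINDIR_EXE_RE.match(target) and writer not in WINDIR_WRITERS_OK:
            hits.append("windir_exe_drop")
    elif kind == "ProcessCreate":
        if basename(event["Image"]) == "attrib.exe":
            flags = {t.lower() for t in event["CommandLine"].split() if t.startswith("+")}
            if {"+h", "+s"} <= flags:  # hidden + system: hides the file from casual listings
                hits.append("attrib_hide_system")
    return hits


def hunt(events: list[dict]) -> list[tuple[int, str]]:
    """(pid, rule) pairs for every hit across the event stream."""
    return [(e["ProcessId"], rule) for e in events for rule in evaluate(e)]


SID = "S-1-5-21-999675638-2867687379-27515722-1000"  # the user SID seen in the report
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\a258fbc6346a5c5fcc28480a601d284c.exe"
EVENTS = [  # constructed records mirroring the sandbox's IoCs
    {"EventType": "FileCreate", "ProcessId": 1996, "Image": DROPPER,
     "TargetFilename": r"C:\Windows\Payload.exe"},
    {"EventType": "RegistryValueSet", "ProcessId": 1996, "Image": DROPPER,
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\Windows2",
     "Details": r'"C:\Windows\Payload.exe"'},
    {"EventType": "ProcessCreate", "ProcessId": 1800, "Image": r"C:\Windows\SysWOW64\attrib.exe",
     "CommandLine": r'attrib +h +r +s "C:\Windows\Payload.exe"'},
    {"EventType": "RegistryValueSet", "ProcessId": 1196, "Image": r"C:\Windows\Payload.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows",
     "Details": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL"},
    {"EventType": "FileCreate", "ProcessId": 1196, "Image": r"C:\Windows\Payload.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"},
    # benign controls: a normal Run entry, and Explorer creating a shortcut in Startup
    {"EventType": "RegistryValueSet", "ProcessId": 4242,
     "Image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventType": "FileCreate", "ProcessId": 1337, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.lnk"},
]

if __name__ == "__main__":
    for pid, rule in hunt(EVENTS):
        print(pid, rule)
```

None of these rules depends on the file hashes or the Windows/Windows2 value names, which a rebuild of the sample would change; they key on the behaviour (a Run entry that launches a .URL, a bare executable dropped in C:\Windows and then hidden, a non-Explorer process writing to Startup), which is what survives across njRAT builds.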
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
Filesize 1KB
MD5 8c85f2dfe8e56c8c5b4fd081873a985b
SHA1 93637c5c22106b35a2595f52bb32fcd655d046d9
SHA256 a1f4fa7b2e83f8c1fe5933b1e5b20e3f985d4583e715edc6a96d8123f171b440
SHA512 5e5b7c35221a842774f320f3690e699bde307eaf9ed2fadbe7143b9bfbead0fac05eba15992ae5f7ead7625672eeb130f3d615666d47aa55e010c132c0a47758
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
Filesize 1014B
MD5 266a48cd8f9ff6e13decb003c0743c4b
SHA1 b42aa3e1114f210215ec73293d27fd1598476a21
SHA256 67e393c4e1ff5627534023421f5db1e8c30b40412de14df5b24c1bfb7ec648ee
SHA512 9b9acc6f39006a4369b6b84ec9ec1af4c82f2bb3540f9b8c0fc930beccdbff3b1e45025d8b268146afd655547af170452e22a4318dd3bc9a87a53d2888cf2546
-
C:\Windows\Payload.exe
Filesize 27KB
MD5 a258fbc6346a5c5fcc28480a601d284c
SHA1 d579a1a2d1e79885ad80d4b3eb4d1a294f205399
SHA256 c9e8a120268308c6f2392fdb2fa65dee5f2cd48b8bb3433d5de9842ea1d987da
SHA512 7733d6836ceba7467d4925449297c69732e2ec5da9a6c93089deb2cecf2053726c6a91588a5255a71fbfd76bd8af89c74dab1a4ee19ee09ed6f88c3ff333582a
Note: these hashes match the submitted sample exactly, so the dropper copies itself unchanged to C:\Windows\Payload.exe rather than unpacking a distinct second-stage binary; one hash set covers both the original and the installed copy.
-
memory/1196-56-0x0000000000000000-mapping.dmp
-
memory/1196-64-0x0000000073EB0000-0x000000007445B000-memory.dmp (5.7MB)
-
memory/1196-65-0x0000000073EB0000-0x000000007445B000-memory.dmp (5.7MB)
-
memory/1800-62-0x0000000000000000-mapping.dmp
-
memory/1996-54-0x0000000074C11000-0x0000000074C13000-memory.dmp (8KB)
-
memory/1996-55-0x0000000073EB0000-0x000000007445B000-memory.dmp (5.7MB)
-
memory/1996-63-0x0000000073EB0000-0x000000007445B000-memory.dmp (5.7MB)