Analysis
- max time kernel: 23s
- max time network: 136s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 29-09-2022 20:31
Behavioral task: behavioral1
- Sample: 2f31e85aa9c78b6e90e11b5c5c03ca6c.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 2f31e85aa9c78b6e90e11b5c5c03ca6c.exe
- Resource: win10v2004-20220812-en
General
- Target: 2f31e85aa9c78b6e90e11b5c5c03ca6c.exe
- Size: 37KB
- MD5: 2f31e85aa9c78b6e90e11b5c5c03ca6c
- SHA1: 9689697f566c5d213b6c2711fb7b24db200892ac
- SHA256: 4a6ba5a1b484be5e51bde495518b46f56abc53c34291551c25c3eb0c5e930d2a
- SHA512: ac16652707cc8d8103e9e77ee9114c5020143afc9536d3d7800271a412e4ceef641fb1989f6e68383a262a10e4dd0e72cdc8fd326cef4747356e9d482f08698b
- SSDEEP: 384:afunz6dgibXjpPu7w9qyMTA3/r6s2cLrrAF+rMRTyN/0L+EcoinblneHQM3epzXZ:r+NN9ZMTA3W1cvrM+rMRa8NutXt
Malware Config
Extracted
- Family: njrat
- Version: im523
- Botnet: HacKed
- C2: 8.tcp.ngrok.io:12006
- Mutex: e5b461e898ede89ab7bb3c41c44aaf10
- reg_key: e5b461e898ede89ab7bb3c41c44aaf10
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes: Loader.exe (pid 968)
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Loads dropped DLL (1 IoC)
  Processes: 2f31e85aa9c78b6e90e11b5c5c03ca6c.exe (pid 360)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 2f31e85aa9c78b6e90e11b5c5c03ca6c.exe, Loader.exe
  description                         | pid | process                                | target process
  PID 360 wrote to memory of 968      | 360 | 2f31e85aa9c78b6e90e11b5c5c03ca6c.exe   | Loader.exe
  PID 360 wrote to memory of 968      | 360 | 2f31e85aa9c78b6e90e11b5c5c03ca6c.exe   | Loader.exe
  PID 360 wrote to memory of 968      | 360 | 2f31e85aa9c78b6e90e11b5c5c03ca6c.exe   | Loader.exe
  PID 360 wrote to memory of 968      | 360 | 2f31e85aa9c78b6e90e11b5c5c03ca6c.exe   | Loader.exe
  PID 968 wrote to memory of 2028     | 968 | Loader.exe                             | netsh.exe
  PID 968 wrote to memory of 2028     | 968 | Loader.exe                             | netsh.exe
  PID 968 wrote to memory of 2028     | 968 | Loader.exe                             | netsh.exe
  PID 968 wrote to memory of 2028     | 968 | Loader.exe                             | netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2f31e85aa9c78b6e90e11b5c5c03ca6c.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2f31e85aa9c78b6e90e11b5c5c03ca6c.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Loader.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Loader.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Loader.exe" "Loader.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\Loader.exe
  Filesize: 37KB
  MD5: 2f31e85aa9c78b6e90e11b5c5c03ca6c
  SHA1: 9689697f566c5d213b6c2711fb7b24db200892ac
  SHA256: 4a6ba5a1b484be5e51bde495518b46f56abc53c34291551c25c3eb0c5e930d2a
  SHA512: ac16652707cc8d8103e9e77ee9114c5020143afc9536d3d7800271a412e4ceef641fb1989f6e68383a262a10e4dd0e72cdc8fd326cef4747356e9d482f08698b
- \Users\Admin\AppData\Roaming\Loader.exe
  Filesize: 37KB
  MD5: 2f31e85aa9c78b6e90e11b5c5c03ca6c
  SHA1: 9689697f566c5d213b6c2711fb7b24db200892ac
  SHA256: 4a6ba5a1b484be5e51bde495518b46f56abc53c34291551c25c3eb0c5e930d2a
  SHA512: ac16652707cc8d8103e9e77ee9114c5020143afc9536d3d7800271a412e4ceef641fb1989f6e68383a262a10e4dd0e72cdc8fd326cef4747356e9d482f08698b
- memory/360-54-0x0000000075771000-0x0000000075773000-memory.dmp (Filesize: 8KB)
- memory/360-55-0x00000000741C0000-0x000000007476B000-memory.dmp (Filesize: 5.7MB)
- memory/360-61-0x00000000741C0000-0x000000007476B000-memory.dmp (Filesize: 5.7MB)
- memory/968-62-0x00000000741C0000-0x000000007476B000-memory.dmp (Filesize: 5.7MB)
- memory/968-57-0x0000000000000000-mapping.dmp
- memory/968-65-0x00000000741C0000-0x000000007476B000-memory.dmp (Filesize: 5.7MB)
- memory/2028-63-0x0000000000000000-mapping.dmp