Analysis
- max time kernel: 149s
- max time network: 48s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 01-10-2022 22:18
Static task: static1
Behavioral task: behavioral1
Sample: b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa.exe
Resource: win7-20220901-en
General
- Target: b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa.exe
- Size: 289KB
- MD5: 61515ba9633ff41d3fa44d5ff837c460
- SHA1: 83623fc4699e3ea9b628d1f9a5f4cdd7426c36b8
- SHA256: b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa
- SHA512: 234438c585b175f5d743e30692888591ea3a1a5d2b59e1e75dd49fe44173656f1bddee85b31fa27dad95f541f958f0b2f89d36b74d63de88bc683f0d68126a1f
- SSDEEP: 3072:FB/o6kBWW71YYd9mE6qTW59cbX/lqmqb/9kdR4cBtVIzKkes5RPdmDwgd4Ujepq0:Y/BC5
Malware Config
Extracted
- Family: njrat
- Version: 0.6.4
- Botnet: HACKED
- C2: hasniimed.no-ip.biz:1177
- Mutex: 9e07d5f15e8eb1f15f646580801c5439
- reg_key: 9e07d5f15e8eb1f15f646580801c5439
- splitter: |'|'|
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
  864 | hack.exe.exe
  1744 | hack.exe.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  948 | b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa.exe
  864 | hack.exe.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\9e07d5f15e8eb1f15f646580801c5439 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\hack.exe.exe\" .." | hack.exe.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\9e07d5f15e8eb1f15f646580801c5439 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\hack.exe.exe\" .." | hack.exe.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description | pid | process | target process):
  PID 1380 set thread context of 948 | 1380 | b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa.exe | b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa.exe
  PID 864 set thread context of 1744 | 864 | hack.exe.exe | hack.exe.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes (pid | process):
  1744 | hack.exe.exe (9 identical entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 1380 | b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa.exe
  Token: SeDebugPrivilege | 864 | hack.exe.exe
  Token: SeDebugPrivilege | 1744 | hack.exe.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (description | pid | process | target process):
  PID 1380 wrote to memory of 948 | 1380 | b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa.exe | b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa.exe (6 identical entries)
  PID 948 wrote to memory of 864 | 948 | b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa.exe | hack.exe.exe (4 identical entries)
  PID 864 wrote to memory of 1744 | 864 | hack.exe.exe | hack.exe.exe (6 identical entries)
  PID 1744 wrote to memory of 1128 | 1744 | hack.exe.exe | netsh.exe (4 identical entries)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa.exe
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Admin\AppData\Local\Temp\hack.exe.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\hack.exe.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Users\Admin\AppData\Local\Temp\hack.exe.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\hack.exe.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\hack.exe.exe" "hack.exe.exe" ENABLE
          - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\hack.exe.exe
  Filesize: 289KB
  MD5: 61515ba9633ff41d3fa44d5ff837c460
  SHA1: 83623fc4699e3ea9b628d1f9a5f4cdd7426c36b8
  SHA256: b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa
  SHA512: 234438c585b175f5d743e30692888591ea3a1a5d2b59e1e75dd49fe44173656f1bddee85b31fa27dad95f541f958f0b2f89d36b74d63de88bc683f0d68126a1f