Analysis
max time kernel: 150s
max time network: 158s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 01-10-2022 23:03
Static task: static1
Behavioral task: behavioral1
  Sample: 138851849d5585aa75023fc00340be2ba7c14623329705c2fb9e81f746b3af4e.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 138851849d5585aa75023fc00340be2ba7c14623329705c2fb9e81f746b3af4e.exe
  Resource: win10v2004-20220812-en
General
Target: 138851849d5585aa75023fc00340be2ba7c14623329705c2fb9e81f746b3af4e.exe
Size: 90KB
MD5: 6e294fcc1cd9475d14bbcb752a1c2a00
SHA1: e837a35ed5fb77b85b613ed6f9d51181f0dbe370
SHA256: 138851849d5585aa75023fc00340be2ba7c14623329705c2fb9e81f746b3af4e
SHA512: 5d6f4103f997212432a138f1db45701c673ed9a0e5619136f504cdb4c3f1e7c5fc50373532685877368ce29f50755594ece4cae6a062938b1d8dfb261e4768ea
SSDEEP: 1536:j/EOtUMnDUi8Tw/pmcqQxPHdQN543awuCIcv1kV7E0yWgx6k+xxg:jVtznD0c/EQFaQKrceV7EXqBxxg
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: HacKed
C2: qquuali.ddns.net:1177
Mutex: 337410fe1de3aa7d2d73b9cb00bd0f85
Attributes:
  reg_key: 337410fe1de3aa7d2d73b9cb00bd0f85
  splitter: |'|'|
Signatures
Executes dropped EXE 1 IoCs
Processes:
  pid 2040  process: Hack Facebook.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
Loads dropped DLL 1 IoCs
Processes:
  pid 1960  process: 138851849d5585aa75023fc00340be2ba7c14623329705c2fb9e81f746b3af4e.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  Set value (str)  \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\337410fe1de3aa7d2d73b9cb00bd0f85 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Hack Facebook.exe\" .."  process: Hack Facebook.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\337410fe1de3aa7d2d73b9cb00bd0f85 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Hack Facebook.exe\" .."  process: Hack Facebook.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
  Token: SeDebugPrivilege            pid 2040  process: Hack Facebook.exe
  Token: 33                          pid 2040  process: Hack Facebook.exe
  Token: SeIncBasePriorityPrivilege  pid 2040  process: Hack Facebook.exe
  Token: 33                          pid 2040  process: Hack Facebook.exe
  Token: SeIncBasePriorityPrivilege  pid 2040  process: Hack Facebook.exe
  Token: 33                          pid 2040  process: Hack Facebook.exe
  Token: SeIncBasePriorityPrivilege  pid 2040  process: Hack Facebook.exe
  Token: 33                          pid 2040  process: Hack Facebook.exe
  Token: SeIncBasePriorityPrivilege  pid 2040  process: Hack Facebook.exe
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
  PID 1960 wrote to memory of 2040  process: 138851849d5585aa75023fc00340be2ba7c14623329705c2fb9e81f746b3af4e.exe  target process: Hack Facebook.exe
  PID 1960 wrote to memory of 2040  process: 138851849d5585aa75023fc00340be2ba7c14623329705c2fb9e81f746b3af4e.exe  target process: Hack Facebook.exe
  PID 1960 wrote to memory of 2040  process: 138851849d5585aa75023fc00340be2ba7c14623329705c2fb9e81f746b3af4e.exe  target process: Hack Facebook.exe
  PID 1960 wrote to memory of 2040  process: 138851849d5585aa75023fc00340be2ba7c14623329705c2fb9e81f746b3af4e.exe  target process: Hack Facebook.exe
  PID 2040 wrote to memory of 888   process: Hack Facebook.exe  target process: netsh.exe
  PID 2040 wrote to memory of 888   process: Hack Facebook.exe  target process: netsh.exe
  PID 2040 wrote to memory of 888   process: Hack Facebook.exe  target process: netsh.exe
  PID 2040 wrote to memory of 888   process: Hack Facebook.exe  target process: netsh.exe
Processes
C:\Users\Admin\AppData\Local\Temp\138851849d5585aa75023fc00340be2ba7c14623329705c2fb9e81f746b3af4e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\138851849d5585aa75023fc00340be2ba7c14623329705c2fb9e81f746b3af4e.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Hack Facebook.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Hack Facebook.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Hack Facebook.exe" "Hack Facebook.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\Hack Facebook.exe
  Filesize: 90KB
  MD5: 6e294fcc1cd9475d14bbcb752a1c2a00
  SHA1: e837a35ed5fb77b85b613ed6f9d51181f0dbe370
  SHA256: 138851849d5585aa75023fc00340be2ba7c14623329705c2fb9e81f746b3af4e
  SHA512: 5d6f4103f997212432a138f1db45701c673ed9a0e5619136f504cdb4c3f1e7c5fc50373532685877368ce29f50755594ece4cae6a062938b1d8dfb261e4768ea
\Users\Admin\AppData\Local\Temp\Hack Facebook.exe
  Filesize: 90KB
  MD5: 6e294fcc1cd9475d14bbcb752a1c2a00
  SHA1: e837a35ed5fb77b85b613ed6f9d51181f0dbe370
  SHA256: 138851849d5585aa75023fc00340be2ba7c14623329705c2fb9e81f746b3af4e
  SHA512: 5d6f4103f997212432a138f1db45701c673ed9a0e5619136f504cdb4c3f1e7c5fc50373532685877368ce29f50755594ece4cae6a062938b1d8dfb261e4768ea
memory/888-65-0x0000000000000000-mapping.dmp
memory/1960-54-0x0000000001000000-0x000000000101C000-memory.dmp
  Filesize: 112KB
memory/1960-55-0x00000000002E0000-0x00000000002EA000-memory.dmp
  Filesize: 40KB
memory/1960-56-0x0000000074AB1000-0x0000000074AB3000-memory.dmp
  Filesize: 8KB
memory/1960-57-0x0000000000320000-0x000000000033A000-memory.dmp
  Filesize: 104KB
memory/1960-58-0x0000000000440000-0x000000000044C000-memory.dmp
  Filesize: 48KB
memory/2040-60-0x0000000000000000-mapping.dmp
memory/2040-63-0x0000000000D40000-0x0000000000D5C000-memory.dmp
  Filesize: 112KB