Analysis
max time kernel: 150s
max time network: 44s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 01-10-2022 22:37
Behavioral task: behavioral1
Sample: 71cf8584c6fc6ea5e76da576e4cebb0a5088fa3b7ea3ab268308a624a104b4ed.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 71cf8584c6fc6ea5e76da576e4cebb0a5088fa3b7ea3ab268308a624a104b4ed.exe
Resource: win10v2004-20220812-en
General
Target: 71cf8584c6fc6ea5e76da576e4cebb0a5088fa3b7ea3ab268308a624a104b4ed.exe
Size: 23KB
MD5: 6cc60294257416803c36384bfb1fdfd0
SHA1: ce662ea4f2fa58ee81db8338b489bf47a8583796
SHA256: 71cf8584c6fc6ea5e76da576e4cebb0a5088fa3b7ea3ab268308a624a104b4ed
SHA512: 5963541784376474df9d0af10b418f35287637acd4de20b415984975c4199cfd1dc4af60b602edbc58e4bfa2c12e73b962271ff54c1a7c9af609e9161558b067
SSDEEP: 384:nsqCm6yocx/Yp7jemiO0nd08/VQ6bgNQC5h7tmRvR6JZlbw8hqIusZzZBs:8SoQA6mlcrRpcnuR
Malware Config
Extracted family: njrat
Version: 0.7d
Campaign ID: HacKed
C2: ahmadhamodd2.no-ip.biz:3321
Install ID: 609ac4547a4f541c744b04c437ad5428 (reused below as the Run value name and the Startup file name)
reg_key: 609ac4547a4f541c744b04c437ad5428
splitter: |'|'|
Note: the C2 is a dynamic-DNS (no-ip.biz) hostname and this report records no resolved address, so block and hunt on the hostname and port, not on an IP.
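The splitter above is the field delimiter njRAT uses inside its C2 messages. The following is an added example, not code from the report or from njRAT itself: it takes the splitter and C2 from the extracted config, parses a reassembled TCP byte stream into frames, and offers a cheap per-segment match for a network sensor. It assumes (as public analyses of njRAT 0.7d describe) that each message is a decimal byte length, a NUL, then the payload with fields separated by the splitter; the sample traffic, the "ll" registration layout and the "act" keyword are constructed for illustration and the parser does not depend on field order.

```python
"""Parse and spot njRAT-style framed C2 messages using the splitter from the extracted config.

Added example for this report; it is not code from the sample or from njRAT.
Assumptions (marked below): each message on the wire is "<decimal length>\x00<payload>"
and fields inside the payload are separated by the configured splitter.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

SPLITTER = "|'|'|"                                   # extracted config: splitter
C2_HOST, C2_PORT = "ahmadhamodd2.no-ip.biz", 3321    # extracted config: C2

# Assumption: frame header is a decimal byte count followed by a single NUL.
LENGTH_PREFIX = re.compile(rb"(\d{1,8})\x00")


@dataclass
class Frame:
    payload: bytes
    fields: List[str]


def encode_frame(payload: str) -> bytes:
    """Build one frame the way the assumed protocol does; used here to construct test traffic."""
    body = payload.encode("latin-1")
    return str(len(body)).encode("ascii") + b"\x00" + body


def parse_frames(stream: bytes, splitter: str = SPLITTER) -> Tuple[List[Frame], bytes]:
    """Split a reassembled TCP byte stream into complete frames.

    Returns (frames, leftover). A trailing partial frame is returned untouched as
    leftover so the caller can prepend it to the next segment. Bytes that do not
    start with a length prefix raise, since they are not this protocol.
    """
    frames: List[Frame] = []
    pos = 0
    while pos < len(stream):
        m = LENGTH_PREFIX.match(stream, pos)        # anchored at pos (no '^', which would only match offset 0)
        if m is None:
            raise ValueError(f"no length prefix at offset {pos}: {stream[pos:pos + 16]!r}")
        start = m.end()
        end = start + int(m.group(1))
        if end > len(stream):
            break                                    # partial frame: wait for more bytes
        payload = stream[start:end]
        frames.append(Frame(payload, payload.decode("latin-1").split(splitter)))
        pos = end
    return frames, stream[pos:]


def looks_like_njrat(segment: bytes, splitter: str = SPLITTER) -> bool:
    """Cheap per-segment content check for a network sensor: length prefix plus splitter."""
    return LENGTH_PREFIX.match(segment) is not None and splitter.encode("latin-1") in segment


# Constructed sample traffic (not captured from the sample). The first message imitates
# the registration beacon: an "ll" keyword, campaign-prefixed victim id, host, user, ...;
# the exact field order is an assumption, and the parser does not depend on it.
REGISTRATION = SPLITTER.join([
    "ll", "HacKed_5A3F9C0B1D2E", "VICTIM-PC", "Admin", "22-10-01", "",
    "Win 7 Ultimate SP1 x64", "No", "0.7d", "..", "Program Manager",
])
SECOND_MESSAGE = SPLITTER.join(["act", "Program Manager"])   # placeholder keyword, constructed
SAMPLE_STREAM = encode_frame(REGISTRATION) + encode_frame(SECOND_MESSAGE) + b"12\x00abc"


if __name__ == "__main__":
    frames, leftover = parse_frames(SAMPLE_STREAM)
    for f in frames:
        print(f.fields)
    print("leftover:", leftover, "| njrat-like:", looks_like_njrat(SAMPLE_STREAM))
```

The leftover handling matters in practice: the registration message is long enough to straddle TCP segments, so a sensor that only inspects individual packets for the splitter will miss frames whose delimiter falls on a segment boundary. Feed `parse_frames` the reassembled stream and carry the leftover forward.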
Signatures
Executes dropped EXE (1 IoC)
  PID 1672  googil.exe

Modifies Windows Firewall (1 TTP, 1 IoC)
  See the netsh.exe command line in the process tree below.

Drops startup file (2 IoCs)
  googil.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\609ac4547a4f541c744b04c437ad5428.exe
  googil.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\609ac4547a4f541c744b04c437ad5428.exe

Loads dropped DLL (1 IoC)
  PID 1132  71cf8584c6fc6ea5e76da576e4cebb0a5088fa3b7ea3ab268308a624a104b4ed.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  googil.exe: Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\609ac4547a4f541c744b04c437ad5428 = "C:\ProgramData\googil.exe" ..
  googil.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\609ac4547a4f541c744b04c437ad5428 = "C:\ProgramData\googil.exe" ..
  (Value data shown unescaped. The HKLM entry lands under Wow6432Node because googil.exe is a 32-bit process and WOW64 redirects its HKLM\SOFTWARE writes; Windows still executes Run entries from that key at logon, so hunt both the native and the Wow6432Node path. The trailing " .." argument is a long-standing njRAT hallmark worth a dedicated rule.)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (This is the sandbox's generic heuristic for drive enumeration. Nothing else in this report, no mass file writes or ransom notes, supports ransomware; njRAT enumerates drives for its file-manager and USB-spreading features.)

Suspicious use of AdjustPrivilegeToken (19 IoCs)
  googil.exe (PID 1672): enabled SeDebugPrivilege once, then nine times each, alternating, privilege LUID 33 (SeIncreaseWorkingSetPrivilege, which the sandbox prints as "Token: 33") and SeIncBasePriorityPrivilege.

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1132 (71cf8584c6fc6ea5e76da576e4cebb0a5088fa3b7ea3ab268308a624a104b4ed.exe) wrote to memory of PID 1672 (googil.exe), 4 times
  PID 1672 (googil.exe) wrote to memory of PID 1596 (netsh.exe), 4 times
  (Each writer is the parent of its target in the process tree below, so these are writes into freshly created children during process start-up rather than injection into an unrelated process.)
Processes
1. C:\Users\Admin\AppData\Local\Temp\71cf8584c6fc6ea5e76da576e4cebb0a5088fa3b7ea3ab268308a624a104b4ed.exe (PID 1132)
   Command line: "C:\Users\Admin\AppData\Local\Temp\71cf8584c6fc6ea5e76da576e4cebb0a5088fa3b7ea3ab268308a624a104b4ed.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\googil.exe (PID 1672, child of 1)
      Command line: "C:\ProgramData\googil.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (PID 1596, child of 2)
         Command line: netsh firewall add allowedprogram "C:\ProgramData\googil.exe" "googil.exe" ENABLE
         - Modifies Windows Firewall
         (The legacy "netsh firewall" context is deprecated since Windows Vista but still accepted on Windows 7; the SysWOW64 path confirms the caller is 32-bit. A 32-bit netsh launched from ProgramData with an allowedprogram/add rule argument is a high-signal command-line detection on its own.)
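The three persistence and evasion steps in this tree (Startup-folder copy, Run keys under both HKU and the WOW64-redirected HKLM path, and a firewall exception added through netsh) are individually noisy but together are a strong signal. The following is an added example, not code from the sandbox or the sample: a small triage routine run over constructed Sysmon-style events that mirror this report's IoCs, plus one benign installer event as a control. The event dictionary shape and the rule names are assumptions; the regexes cover the Run key both with and without Wow6432Node, and both the legacy `netsh firewall add allowedprogram` and the newer `netsh advfirewall firewall add rule` forms.

```python
"""Host-telemetry triage for the njRAT persistence chain seen in this report.

Added example for this report; it is not code from the sandbox or from the sample. The
events below are constructed to mirror the report's IoCs (paths, registry values,
command line), plus one benign control event. The event shape is an assumption
modelled on Sysmon-style process-create / registry-set / file-create records.
"""
import re
from typing import Dict, List, Set

# Directories a standard user can write to; a Run key or firewall exception pointing here is suspicious.
USER_WRITABLE = re.compile(r"^[a-z]:\\(?:programdata|users\\[^\\]+\\appdata)\\", re.I)
# Native HKLM/HKU Run key and the WOW64-redirected Wow6432Node copy, value name captured.
RUN_KEY = re.compile(r"\\software\\(?:wow6432node\\)?microsoft\\windows\\currentversion\\run\\([^\\]+)$", re.I)
STARTUP_DIR = re.compile(r"\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\", re.I)
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)
# Legacy "netsh firewall" context (still accepted on Windows 7) and the newer advfirewall form.
NETSH_ALLOW = re.compile(
    r'netsh\s+(?:firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)'
    r'.*?"?([a-z]:\\[^"]+\.exe)"?', re.I)
EXE_PATH = re.compile(r'[a-z]:\\[^"]+\.exe', re.I)


def _finding(rule: str, actor: str, event: Dict, detail: str) -> Dict:
    return {"rule": rule, "actor": actor, "type": event["type"], "detail": detail}


def triage(events: List[Dict]) -> List[Dict]:
    """Return one finding per event that matches a rule; 'actor' is the process to blame."""
    findings: List[Dict] = []
    for e in events:
        if e["type"] == "process_create":
            m = NETSH_ALLOW.search(e["command_line"])
            if m and USER_WRITABLE.search(m.group(1)):
                # Blame the parent that launched netsh, not netsh.exe itself.
                findings.append(_finding("FW-ALLOW-USERDIR", e["parent_image"], e, m.group(1)))
        elif e["type"] == "registry_set":
            m = RUN_KEY.search(e["key"])
            if not m:
                continue
            reasons = []
            if e["data"].rstrip().endswith(" .."):
                reasons.append("njRAT-style trailing ' ..' argument")
            if HEX32.match(m.group(1)):
                reasons.append("32-hex value name")
            target = EXE_PATH.search(e["data"])
            if target and USER_WRITABLE.search(target.group(0)):
                reasons.append("target in user-writable directory")
            if reasons:
                findings.append(_finding("RUN-KEY-SUSPICIOUS", e["image"], e, "; ".join(reasons)))
        elif e["type"] == "file_create":
            if STARTUP_DIR.search(e["path"]) and USER_WRITABLE.search(e["image"]):
                findings.append(_finding("STARTUP-DROP", e["image"], e, e["path"]))
    return findings


def summarize(findings: List[Dict]) -> Dict[str, Set[str]]:
    """Distinct rules hit per actor; several different rules on one image is the strong signal."""
    by_actor: Dict[str, Set[str]] = {}
    for f in findings:
        by_actor.setdefault(f["actor"].lower(), set()).add(f["rule"])
    return by_actor


GOOGIL = r"C:\ProgramData\googil.exe"
REG_KEY_NAME = "609ac4547a4f541c744b04c437ad5428"
# Constructed events mirroring the report, plus a benign installer control (last entry).
SAMPLE_EVENTS: List[Dict] = [
    {"type": "file_create", "image": GOOGIL,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%s.exe" % REG_KEY_NAME},
    {"type": "registry_set", "image": GOOGIL,
     "key": r"\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\%s" % REG_KEY_NAME,
     "data": '"C:\\ProgramData\\googil.exe" ..'},
    {"type": "registry_set", "image": GOOGIL,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\%s" % REG_KEY_NAME,
     "data": '"C:\\ProgramData\\googil.exe" ..'},
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\netsh.exe", "parent_image": GOOGIL,
     "command_line": 'netsh firewall add allowedprogram "C:\\ProgramData\\googil.exe" "googil.exe" ENABLE'},
    {"type": "registry_set", "image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "data": '"C:\\Program Files\\Vendor\\updater.exe" /background'},
]


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for h in hits:
        print(h["rule"], h["actor"], h["detail"])
    print(summarize(hits))
```

Attributing the netsh hit to the parent image is what lets `summarize` stack all three rules on googil.exe; keyed on netsh.exe the firewall change would look like an isolated, low-priority event. The benign Run key from Program Files produces no finding, which is the false-positive check a rule like this needs before deployment.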
Network
MITRE ATT&CK Matrix: ATT&CK v6
Downloads
C:\ProgramData\googil.exe (recorded three times in the report: twice as C:\ProgramData\googil.exe and once as \ProgramData\googil.exe; all three records are identical)
Filesize: 23KB
MD5: 6cc60294257416803c36384bfb1fdfd0
SHA1: ce662ea4f2fa58ee81db8338b489bf47a8583796
SHA256: 71cf8584c6fc6ea5e76da576e4cebb0a5088fa3b7ea3ab268308a624a104b4ed
SHA512: 5963541784376474df9d0af10b418f35287637acd4de20b415984975c4199cfd1dc4af60b602edbc58e4bfa2c12e73b962271ff54c1a7c9af609e9161558b067
Note: the dropped googil.exe has exactly the same hashes as the submitted sample. The first stage copies itself to C:\ProgramData rather than unpacking a distinct payload, so a file-hash indicator for the submission also covers the dropped copy and the Startup-folder copy named after the install ID.
Memory dumps
memory/1132-54-0x0000000075561000-0x0000000075563000-memory.dmp: 8KB
memory/1132-55-0x0000000074260000-0x000000007480B000-memory.dmp: 5.7MB
memory/1132-61-0x0000000074260000-0x000000007480B000-memory.dmp: 5.7MB
memory/1596-63-0x0000000000000000-mapping.dmp
memory/1672-57-0x0000000000000000-mapping.dmp
memory/1672-62-0x0000000074260000-0x000000007480B000-memory.dmp: 5.7MB
memory/1672-65-0x0000000074260000-0x000000007480B000-memory.dmp: 5.7MB
(The same 5.7MB range 0x74260000-0x7480B000 is dumped from both PID 1132 and PID 1672, which points to a shared 32-bit module mapping rather than per-process unpacked code.)