Analysis
- max time kernel: 151s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 01-10-2022 20:22
Behavioral task behavioral1
- Sample: 8769fd1919c424e928ef6062c46508d66057bb1d06ec1a3e82dcdc4dfd41202c.exe
- Resource: win7-20220812-en

Behavioral task behavioral2
- Sample: 8769fd1919c424e928ef6062c46508d66057bb1d06ec1a3e82dcdc4dfd41202c.exe
- Resource: win10v2004-20220812-en
General
- Target: 8769fd1919c424e928ef6062c46508d66057bb1d06ec1a3e82dcdc4dfd41202c.exe
- Size: 29KB
- MD5: 72abb4dbaefb2ea4d2f98350d34d6580
- SHA1: dfc8f7f461461aaf85098c16ab487ee52668771a
- SHA256: 8769fd1919c424e928ef6062c46508d66057bb1d06ec1a3e82dcdc4dfd41202c
- SHA512: 5d51ca5330111ebc1d7cce12c8fe34733ee23551593c69a313c7b0c08aff0d7cf87431c70d3fe0b3709606f0c4867a8c48268db7a41d1876f3657152081fb089
- SSDEEP: 768:YZ7nMsanzR+2cqEDveyBKh0p29SgRjF7:W7nSQtD7KhG29jB7
Malware Config
Extracted
- Family: njrat
- Version: 0.6.4
- Botnet: HacKed
- C2: medo01010.no-ip.info:1177
- Mutex: 5cd8f17f4086744065eb0992a09e05a2
- Attributes:
  - reg_key: 5cd8f17f4086744065eb0992a09e05a2
  - splitter: |'|'|

The C2 is a dynamic-DNS hostname (no-ip.info) on port 1177, so pivot on the hostname rather than on whatever IP it resolved to at analysis time. The same 32-hex-character identifier serves as both the mutex and the name of the Run value written for persistence (see Signatures below).
Signatures
- Executes dropped EXE (1 IoC)
  - PID 1952 Trojan.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Loads dropped DLL (1 IoC)
  - PID 1648 8769fd1919c424e928ef6062c46508d66057bb1d06ec1a3e82dcdc4dfd41202c.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Trojan.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" ..
  - Trojan.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" ..
  Persistence is attempted in both the per-user (HKCU) and the machine-wide 32-bit (HKLM\...\Wow6432Node) Run keys; the value name is the reg_key from the extracted config and the target is the dropped copy in %TEMP%.
- Enumerates physical storage devices (1 TTP)
  - Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the sandbox's generic description of the signature; nothing else in this report shows file-encryption activity.)
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  - PID 1952 Trojan.exe (16 events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  - PID 1952 Trojan.exe: Token SeDebugPrivilege
- Suspicious use of WriteProcessMemory (8 IoCs)
  - PID 1648 (8769fd1919c424e928ef6062c46508d66057bb1d06ec1a3e82dcdc4dfd41202c.exe) wrote to memory of PID 1952 (Trojan.exe), 4 events
  - PID 1952 (Trojan.exe) wrote to memory of PID 1288 (netsh.exe), 4 events
  Each write is from a parent into the child it spawned, matching the process tree below; no writes into unrelated processes were recorded.
Processes
1. C:\Users\Admin\AppData\Local\Temp\8769fd1919c424e928ef6062c46508d66057bb1d06ec1a3e82dcdc4dfd41202c.exe (PID 1648)
   Command line: "C:\Users\Admin\AppData\Local\Temp\8769fd1919c424e928ef6062c46508d66057bb1d06ec1a3e82dcdc4dfd41202c.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Trojan.exe (PID 1952)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (PID 1288)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
         - Modifies Windows Firewall
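The two host-level behaviours above, a Run value under both the per-user and the machine Wow6432Node CurrentVersion\Run keys pointing at %TEMP%\Trojan.exe and a legacy `netsh firewall add allowedprogram` exception for that same path, are what a detection engineer would key on, together with the C2 host:port from the extracted config. The script below is an added example, not part of this sandbox report or of any tool it mentions: it runs those checks over a handful of constructed telemetry events modelled on the report's process, registry and network activity. The `Event` record, its field names and the two benign control events are assumptions for the example, and it also recognises the `netsh advfirewall firewall add rule ... program=` syntax, which the report itself does not show.

```python
"""Added example, not from the sandbox report: detection logic for the autorun
and firewall-exception behaviour attributed to Trojan.exe, run over constructed
events. The Event format is an assumption; map it onto Sysmon EID 1/3/13 or EDR."""
import re
from dataclasses import dataclass

# IoCs taken from the report.
NJRAT_REG_KEY = "5cd8f17f4086744065eb0992a09e05a2"  # config reg_key = Run value name
C2_HOST, C2_PORT = "medo01010.no-ip.info", 1177     # config C2

# Locations a legitimate firewall exception or autorun should not point into.
# Deliberately narrow: AppData\Local and ProgramData host plenty of real software.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp|Users\\Public)\\", re.I)

# A value under ...\CurrentVersion\Run or RunOnce, any hive prefix (incl. Wow6432Node).
RUN_VALUE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.I)

# Legacy syntax seen in the report: netsh firewall add allowedprogram "<path>" "<name>" ENABLE
NETSH_LEGACY = re.compile(
    r'\bnetsh(?:\.exe)?\s+firewall\s+add\s+allowedprogram\s+(?:program=)?(?:"([^"]+)"|(\S+))', re.I)
# Modern syntax (assumption, not in the report): netsh advfirewall firewall add rule ... program="<path>"
NETSH_ADV = re.compile(
    r'\bnetsh(?:\.exe)?\s+advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=(?:"([^"]+)"|(\S+))', re.I)


@dataclass
class Event:
    kind: str                # "process", "registry" or "network"
    pid: int
    image: str
    command_line: str = ""   # process: full command line
    target_object: str = ""  # registry: full key\value path written
    details: str = ""        # registry: value data
    dest_host: str = ""      # network: destination host
    dest_port: int = 0       # network: destination port


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    image: str
    detail: str


def firewall_exception_path(command_line):
    """Program path that a netsh command adds an allow rule for, or None."""
    for pattern in (NETSH_LEGACY, NETSH_ADV):
        m = pattern.search(command_line)
        if m:
            return m.group(1) or m.group(2)
    return None


def run_key_entry(target_object, details):
    """(value name, program path) for a Run/RunOnce value write, else None."""
    m = RUN_VALUE.search(target_object)
    if not m:
        return None
    data = details.strip()
    # njRAT writes '"<path>" ..'; take the quoted token, otherwise the first word.
    path = data[1:].split('"', 1)[0] if data.startswith('"') else data.split(" ", 1)[0]
    return m.group(1), path


def analyse(events):
    findings = []
    for e in events:
        if e.kind == "process":
            path = firewall_exception_path(e.command_line)
            if path and USER_WRITABLE.search(path):
                findings.append(Finding("firewall-allow-user-writable", e.pid, e.image, path))
        elif e.kind == "registry":
            entry = run_key_entry(e.target_object, e.details)
            if entry:
                name, path = entry
                if USER_WRITABLE.search(path):
                    findings.append(Finding("run-key-user-writable", e.pid, e.image, path))
                if name.lower() == NJRAT_REG_KEY:
                    findings.append(Finding("njrat-reg-key", e.pid, e.image, e.target_object))
        elif e.kind == "network":
            if (e.dest_host.lower(), e.dest_port) == (C2_HOST, C2_PORT):
                findings.append(Finding("njrat-c2-contact", e.pid, e.image,
                                        f"{e.dest_host}:{e.dest_port}"))
    return findings


# Constructed events modelled on the report (PIDs, paths and values as reported),
# followed by two constructed benign events that must not fire.
TROJAN = r"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
SID = "S-1-5-21-3845472200-3839195424-595303356-1000"
SAMPLE_EVENTS = [
    Event("process", 1288, r"C:\Windows\SysWOW64\netsh.exe",
          command_line=f'netsh firewall add allowedprogram "{TROJAN}" "Trojan.exe" ENABLE'),
    Event("registry", 1952, TROJAN, details=f'"{TROJAN}" ..',
          target_object=rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\{NJRAT_REG_KEY}"),
    Event("registry", 1952, TROJAN, details=f'"{TROJAN}" ..',
          target_object=rf"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\{NJRAT_REG_KEY}"),
    Event("network", 1952, TROJAN, dest_host=C2_HOST, dest_port=C2_PORT),
    Event("process", 4242, r"C:\Windows\System32\netsh.exe",
          command_line='netsh advfirewall firewall add rule name="Steam" dir=in action=allow '
                       r'program="C:\Program Files (x86)\Steam\steam.exe"'),
    Event("registry", 4243, r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
          target_object=rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
          details=r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.image} -> {f.detail}")
```

Run it directly to print the findings for the constructed events: six in total, two for each Run value (the Temp-path rule and the known-reg_key rule), one for the netsh exception and one for the C2 contact, while the Steam rule and the OneDrive autorun stay silent. The user-writable-path check is narrow on purpose so legitimate per-user software under AppData\Local does not fire; widen it to AppData\Roaming only if the resulting false-positive rate is acceptable in the environment, and treat the reg_key and C2 matches as sample-specific IoCs that will not carry over to other njRAT builds.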
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Trojan.exe (also listed as \Users\Admin\AppData\Local\Temp\Trojan.exe; the report lists this file three times with identical hashes, collapsed here)
  - Filesize: 29KB
  - MD5: 72abb4dbaefb2ea4d2f98350d34d6580
  - SHA1: dfc8f7f461461aaf85098c16ab487ee52668771a
  - SHA256: 8769fd1919c424e928ef6062c46508d66057bb1d06ec1a3e82dcdc4dfd41202c
  - SHA512: 5d51ca5330111ebc1d7cce12c8fe34733ee23551593c69a313c7b0c08aff0d7cf87431c70d3fe0b3709606f0c4867a8c48268db7a41d1876f3657152081fb089
  The dropped Trojan.exe is byte-identical to the submitted sample (same MD5, SHA-1, SHA-256 and SHA-512): the first stage copies itself to %TEMP%\Trojan.exe rather than unpacking a distinct payload, so the hashes in General are also the hashes of the persisted file.
- memory/1288-60-0x0000000000000000-mapping.dmp
- memory/1648-54-0x0000000076121000-0x0000000076123000-memory.dmp (8KB)
- memory/1648-61-0x00000000748B0000-0x0000000074E5B000-memory.dmp (5.7MB)
- memory/1952-56-0x0000000000000000-mapping.dmp
- memory/1952-62-0x00000000748B0000-0x0000000074E5B000-memory.dmp (5.7MB)
- memory/1952-64-0x00000000748B0000-0x0000000074E5B000-memory.dmp (5.7MB)