Analysis
- max time kernel: 34s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 02-10-2022 22:44
Behavioral task: behavioral1
Sample: 991e78566446c860f859905c0d4f0529ab5daa9f3792b6206b75e5eab2eaeaa0.exe
Resource: win7-20220812-en
General
- Target: 991e78566446c860f859905c0d4f0529ab5daa9f3792b6206b75e5eab2eaeaa0.exe
- Size: 29KB
- MD5: 6653deab44e0c1931da98843a74d52b0
- SHA1: 3412af8e3fde42c3cca0ba6e5e90783d0a5b1e03
- SHA256: 991e78566446c860f859905c0d4f0529ab5daa9f3792b6206b75e5eab2eaeaa0
- SHA512: 50d3be3173d8bfe807dc20a31a46cd22e4cd0928939f96cfcc5837dfe8de83517b798c618130a36a9269e0dd9e2d34582889201304e3fd95f95ce3bd811ca053
- SSDEEP: 384:ugJGJl7tj1Msagab1h5Vh+2CWmqDebD59ePbGBsbh0w4wlAokw9OhgOL1vYRGOZo:K7nMsanzR+2cqEDveyBKh0p29SgRuz
Malware Config
Extracted
- Family: njrat
- Version: 0.6.4
- Campaign ID: HacKed
- C2: trojanhackninja.ddns.net:2015
- Mutex: 5607fa2f78a79f2f2e754f5a87fb64d1
- reg_key: 5607fa2f78a79f2f2e754f5a87fb64d1
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes: eZ.exe (PID 1340)
- Loads dropped DLL (1 IoC)
  Processes: 991e78566446c860f859905c0d4f0529ab5daa9f3792b6206b75e5eab2eaeaa0.exe (PID 288)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: 991e78566446c860f859905c0d4f0529ab5daa9f3792b6206b75e5eab2eaeaa0.exe (PID 288) wrote to the memory of target process eZ.exe (PID 1340); recorded four times.
Processes
- C:\Users\Admin\AppData\Local\Temp\991e78566446c860f859905c0d4f0529ab5daa9f3792b6206b75e5eab2eaeaa0.exe (PID 288), command line: "C:\Users\Admin\AppData\Local\Temp\991e78566446c860f859905c0d4f0529ab5daa9f3792b6206b75e5eab2eaeaa0.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\eZ.exe (PID 1340), command line: "C:\Users\Admin\AppData\Local\Temp\eZ.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\eZ.exe
  Filesize: 29KB
  MD5: 6653deab44e0c1931da98843a74d52b0
  SHA1: 3412af8e3fde42c3cca0ba6e5e90783d0a5b1e03
  SHA256: 991e78566446c860f859905c0d4f0529ab5daa9f3792b6206b75e5eab2eaeaa0
  SHA512: 50d3be3173d8bfe807dc20a31a46cd22e4cd0928939f96cfcc5837dfe8de83517b798c618130a36a9269e0dd9e2d34582889201304e3fd95f95ce3bd811ca053
- memory/288-54-0x0000000075771000-0x0000000075773000-memory.dmp
  Filesize: 8KB
- memory/288-60-0x00000000741C0000-0x000000007476B000-memory.dmp
  Filesize: 5.7MB
- memory/1340-56-0x0000000000000000-mapping.dmp
- memory/1340-61-0x00000000741C0000-0x000000007476B000-memory.dmp
  Filesize: 5.7MB