Analysis
-
max time kernel
174s -
max time network
47s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
02-10-2022 14:13
Behavioral task
behavioral1
Sample
11695dc77d6971a58cba9b2230eee1dea2f6f36064ea44fee33a6361d24c4e79.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
11695dc77d6971a58cba9b2230eee1dea2f6f36064ea44fee33a6361d24c4e79.exe
Resource
win10v2004-20220812-en
General
-
Target
11695dc77d6971a58cba9b2230eee1dea2f6f36064ea44fee33a6361d24c4e79.exe
-
Size
29KB
-
MD5
634ab053307a90fe48245b72292180a0
-
SHA1
9f0e59ddeeffa2b280b8f3379902022179521ef2
-
SHA256
11695dc77d6971a58cba9b2230eee1dea2f6f36064ea44fee33a6361d24c4e79
-
SHA512
f8e94ac7fe9f6b37be2e0b5262e43a8bcd76a898d6c910e0ddff38eaf58760fa258e7a17128e66e3edecc91fd8faf8be84228dcfaf6cf2fab8c0cd3520c2f6e5
-
SSDEEP
768:GrD71oGc1FRVp74q2HesBKh0p29SgRHO:kD71IPkjZKhG29jHO
Malware Config
Extracted
njrat
0.6.4
HacKed
feras9999.no-ip.biz:1177
d5a38e9b5f206c41f8851bf04a251d26
-
reg_key
d5a38e9b5f206c41f8851bf04a251d26
-
splitter
|'|'|
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
chrome.exepid process 892 chrome.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Loads dropped DLL 1 IoCs
Processes:
11695dc77d6971a58cba9b2230eee1dea2f6f36064ea44fee33a6361d24c4e79.exepid process 1680 11695dc77d6971a58cba9b2230eee1dea2f6f36064ea44fee33a6361d24c4e79.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
chrome.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\d5a38e9b5f206c41f8851bf04a251d26 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome.exe\" .." chrome.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\d5a38e9b5f206c41f8851bf04a251d26 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome.exe\" .." chrome.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
chrome.exepid process 892 chrome.exe 892 chrome.exe 892 chrome.exe 892 chrome.exe 892 chrome.exe 892 chrome.exe 892 chrome.exe 892 chrome.exe 892 chrome.exe 892 chrome.exe 892 chrome.exe 892 chrome.exe 892 chrome.exe 892 chrome.exe 892 chrome.exe 892 chrome.exe 892 chrome.exe 892 chrome.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
chrome.exedescription pid process Token: SeDebugPrivilege 892 chrome.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
11695dc77d6971a58cba9b2230eee1dea2f6f36064ea44fee33a6361d24c4e79.exechrome.exedescription pid process target process PID 1680 wrote to memory of 892 1680 11695dc77d6971a58cba9b2230eee1dea2f6f36064ea44fee33a6361d24c4e79.exe chrome.exe PID 1680 wrote to memory of 892 1680 11695dc77d6971a58cba9b2230eee1dea2f6f36064ea44fee33a6361d24c4e79.exe chrome.exe PID 1680 wrote to memory of 892 1680 11695dc77d6971a58cba9b2230eee1dea2f6f36064ea44fee33a6361d24c4e79.exe chrome.exe PID 1680 wrote to memory of 892 1680 11695dc77d6971a58cba9b2230eee1dea2f6f36064ea44fee33a6361d24c4e79.exe chrome.exe PID 892 wrote to memory of 1976 892 chrome.exe netsh.exe PID 892 wrote to memory of 1976 892 chrome.exe netsh.exe PID 892 wrote to memory of 1976 892 chrome.exe netsh.exe PID 892 wrote to memory of 1976 892 chrome.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\11695dc77d6971a58cba9b2230eee1dea2f6f36064ea44fee33a6361d24c4e79.exe"C:\Users\Admin\AppData\Local\Temp\11695dc77d6971a58cba9b2230eee1dea2f6f36064ea44fee33a6361d24c4e79.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\chrome.exe"C:\Users\Admin\AppData\Local\Temp\chrome.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\chrome.exe" "chrome.exe" ENABLE3⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\chrome.exeFilesize
29KB
MD5634ab053307a90fe48245b72292180a0
SHA19f0e59ddeeffa2b280b8f3379902022179521ef2
SHA25611695dc77d6971a58cba9b2230eee1dea2f6f36064ea44fee33a6361d24c4e79
SHA512f8e94ac7fe9f6b37be2e0b5262e43a8bcd76a898d6c910e0ddff38eaf58760fa258e7a17128e66e3edecc91fd8faf8be84228dcfaf6cf2fab8c0cd3520c2f6e5
-
C:\Users\Admin\AppData\Local\Temp\chrome.exeFilesize
29KB
MD5634ab053307a90fe48245b72292180a0
SHA19f0e59ddeeffa2b280b8f3379902022179521ef2
SHA25611695dc77d6971a58cba9b2230eee1dea2f6f36064ea44fee33a6361d24c4e79
SHA512f8e94ac7fe9f6b37be2e0b5262e43a8bcd76a898d6c910e0ddff38eaf58760fa258e7a17128e66e3edecc91fd8faf8be84228dcfaf6cf2fab8c0cd3520c2f6e5
-
\Users\Admin\AppData\Local\Temp\chrome.exeFilesize
29KB
MD5634ab053307a90fe48245b72292180a0
SHA19f0e59ddeeffa2b280b8f3379902022179521ef2
SHA25611695dc77d6971a58cba9b2230eee1dea2f6f36064ea44fee33a6361d24c4e79
SHA512f8e94ac7fe9f6b37be2e0b5262e43a8bcd76a898d6c910e0ddff38eaf58760fa258e7a17128e66e3edecc91fd8faf8be84228dcfaf6cf2fab8c0cd3520c2f6e5
-
memory/892-56-0x0000000000000000-mapping.dmp
-
memory/892-64-0x0000000074E90000-0x000000007543B000-memory.dmpFilesize
5.7MB
-
memory/892-65-0x0000000074E90000-0x000000007543B000-memory.dmpFilesize
5.7MB
-
memory/1680-54-0x0000000075921000-0x0000000075923000-memory.dmpFilesize
8KB
-
memory/1680-58-0x0000000074E90000-0x000000007543B000-memory.dmpFilesize
5.7MB
-
memory/1680-62-0x0000000074E90000-0x000000007543B000-memory.dmpFilesize
5.7MB
-
memory/1976-61-0x0000000000000000-mapping.dmp