Analysis
-
max time kernel
151s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system -
submitted
03-10-2022 01:26
Static task
static1
Behavioral task
behavioral1
Sample
310c021fb4f390cf764b379aca54d1c2f936ea1ec2347bc4ff60bc77e4cac976.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
310c021fb4f390cf764b379aca54d1c2f936ea1ec2347bc4ff60bc77e4cac976.exe
Resource
win10v2004-20220812-en
General
-
Target
310c021fb4f390cf764b379aca54d1c2f936ea1ec2347bc4ff60bc77e4cac976.exe
-
Size
200KB
-
MD5
66e84153d32a83fc6bddb60b67de2640
-
SHA1
730408f28dc20362eb02f683a288ae853bfd8476
-
SHA256
310c021fb4f390cf764b379aca54d1c2f936ea1ec2347bc4ff60bc77e4cac976
-
SHA512
a00d96f90610c1376832518c11b9bc2a3e9a497be6a95342788b87a6731704605fdc3bfbc2b4b2e633d5798b0dd2efa6fe53578bec9576b2c6ab5ab7e98e7437
-
SSDEEP
1536:WSotYbj6iGuhiHpabOU81c57KPCYYX5uAgqHFjdVlrO2FdvSKUxsy/bQ6Ar3:WSoabWWigOU8c7DZJrOodvTUxFVAr3
Malware Config
Extracted
njrat
0.6.4
HacKed
127.0.0.1:1177
ba4c12bee3027d94da5c81db2d196bfd
-
reg_key
ba4c12bee3027d94da5c81db2d196bfd
-
splitter
|'|'|
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
pid   process
1492  Gerenciador De Audio Do Windows.exe
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Drops startup file 2 IoCs
Processes:
description                   ioc                                                                                                           process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ba4c12bee3027d94da5c81db2d196bfd.exe   Gerenciador De Audio Do Windows.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ba4c12bee3027d94da5c81db2d196bfd.exe   Gerenciador De Audio Do Windows.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid   process
1004  310c021fb4f390cf764b379aca54d1c2f936ea1ec2347bc4ff60bc77e4cac976.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description      ioc                                                                                                                                                                                                                                          process
Set value (str)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ba4c12bee3027d94da5c81db2d196bfd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Gerenciador De Audio Do Windows.exe\" .."   Gerenciador De Audio Do Windows.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ba4c12bee3027d94da5c81db2d196bfd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Gerenciador De Audio Do Windows.exe\" .."                                    Gerenciador De Audio Do Windows.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
pid   process
1492  Gerenciador De Audio Do Windows.exe  (16 identical IoCs, all from PID 1492)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  1492  Gerenciador De Audio Do Windows.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description                       pid   process                                                               target process
PID 1004 wrote to memory of 1492  1004  310c021fb4f390cf764b379aca54d1c2f936ea1ec2347bc4ff60bc77e4cac976.exe  Gerenciador De Audio Do Windows.exe  (4 IoCs)
PID 1492 wrote to memory of 956   1492  Gerenciador De Audio Do Windows.exe                                   netsh.exe                            (4 IoCs)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\310c021fb4f390cf764b379aca54d1c2f936ea1ec2347bc4ff60bc77e4cac976.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\310c021fb4f390cf764b379aca54d1c2f936ea1ec2347bc4ff60bc77e4cac976.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
  2. C:\Users\Admin\AppData\Local\Temp\Gerenciador De Audio Do Windows.exe  (child of 1)
     Command line: "C:\Users\Admin\AppData\Local\Temp\Gerenciador De Audio Do Windows.exe"
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
    3. C:\Windows\SysWOW64\netsh.exe  (child of 2)
       Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Gerenciador De Audio Do Windows.exe" "Gerenciador De Audio Do Windows.exe" ENABLE
- Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Gerenciador De Audio Do Windows.exe
Filesize 29KB
MD5 c450ec14f481075219631a00657111a6
SHA1 c5238b0b790a4648db2c329362a26fb520d92f13
SHA256 a80722d4d3a83545e1b724c287f0be3d83196f17b884104d4cfcfb30a11d8499
SHA512 20652659c089e64b6e917a2960db8470988a3ffd87966338e7b4a2ccbbeca6fe2bce15a5f2a050429a3da8b1dbc6a389901fe4c96e00b74fc55f6a1e59d1864a
-
\Users\Admin\AppData\Local\Temp\Gerenciador De Audio Do Windows.exe
Filesize 29KB
MD5 c450ec14f481075219631a00657111a6
SHA1 c5238b0b790a4648db2c329362a26fb520d92f13
SHA256 a80722d4d3a83545e1b724c287f0be3d83196f17b884104d4cfcfb30a11d8499
SHA512 20652659c089e64b6e917a2960db8470988a3ffd87966338e7b4a2ccbbeca6fe2bce15a5f2a050429a3da8b1dbc6a389901fe4c96e00b74fc55f6a1e59d1864a
-
memory/956-64-0x0000000000000000-mapping.dmp
-
memory/1004-54-0x0000000001090000-0x00000000010A8000-memory.dmp
Filesize 96KB
-
memory/1004-55-0x00000000004B0000-0x00000000004F0000-memory.dmp
Filesize 256KB
-
memory/1004-56-0x0000000075211000-0x0000000075213000-memory.dmp
Filesize 8KB
-
memory/1004-61-0x0000000004805000-0x0000000004816000-memory.dmp
Filesize 68KB
-
memory/1492-58-0x0000000000000000-mapping.dmp
-
memory/1492-63-0x000000006F370000-0x000000006F91B000-memory.dmp
Filesize 5.7MB
-
memory/1492-66-0x000000006F370000-0x000000006F91B000-memory.dmp
Filesize 5.7MB