Analysis
-
max time kernel
156s
-
max time network
51s
-
platform
windows7_x64
-
resource
win7-20220812-en
-
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
-
submitted
19-10-2022 21:56
Static task
static1
Behavioral task
behavioral1
Sample
afd826e3d09b5b147d9dc2874d159d4e066e633cfda82dac9c941e4df3c929d5.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
afd826e3d09b5b147d9dc2874d159d4e066e633cfda82dac9c941e4df3c929d5.exe
Resource
win10v2004-20220812-en
General
-
Target
afd826e3d09b5b147d9dc2874d159d4e066e633cfda82dac9c941e4df3c929d5.exe
-
Size
32KB
-
MD5
90f5a408048f5bd6803a98331cded120
-
SHA1
a9ccc979131258242d80d3dbab2c41fb3d7511ed
-
SHA256
afd826e3d09b5b147d9dc2874d159d4e066e633cfda82dac9c941e4df3c929d5
-
SHA512
45c9925826c9e7ee7490b01c12808798997501961984be4c2ccc2764664122ec056e35e2a13fe50c056c929a7a65b5a54138630705779c965797698955875ad3
-
SSDEEP
768:UfLjXHlL0vNcof4t08X+dk4FglrAHhd0AQvxCx:UfH3lLY4L4kWnusx
Malware Config
Extracted
Family
njrat
Version
0.7d
Botnet
HacKed
C2
loaimajdi.no-ip.biz:5552
Mutex
10ce81ee12043fcd07c0abe92db49633
-
reg_key
10ce81ee12043fcd07c0abe92db49633
-
splitter
|'|'|
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
1404 | internet downlood manger.exe
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\10ce81ee12043fcd07c0abe92db49633 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\internet downlood manger.exe\" .." | internet downlood manger.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\10ce81ee12043fcd07c0abe92db49633 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\internet downlood manger.exe\" .." | internet downlood manger.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1404 | internet downlood manger.exe
Token: 33 | 1404 | internet downlood manger.exe
Token: SeIncBasePriorityPrivilege | 1404 | internet downlood manger.exe
Token: 33 | 1404 | internet downlood manger.exe
Token: SeIncBasePriorityPrivilege | 1404 | internet downlood manger.exe
Token: 33 | 1404 | internet downlood manger.exe
Token: SeIncBasePriorityPrivilege | 1404 | internet downlood manger.exe
Token: 33 | 1404 | internet downlood manger.exe
Token: SeIncBasePriorityPrivilege | 1404 | internet downlood manger.exe
Token: 33 | 1404 | internet downlood manger.exe
Token: SeIncBasePriorityPrivilege | 1404 | internet downlood manger.exe
Token: 33 | 1404 | internet downlood manger.exe
Token: SeIncBasePriorityPrivilege | 1404 | internet downlood manger.exe
Token: 33 | 1404 | internet downlood manger.exe
Token: SeIncBasePriorityPrivilege | 1404 | internet downlood manger.exe
Token: 33 | 1404 | internet downlood manger.exe
Token: SeIncBasePriorityPrivilege | 1404 | internet downlood manger.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description | pid | process | target process
PID 1412 wrote to memory of 1404 | 1412 | afd826e3d09b5b147d9dc2874d159d4e066e633cfda82dac9c941e4df3c929d5.exe | internet downlood manger.exe
PID 1412 wrote to memory of 1404 | 1412 | afd826e3d09b5b147d9dc2874d159d4e066e633cfda82dac9c941e4df3c929d5.exe | internet downlood manger.exe
PID 1412 wrote to memory of 1404 | 1412 | afd826e3d09b5b147d9dc2874d159d4e066e633cfda82dac9c941e4df3c929d5.exe | internet downlood manger.exe
PID 1404 wrote to memory of 2020 | 1404 | internet downlood manger.exe | netsh.exe
PID 1404 wrote to memory of 2020 | 1404 | internet downlood manger.exe | netsh.exe
PID 1404 wrote to memory of 2020 | 1404 | internet downlood manger.exe | netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\afd826e3d09b5b147d9dc2874d159d4e066e633cfda82dac9c941e4df3c929d5.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\afd826e3d09b5b147d9dc2874d159d4e066e633cfda82dac9c941e4df3c929d5.exe"
- Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\internet downlood manger.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\internet downlood manger.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    -
    C:\Windows\system32\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\internet downlood manger.exe" "internet downlood manger.exe" ENABLE
    - Modifies Windows Firewall
Downloads
-
C:\Users\Admin\AppData\Local\Temp\internet downlood manger.exe
Filesize
32KB
MD5
90f5a408048f5bd6803a98331cded120
SHA1
a9ccc979131258242d80d3dbab2c41fb3d7511ed
SHA256
afd826e3d09b5b147d9dc2874d159d4e066e633cfda82dac9c941e4df3c929d5
SHA512
45c9925826c9e7ee7490b01c12808798997501961984be4c2ccc2764664122ec056e35e2a13fe50c056c929a7a65b5a54138630705779c965797698955875ad3
-
memory/1404-58-0x0000000000000000-mapping.dmp
-
memory/1404-61-0x0000000001320000-0x000000000132E000-memory.dmp
Filesize
56KB
-
memory/1412-54-0x0000000000D10000-0x0000000000D1E000-memory.dmp
Filesize
56KB
-
memory/1412-55-0x00000000003C0000-0x00000000003C8000-memory.dmp
Filesize
32KB
-
memory/1412-56-0x00000000003E0000-0x00000000003EC000-memory.dmp
Filesize
48KB
-
memory/1412-57-0x000007FEFB6A1000-0x000007FEFB6A3000-memory.dmp
Filesize
8KB
-
memory/2020-62-0x0000000000000000-mapping.dmp