Analysis
-
max time kernel
150s -
max time network
49s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
20-10-2022 06:09
Behavioral task
behavioral1
Sample
36f3522312d37afed37fb86396c48cf4bb444f8cb1c67f4adedcdedaae7d3c0e.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
36f3522312d37afed37fb86396c48cf4bb444f8cb1c67f4adedcdedaae7d3c0e.exe
Resource
win10v2004-20220901-en
General
-
Target
36f3522312d37afed37fb86396c48cf4bb444f8cb1c67f4adedcdedaae7d3c0e.exe
-
Size
23KB
-
MD5
7c7c238e6dd52845112c299d914fd060
-
SHA1
38f816cfc0456892e2af0813b6123bddfe7d137a
-
SHA256
36f3522312d37afed37fb86396c48cf4bb444f8cb1c67f4adedcdedaae7d3c0e
-
SHA512
b0a8b7fbaece30cf799154f095fb9d8904b3ce176c3b0aecf2bdf5825754547c089fb2e66a44c226de69925891a1774a8eb8a81d6552f1a002b70c3903082229
-
SSDEEP
384:JQ+ILgIbOprgPsUOSU0kB1kd6dg7GYh/JomRvR6JZlbw8hqIusZzZsSH:8LL6MVU0NRpcnu6
Malware Config
Extracted
njrat
0.7d
7
judo50.sytes.net:200
83390fd039c609d3df6e0d1261c35777
-
reg_key
83390fd039c609d3df6e0d1261c35777
-
splitter
|'|'|
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
cmd.exepid process 2028 cmd.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Loads dropped DLL 1 IoCs
Processes:
36f3522312d37afed37fb86396c48cf4bb444f8cb1c67f4adedcdedaae7d3c0e.exepid process 1292 36f3522312d37afed37fb86396c48cf4bb444f8cb1c67f4adedcdedaae7d3c0e.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
cmd.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\83390fd039c609d3df6e0d1261c35777 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\cmd.exe\" .." cmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\83390fd039c609d3df6e0d1261c35777 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\cmd.exe\" .." cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
Processes:
cmd.exedescription pid process Token: SeDebugPrivilege 2028 cmd.exe Token: 33 2028 cmd.exe Token: SeIncBasePriorityPrivilege 2028 cmd.exe Token: 33 2028 cmd.exe Token: SeIncBasePriorityPrivilege 2028 cmd.exe Token: 33 2028 cmd.exe Token: SeIncBasePriorityPrivilege 2028 cmd.exe Token: 33 2028 cmd.exe Token: SeIncBasePriorityPrivilege 2028 cmd.exe Token: 33 2028 cmd.exe Token: SeIncBasePriorityPrivilege 2028 cmd.exe Token: 33 2028 cmd.exe Token: SeIncBasePriorityPrivilege 2028 cmd.exe Token: 33 2028 cmd.exe Token: SeIncBasePriorityPrivilege 2028 cmd.exe Token: 33 2028 cmd.exe Token: SeIncBasePriorityPrivilege 2028 cmd.exe Token: 33 2028 cmd.exe Token: SeIncBasePriorityPrivilege 2028 cmd.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
36f3522312d37afed37fb86396c48cf4bb444f8cb1c67f4adedcdedaae7d3c0e.execmd.exedescription pid process target process PID 1292 wrote to memory of 2028 1292 36f3522312d37afed37fb86396c48cf4bb444f8cb1c67f4adedcdedaae7d3c0e.exe cmd.exe PID 1292 wrote to memory of 2028 1292 36f3522312d37afed37fb86396c48cf4bb444f8cb1c67f4adedcdedaae7d3c0e.exe cmd.exe PID 1292 wrote to memory of 2028 1292 36f3522312d37afed37fb86396c48cf4bb444f8cb1c67f4adedcdedaae7d3c0e.exe cmd.exe PID 1292 wrote to memory of 2028 1292 36f3522312d37afed37fb86396c48cf4bb444f8cb1c67f4adedcdedaae7d3c0e.exe cmd.exe PID 2028 wrote to memory of 1932 2028 cmd.exe netsh.exe PID 2028 wrote to memory of 1932 2028 cmd.exe netsh.exe PID 2028 wrote to memory of 1932 2028 cmd.exe netsh.exe PID 2028 wrote to memory of 1932 2028 cmd.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\36f3522312d37afed37fb86396c48cf4bb444f8cb1c67f4adedcdedaae7d3c0e.exe"C:\Users\Admin\AppData\Local\Temp\36f3522312d37afed37fb86396c48cf4bb444f8cb1c67f4adedcdedaae7d3c0e.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "cmd.exe" ENABLE3⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\cmd.exeFilesize
23KB
MD57c7c238e6dd52845112c299d914fd060
SHA138f816cfc0456892e2af0813b6123bddfe7d137a
SHA25636f3522312d37afed37fb86396c48cf4bb444f8cb1c67f4adedcdedaae7d3c0e
SHA512b0a8b7fbaece30cf799154f095fb9d8904b3ce176c3b0aecf2bdf5825754547c089fb2e66a44c226de69925891a1774a8eb8a81d6552f1a002b70c3903082229
-
C:\Users\Admin\AppData\Local\Temp\cmd.exeFilesize
23KB
MD57c7c238e6dd52845112c299d914fd060
SHA138f816cfc0456892e2af0813b6123bddfe7d137a
SHA25636f3522312d37afed37fb86396c48cf4bb444f8cb1c67f4adedcdedaae7d3c0e
SHA512b0a8b7fbaece30cf799154f095fb9d8904b3ce176c3b0aecf2bdf5825754547c089fb2e66a44c226de69925891a1774a8eb8a81d6552f1a002b70c3903082229
-
\Users\Admin\AppData\Local\Temp\cmd.exeFilesize
23KB
MD57c7c238e6dd52845112c299d914fd060
SHA138f816cfc0456892e2af0813b6123bddfe7d137a
SHA25636f3522312d37afed37fb86396c48cf4bb444f8cb1c67f4adedcdedaae7d3c0e
SHA512b0a8b7fbaece30cf799154f095fb9d8904b3ce176c3b0aecf2bdf5825754547c089fb2e66a44c226de69925891a1774a8eb8a81d6552f1a002b70c3903082229
-
memory/1292-54-0x00000000762E1000-0x00000000762E3000-memory.dmpFilesize
8KB
-
memory/1292-55-0x0000000074B00000-0x00000000750AB000-memory.dmpFilesize
5.7MB
-
memory/1292-61-0x0000000074B00000-0x00000000750AB000-memory.dmpFilesize
5.7MB
-
memory/1932-63-0x0000000000000000-mapping.dmp
-
memory/2028-57-0x0000000000000000-mapping.dmp
-
memory/2028-62-0x0000000074B00000-0x00000000750AB000-memory.dmpFilesize
5.7MB
-
memory/2028-65-0x0000000074B00000-0x00000000750AB000-memory.dmpFilesize
5.7MB