57857afb9f6e93b2aa6906f04ef44561d47c0d523512d7a92dfdfcac601c059e

Analysis

max time kernel
41s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 08:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57857afb9f6e93b2aa6906f04ef44561d47c0d523512d7a92dfdfcac601c059e.exe
Size

262KB
MD5

808e73257a72ac25cc88f950a8551540
SHA1

7f1d9fb6a444d3faddd8a45480be8e8e9c3a8c67
SHA256

57857afb9f6e93b2aa6906f04ef44561d47c0d523512d7a92dfdfcac601c059e
SHA512

bb37216d75c87ab3ff7283af270a7d5558e0976a15680438a082d91805cd8ee7342002b8f98b440144821b677990ff461bf6bb8f69cd8ae385a9238c5795e86b
SSDEEP

6144:b1dlZro5yD9YWSHyx5TKdcGhvJOzDTlO6JfLL:b1dlZo5yRsKocKJOzX3

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1716	NjRat 0.5.0.exe

Loads dropped DLL 3 IoCs

pid	Process
1752	57857afb9f6e93b2aa6906f04ef44561d47c0d523512d7a92dfdfcac601c059e.exe
1752	57857afb9f6e93b2aa6906f04ef44561d47c0d523512d7a92dfdfcac601c059e.exe
1660	dw20.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 1716	1752	57857afb9f6e93b2aa6906f04ef44561d47c0d523512d7a92dfdfcac601c059e.exe	28
PID 1752 wrote to memory of 1716	1752	57857afb9f6e93b2aa6906f04ef44561d47c0d523512d7a92dfdfcac601c059e.exe	28
PID 1752 wrote to memory of 1716	1752	57857afb9f6e93b2aa6906f04ef44561d47c0d523512d7a92dfdfcac601c059e.exe	28
PID 1752 wrote to memory of 1716	1752	57857afb9f6e93b2aa6906f04ef44561d47c0d523512d7a92dfdfcac601c059e.exe	28
PID 1716 wrote to memory of 1660	1716	NjRat 0.5.0.exe	29
PID 1716 wrote to memory of 1660	1716	NjRat 0.5.0.exe	29
PID 1716 wrote to memory of 1660	1716	NjRat 0.5.0.exe	29
PID 1716 wrote to memory of 1660	1716	NjRat 0.5.0.exe	29

C:\Users\Admin\AppData\Local\Temp\57857afb9f6e93b2aa6906f04ef44561d47c0d523512d7a92dfdfcac601c059e.exe
"C:\Users\Admin\AppData\Local\Temp\57857afb9f6e93b2aa6906f04ef44561d47c0d523512d7a92dfdfcac601c059e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Extracted\NjRat 0.5.0.exe
  "C:\Extracted\NjRat 0.5.0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 448
    3⤵
    - Loads dropped DLL
    PID:1660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Extracted\NjRat 0.5.0.exe

Filesize
216KB

MD5
630ccd444d5919d31cc7d7b921afabfa

SHA1
65d6526efb83c45eb6199d1e1bc8b03fa3afe4be

SHA256
6739b9e9848b155593fd71e6dfa0858aaf80b8be9e856f856c3bcca44e98bfec

SHA512
fe585222ed861680601be3276524e936a2a5a3010400a4d0073f85a0cb2350b3269a8a9455c11b63b8cba31abcea205ffc81aff1f8c058e6a2378b6e725e6d28

Download Submit
C:\Extracted\NjRat 0.5.0.exe

Filesize
216KB

MD5
630ccd444d5919d31cc7d7b921afabfa

SHA1
65d6526efb83c45eb6199d1e1bc8b03fa3afe4be

SHA256
6739b9e9848b155593fd71e6dfa0858aaf80b8be9e856f856c3bcca44e98bfec

SHA512
fe585222ed861680601be3276524e936a2a5a3010400a4d0073f85a0cb2350b3269a8a9455c11b63b8cba31abcea205ffc81aff1f8c058e6a2378b6e725e6d28

Download Submit
\Extracted\NjRat 0.5.0.exe

Filesize
216KB

MD5
630ccd444d5919d31cc7d7b921afabfa

SHA1
65d6526efb83c45eb6199d1e1bc8b03fa3afe4be

SHA256
6739b9e9848b155593fd71e6dfa0858aaf80b8be9e856f856c3bcca44e98bfec

SHA512
fe585222ed861680601be3276524e936a2a5a3010400a4d0073f85a0cb2350b3269a8a9455c11b63b8cba31abcea205ffc81aff1f8c058e6a2378b6e725e6d28

Download Submit
\Extracted\NjRat 0.5.0.exe

Filesize
216KB

MD5
630ccd444d5919d31cc7d7b921afabfa

SHA1
65d6526efb83c45eb6199d1e1bc8b03fa3afe4be

SHA256
6739b9e9848b155593fd71e6dfa0858aaf80b8be9e856f856c3bcca44e98bfec

SHA512
fe585222ed861680601be3276524e936a2a5a3010400a4d0073f85a0cb2350b3269a8a9455c11b63b8cba31abcea205ffc81aff1f8c058e6a2378b6e725e6d28

Download Submit
\Extracted\NjRat 0.5.0.exe

Filesize
216KB

MD5
630ccd444d5919d31cc7d7b921afabfa

SHA1
65d6526efb83c45eb6199d1e1bc8b03fa3afe4be

SHA256
6739b9e9848b155593fd71e6dfa0858aaf80b8be9e856f856c3bcca44e98bfec

SHA512
fe585222ed861680601be3276524e936a2a5a3010400a4d0073f85a0cb2350b3269a8a9455c11b63b8cba31abcea205ffc81aff1f8c058e6a2378b6e725e6d28

Download Submit
memory/1716-61-0x00000000747A0000-0x0000000074D4B000-memory.dmp

Filesize
5.7MB

Download
memory/1716-65-0x00000000747A0000-0x0000000074D4B000-memory.dmp

Filesize
5.7MB

Download
memory/1752-54-0x0000000076261000-0x0000000076263000-memory.dmp

Filesize
8KB

Download