Analysis
max time kernel: 152s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 30-10-2022 07:15
Static task: static1
Behavioral task: behavioral1
  Sample: fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4.exe
  Resource: win10v2004-20220812-en
General
Target: fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4.exe
Size: 131KB
MD5: 93c3392b91669a01cceb599296c3c2b0
SHA1: fbe8bae801d725dc2d40ce680e14f5b34a5737be
SHA256: fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4
SHA512: ef4b685c6c75f4f68c49a5ee119576cdec7b4a5abba61d2bca333be18225ac08da6ca8edf91e1bd5fd0fbede4b10b688b53b98a5b26bed7639a71a0a1332a610
SSDEEP: 3072:O/fCCPsG9etK87u1JdYVU10PIutREBO9qYDHa4rCcBM2v:OjP2KEhUWPIuPEOAYD64xf
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: yahoo
C2: 127.0.0.1:5552
Mutex: c20dc55207710c29d1db3ad3160138a1
Attributes:
  reg_key: c20dc55207710c29d1db3ad3160138a1
  splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    1724 yahoo.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Loads dropped DLL (1 IoCs)
  Processes (pid, process):
    1520 fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege            1724 yahoo.exe
    Token: 33                          1724 yahoo.exe
    Token: SeIncBasePriorityPrivilege  1724 yahoo.exe
    Token: 33                          1724 yahoo.exe
    Token: SeIncBasePriorityPrivilege  1724 yahoo.exe
    Token: 33                          1724 yahoo.exe
    Token: SeIncBasePriorityPrivilege  1724 yahoo.exe
    Token: 33                          1724 yahoo.exe
    Token: SeIncBasePriorityPrivilege  1724 yahoo.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
    PID 1520 wrote to memory of 1724  1520 fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4.exe  yahoo.exe
    PID 1520 wrote to memory of 1724  1520 fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4.exe  yahoo.exe
    PID 1520 wrote to memory of 1724  1520 fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4.exe  yahoo.exe
    PID 1520 wrote to memory of 1724  1520 fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4.exe  yahoo.exe
    PID 1724 wrote to memory of 1924  1724 yahoo.exe  netsh.exe
    PID 1724 wrote to memory of 1924  1724 yahoo.exe  netsh.exe
    PID 1724 wrote to memory of 1924  1724 yahoo.exe  netsh.exe
    PID 1724 wrote to memory of 1924  1724 yahoo.exe  netsh.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\yahoo.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\yahoo.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\yahoo.exe" "yahoo.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\yahoo.exe
  Filesize: 131KB
  MD5: 93c3392b91669a01cceb599296c3c2b0
  SHA1: fbe8bae801d725dc2d40ce680e14f5b34a5737be
  SHA256: fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4
  SHA512: ef4b685c6c75f4f68c49a5ee119576cdec7b4a5abba61d2bca333be18225ac08da6ca8edf91e1bd5fd0fbede4b10b688b53b98a5b26bed7639a71a0a1332a610
- \Users\Admin\AppData\Local\Temp\yahoo.exe
  Filesize: 131KB
  MD5: 93c3392b91669a01cceb599296c3c2b0
  SHA1: fbe8bae801d725dc2d40ce680e14f5b34a5737be
  SHA256: fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4
  SHA512: ef4b685c6c75f4f68c49a5ee119576cdec7b4a5abba61d2bca333be18225ac08da6ca8edf91e1bd5fd0fbede4b10b688b53b98a5b26bed7639a71a0a1332a610
- memory/1520-54-0x0000000000210000-0x0000000000236000-memory.dmp (Filesize: 152KB)
- memory/1520-55-0x0000000000490000-0x00000000004A2000-memory.dmp (Filesize: 72KB)
- memory/1520-56-0x0000000074D61000-0x0000000074D63000-memory.dmp (Filesize: 8KB)
- memory/1520-57-0x0000000001D10000-0x0000000001D38000-memory.dmp (Filesize: 160KB)
- memory/1520-58-0x0000000000580000-0x000000000058C000-memory.dmp (Filesize: 48KB)
- memory/1724-60-0x0000000000000000-mapping.dmp
- memory/1724-63-0x0000000000150000-0x0000000000176000-memory.dmp (Filesize: 152KB)
- memory/1924-65-0x0000000000000000-mapping.dmp