Analysis
Max time kernel: 115s
Max time network: 102s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 02-11-2022 22:19
Static task: static1
Behavioral task: behavioral1
  Sample: PO_Order_938340.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: PO_Order_938340.exe
  Resource: win10v2004-20220812-en
General
Target: PO_Order_938340.exe
Size: 10KB
MD5: 8b482947f8aa69e7f21bb5d51c363135
SHA1: c69562bcff1e0b2805ae38be46ec5f54bd2f6e6f
SHA256: fe131007f2c005a4141d5febb5b029bdabe5fc18de34edc10a8e98569e1ce8d5
SHA512: 766ade825736e72728767aea49aa184730a8ec39e8ff7559052d801273bd3eb85da3163b4c9979ab56cdc3d7e013fd224b141da477b36ee633028543cc9902e5
SSDEEP: 192:b0EWlq8R7nEywHjhqfLL9ONRjKdg8stYcFmVc03KY:b0EWlq+7EywHkfLL9ONRCgptYcFmVc06
Malware Config
Extracted family: njrat
Version: v2.0
C2 (host:port): money2022.ddns.net:8080
Unlabelled config fields as extracted: update, Windows
Attributes:
  reg_key: Windows
  splitter: |-F-|
Signatures

Executes dropped EXE (1 IoC)
  pid 704  update.exe

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk  (process: PO_Order_938340.exe)

Loads dropped DLL (1 IoC)
  pid 1916  PO_Order_938340.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ohtshj = "\"C:\\Users\\Admin\\AppData\\Roaming\\Cuyus\\Ohtshj.exe\""  (process: PO_Order_938340.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\update.exe"  (process: PO_Order_938340.exe)

Suspicious use of SetThreadContext (1 IoC)
  PID 1088 (PO_Order_938340.exe) set thread context of PID 1916 (PO_Order_938340.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 2040  powershell.exe
  pid 1532  powershell.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege  pid 1088  PO_Order_938340.exe
  Token: SeDebugPrivilege  pid 2040  powershell.exe
  Token: SeDebugPrivilege  pid 704   update.exe
  Token: SeDebugPrivilege  pid 1532  powershell.exe

Suspicious use of WriteProcessMemory (28 IoCs; identical entries grouped, count shown)
  PID 1088 (PO_Order_938340.exe) wrote to memory of PID 2040 (powershell.exe)        x4
  PID 1088 (PO_Order_938340.exe) wrote to memory of PID 1916 (PO_Order_938340.exe)  x9
  PID 1916 (PO_Order_938340.exe) wrote to memory of PID 704  (update.exe)            x7
  PID 1916 (PO_Order_938340.exe) wrote to memory of PID 1560 (attrib.exe)            x4
  PID 704  (update.exe)          wrote to memory of PID 1532 (powershell.exe)        x4

Views/modifies file attributes (1 TTP, 1 IoC)
Processes (indented by process-tree depth)

Depth 1: C:\Users\Admin\AppData\Local\Temp\PO_Order_938340.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO_Order_938340.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA2AA==
    (the -enc argument is base64 of UTF-16LE text and decodes to: Start-Sleep -Seconds 56)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  Depth 2: C:\Users\Admin\AppData\Local\Temp\PO_Order_938340.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\PO_Order_938340.exe
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Users\Admin\AppData\Roaming\update.exe
      Command line: "C:\Users\Admin\AppData\Roaming\update.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA2AA==
        (same encoded argument as above; decodes to: Start-Sleep -Seconds 56)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    Depth 3: C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\update.exe"
      - Views/modifies file attributes
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 61ccfb904e2c4c4ec98c0110a941276a
  SHA1: 80cd53158688f3f4cd56615fad51bcff15739581
  SHA256: 1e24c98fd4275062fda5a47af4d3a59a4aca7dd4edac58515cca8ed97fd8c5e8
  SHA512: 0b137e6350e4d41e6fb025591aa7296c6b3571b525bab7e741849749bcc023f15761bdd96669e5272426fca45d6e70097b01047f07e9918d44119a9875c22bce

C:\Users\Admin\AppData\Roaming\update.exe
  Filesize: 10KB
  MD5: 8b482947f8aa69e7f21bb5d51c363135
  SHA1: c69562bcff1e0b2805ae38be46ec5f54bd2f6e6f
  SHA256: fe131007f2c005a4141d5febb5b029bdabe5fc18de34edc10a8e98569e1ce8d5
  SHA512: 766ade825736e72728767aea49aa184730a8ec39e8ff7559052d801273bd3eb85da3163b4c9979ab56cdc3d7e013fd224b141da477b36ee633028543cc9902e5

C:\Users\Admin\AppData\Roaming\update.exe
  Filesize: 10KB
  MD5: 8b482947f8aa69e7f21bb5d51c363135
  SHA1: c69562bcff1e0b2805ae38be46ec5f54bd2f6e6f
  SHA256: fe131007f2c005a4141d5febb5b029bdabe5fc18de34edc10a8e98569e1ce8d5
  SHA512: 766ade825736e72728767aea49aa184730a8ec39e8ff7559052d801273bd3eb85da3163b4c9979ab56cdc3d7e013fd224b141da477b36ee633028543cc9902e5

\Users\Admin\AppData\Roaming\update.exe
  Filesize: 10KB
  MD5: 8b482947f8aa69e7f21bb5d51c363135
  SHA1: c69562bcff1e0b2805ae38be46ec5f54bd2f6e6f
  SHA256: fe131007f2c005a4141d5febb5b029bdabe5fc18de34edc10a8e98569e1ce8d5
  SHA512: 766ade825736e72728767aea49aa184730a8ec39e8ff7559052d801273bd3eb85da3163b4c9979ab56cdc3d7e013fd224b141da477b36ee633028543cc9902e5

Memory dumps (pid-index-range):
  memory/704-75-0x0000000000000000-mapping.dmp
  memory/704-78-0x0000000000230000-0x0000000000238000-memory.dmp   Filesize: 32KB
  memory/1088-55-0x0000000075241000-0x0000000075243000-memory.dmp  Filesize: 8KB
  memory/1088-56-0x0000000007E00000-0x0000000007FF4000-memory.dmp  Filesize: 2.0MB
  memory/1088-54-0x0000000000140000-0x0000000000148000-memory.dmp  Filesize: 32KB
  memory/1532-85-0x000000006F050000-0x000000006F5FB000-memory.dmp  Filesize: 5.7MB
  memory/1532-81-0x0000000000000000-mapping.dmp
  memory/1532-84-0x000000006F050000-0x000000006F5FB000-memory.dmp  Filesize: 5.7MB
  memory/1560-79-0x0000000000000000-mapping.dmp
  memory/1916-68-0x000000000040837E-mapping.dmp
  memory/1916-72-0x0000000000400000-0x000000000040E000-memory.dmp  Filesize: 56KB
  memory/1916-70-0x0000000000400000-0x000000000040E000-memory.dmp  Filesize: 56KB
  memory/1916-67-0x0000000000400000-0x000000000040E000-memory.dmp  Filesize: 56KB
  memory/1916-66-0x0000000000400000-0x000000000040E000-memory.dmp  Filesize: 56KB
  memory/1916-65-0x0000000000400000-0x000000000040E000-memory.dmp  Filesize: 56KB
  memory/1916-63-0x0000000000400000-0x000000000040E000-memory.dmp  Filesize: 56KB
  memory/1916-62-0x0000000000400000-0x000000000040E000-memory.dmp  Filesize: 56KB
  memory/2040-61-0x000000006F600000-0x000000006FBAB000-memory.dmp  Filesize: 5.7MB
  memory/2040-60-0x000000006F600000-0x000000006FBAB000-memory.dmp  Filesize: 5.7MB
  memory/2040-59-0x000000006F600000-0x000000006FBAB000-memory.dmp  Filesize: 5.7MB
  memory/2040-57-0x0000000000000000-mapping.dmp