Analysis
max time kernel: 151s
max time network: 49s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 07/11/2022, 05:36
Static task: static1
Behavioral task: behavioral1
Sample: b0ca0c818554939b2e8043c4605298f8f2ab0071cafddaf36d6a08684f5a2d02.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: b0ca0c818554939b2e8043c4605298f8f2ab0071cafddaf36d6a08684f5a2d02.exe
Resource: win10v2004-20220812-en
General
Target: b0ca0c818554939b2e8043c4605298f8f2ab0071cafddaf36d6a08684f5a2d02.exe
Size: 759KB
MD5: 02cf06a70cf46b0c7a09db8531bebb50
SHA1: f6e7407628eb18ae391a44396e7e1993dd28e2ce
SHA256: b0ca0c818554939b2e8043c4605298f8f2ab0071cafddaf36d6a08684f5a2d02
SHA512: 53d1ac6f87b16cc377909f53d2f5fd691476e8f896b7307eda5e118239a5116c150f11a0746a7ea103edcfeb2ff934aa8d6977eca862e2735a7d4403ccb8e7da
SSDEEP: 12288:O1dlZo5y/RjeQE0A5U/ZvUzTdJCJ5/rcIpwOGSgO8AtmuasL/OeTk2CcpqItSPBS:O1dlZo5YRCQE9U/hUlw7n6SB/OrYqI8Y
Malware Config
Extracted
njrat
0.6.4
FUcKed
nigro02.no-ip.info:1177
8b6c724afb458a51b8bbc1984d95f348
reg_key: 8b6c724afb458a51b8bbc1984d95f348
splitter: |'|'|
Signatures

Executes dropped EXE (3 IoCs)
pid  Process
1028 idm.exe
1224 srvhost.exe
1824 Creative Cloud Set-Up.exe

Modifies Windows Firewall (1 TTPs, 1 IoCs)
pid  Process
972  netsh.exe

Drops startup file (2 IoCs)
description                   ioc                                                                                                          Process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8b6c724afb458a51b8bbc1984d95f348.exe  srvhost.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8b6c724afb458a51b8bbc1984d95f348.exe  srvhost.exe

Loads dropped DLL (3 IoCs)
pid  Process
1044 b0ca0c818554939b2e8043c4605298f8f2ab0071cafddaf36d6a08684f5a2d02.exe
1044 b0ca0c818554939b2e8043c4605298f8f2ab0071cafddaf36d6a08684f5a2d02.exe
1044 b0ca0c818554939b2e8043c4605298f8f2ab0071cafddaf36d6a08684f5a2d02.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description      ioc                                                                                                                                                                                   Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\8b6c724afb458a51b8bbc1984d95f348 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\srvhost.exe\" .."  srvhost.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8b6c724afb458a51b8bbc1984d95f348 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\srvhost.exe\" .."  srvhost.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid  Process
1224 srvhost.exe (12 identical entries)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description              pid  Process
Token: SeDebugPrivilege  1224 srvhost.exe

Suspicious use of WriteProcessMemory (14 IoCs)
description                       pid  Process                                                                  procid_target
PID 1044 wrote to memory of 1028  1044 b0ca0c818554939b2e8043c4605298f8f2ab0071cafddaf36d6a08684f5a2d02.exe  27
PID 1044 wrote to memory of 1028  1044 b0ca0c818554939b2e8043c4605298f8f2ab0071cafddaf36d6a08684f5a2d02.exe  27
PID 1044 wrote to memory of 1028  1044 b0ca0c818554939b2e8043c4605298f8f2ab0071cafddaf36d6a08684f5a2d02.exe  27
PID 1044 wrote to memory of 1028  1044 b0ca0c818554939b2e8043c4605298f8f2ab0071cafddaf36d6a08684f5a2d02.exe  27
PID 1028 wrote to memory of 1224  1028 idm.exe                                                                  28
PID 1028 wrote to memory of 1224  1028 idm.exe                                                                  28
PID 1028 wrote to memory of 1224  1028 idm.exe                                                                  28
PID 1224 wrote to memory of 972   1224 srvhost.exe                                                              29
PID 1224 wrote to memory of 972   1224 srvhost.exe                                                              29
PID 1224 wrote to memory of 972   1224 srvhost.exe                                                              29
PID 1044 wrote to memory of 1824  1044 b0ca0c818554939b2e8043c4605298f8f2ab0071cafddaf36d6a08684f5a2d02.exe  30
PID 1044 wrote to memory of 1824  1044 b0ca0c818554939b2e8043c4605298f8f2ab0071cafddaf36d6a08684f5a2d02.exe  30
PID 1044 wrote to memory of 1824  1044 b0ca0c818554939b2e8043c4605298f8f2ab0071cafddaf36d6a08684f5a2d02.exe  30
PID 1044 wrote to memory of 1824  1044 b0ca0c818554939b2e8043c4605298f8f2ab0071cafddaf36d6a08684f5a2d02.exe  30
Processes

1. C:\Users\Admin\AppData\Local\Temp\b0ca0c818554939b2e8043c4605298f8f2ab0071cafddaf36d6a08684f5a2d02.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b0ca0c818554939b2e8043c4605298f8f2ab0071cafddaf36d6a08684f5a2d02.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 1044

   2. C:\Extracted\idm.exe
      Command line: "C:\Extracted\idm.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 1028

      3. C:\Users\Admin\AppData\Local\Temp\srvhost.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\srvhost.exe"
         - Executes dropped EXE
         - Drops startup file
         - Adds Run key to start application
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         PID: 1224

         4. C:\Windows\system32\netsh.exe
            Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\srvhost.exe" "srvhost.exe" ENABLE
            - Modifies Windows Firewall
            PID: 972

   2. C:\Extracted\Creative Cloud Set-Up.exe
      Command line: "C:\Extracted\Creative Cloud Set-Up.exe"
      - Executes dropped EXE
      PID: 1824
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 600KB
MD5: 1d021a009ba55f3843403a738e4b4a6b
SHA1: 16916fc5c8701f899b420a4b487f41f85b438075
SHA256: 42baf8c8943c905f8ed860ada40f30559f8b63ec8f7635148345a611d2495f00
SHA512: 0df78ba3665efaf6c6649b88a44e74a2b83ac0ed02e55ab0bc9b333ae177c437dbda0022f73ac46928f82b0edb511a71cf860f3ae645a7ce3707fddcf8e3d72c

Filesize: 93KB
MD5: 5b010258a27e8e3398bf3c5a30c5f132
SHA1: 8c567f40a929893588c138eb0d0a5795e31edf3e
SHA256: fe32ac4d77d96712c44416c0b73a8dd0f06423a28e950a9f0105699e35fd955e
SHA512: 26cd4e676f6b464f460a8cb16b9fcd1a225805eb395f76427578d95f16fd496855410212a972bdb4638f9f36028f1bf5d3f21fb5769b9e530af66b6c130992b8

Filesize: 93KB
MD5: 5b010258a27e8e3398bf3c5a30c5f132
SHA1: 8c567f40a929893588c138eb0d0a5795e31edf3e
SHA256: fe32ac4d77d96712c44416c0b73a8dd0f06423a28e950a9f0105699e35fd955e
SHA512: 26cd4e676f6b464f460a8cb16b9fcd1a225805eb395f76427578d95f16fd496855410212a972bdb4638f9f36028f1bf5d3f21fb5769b9e530af66b6c130992b8

Filesize: 93KB
MD5: 5b010258a27e8e3398bf3c5a30c5f132
SHA1: 8c567f40a929893588c138eb0d0a5795e31edf3e
SHA256: fe32ac4d77d96712c44416c0b73a8dd0f06423a28e950a9f0105699e35fd955e
SHA512: 26cd4e676f6b464f460a8cb16b9fcd1a225805eb395f76427578d95f16fd496855410212a972bdb4638f9f36028f1bf5d3f21fb5769b9e530af66b6c130992b8

Filesize: 93KB
MD5: 5b010258a27e8e3398bf3c5a30c5f132
SHA1: 8c567f40a929893588c138eb0d0a5795e31edf3e
SHA256: fe32ac4d77d96712c44416c0b73a8dd0f06423a28e950a9f0105699e35fd955e
SHA512: 26cd4e676f6b464f460a8cb16b9fcd1a225805eb395f76427578d95f16fd496855410212a972bdb4638f9f36028f1bf5d3f21fb5769b9e530af66b6c130992b8

Filesize: 600KB
MD5: 1d021a009ba55f3843403a738e4b4a6b
SHA1: 16916fc5c8701f899b420a4b487f41f85b438075
SHA256: 42baf8c8943c905f8ed860ada40f30559f8b63ec8f7635148345a611d2495f00
SHA512: 0df78ba3665efaf6c6649b88a44e74a2b83ac0ed02e55ab0bc9b333ae177c437dbda0022f73ac46928f82b0edb511a71cf860f3ae645a7ce3707fddcf8e3d72c

Filesize: 600KB
MD5: 1d021a009ba55f3843403a738e4b4a6b
SHA1: 16916fc5c8701f899b420a4b487f41f85b438075
SHA256: 42baf8c8943c905f8ed860ada40f30559f8b63ec8f7635148345a611d2495f00
SHA512: 0df78ba3665efaf6c6649b88a44e74a2b83ac0ed02e55ab0bc9b333ae177c437dbda0022f73ac46928f82b0edb511a71cf860f3ae645a7ce3707fddcf8e3d72c

Filesize: 93KB
MD5: 5b010258a27e8e3398bf3c5a30c5f132
SHA1: 8c567f40a929893588c138eb0d0a5795e31edf3e
SHA256: fe32ac4d77d96712c44416c0b73a8dd0f06423a28e950a9f0105699e35fd955e
SHA512: 26cd4e676f6b464f460a8cb16b9fcd1a225805eb395f76427578d95f16fd496855410212a972bdb4638f9f36028f1bf5d3f21fb5769b9e530af66b6c130992b8