Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 21-11-2022 23:16
Behavioral task: behavioral1
Sample: 4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9.exe
Resource: win10v2004-20220812-en
General
Target: 4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9.exe
Size: 29KB
MD5: cc1527601b9652935e9056cb92446af4
SHA1: aae8b36b18e40a006ce13e64b02c85e46e22f458
SHA256: 4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9
SHA512: 77d34263df5ef22f99c176020d5163b19b1392c6833da14d864e9762a6b9e4d11e3613a2a161937871150c80df0dd43d9edea1cee1e621c0d45a2047839172a5
SSDEEP: 768:4Qv/27NYsDkfZPoIqlHepBKh0p29SgRcr:tm7N143wEKhG29jcr
Malware Config
Extracted
Family: njrat
Version: 0.6.4
Botnet: system
C2: saadk.no-ip.biz:1177
Mutex: 12ce4e06a81e8d54fd01d9b762f1b1bb
reg_key: 12ce4e06a81e8d54fd01d9b762f1b1bb
splitter: |'|'|
Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid   process
  1936  system.exe

Modifies Windows Firewall (1 TTP, 1 IoC)

Loads dropped DLL (1 IoC)
Processes:
  pid   process
  1408  4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Set value (str) by system.exe:
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\12ce4e06a81e8d54fd01d9b762f1b1bb = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\system.exe\" .."
  Set value (str) by system.exe:
    \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\12ce4e06a81e8d54fd01d9b762f1b1bb = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\system.exe\" .."

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes:
  pid   process
  1936  system.exe (18 identical entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1936  system.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                      pid   process                                                                 target process
  PID 1408 wrote to memory of 1936 1408  4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9.exe  system.exe (4 identical entries)
  PID 1936 wrote to memory of 1928 1936  system.exe                                                              netsh.exe (4 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\system.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\system.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\system.exe" "system.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\system.exe
Filesize: 29KB
MD5: cc1527601b9652935e9056cb92446af4
SHA1: aae8b36b18e40a006ce13e64b02c85e46e22f458
SHA256: 4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9
SHA512: 77d34263df5ef22f99c176020d5163b19b1392c6833da14d864e9762a6b9e4d11e3613a2a161937871150c80df0dd43d9edea1cee1e621c0d45a2047839172a5
memory/1408-54-0x00000000750A1000-0x00000000750A3000-memory.dmp (Filesize: 8KB)
memory/1408-55-0x0000000074290000-0x000000007483B000-memory.dmp (Filesize: 5.7MB)
memory/1408-61-0x0000000074290000-0x000000007483B000-memory.dmp (Filesize: 5.7MB)
memory/1928-62-0x0000000000000000-mapping.dmp
memory/1936-57-0x0000000000000000-mapping.dmp
memory/1936-64-0x0000000074290000-0x000000007483B000-memory.dmp (Filesize: 5.7MB)
memory/1936-65-0x0000000074290000-0x000000007483B000-memory.dmp (Filesize: 5.7MB)