Analysis
max time kernel: 194s
max time network: 227s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 22-11-2022 19:39

Static task: static1
Behavioral task: behavioral1
Sample: 769cc15b10655af128f470fafa6fcd9b674866471d961077364ebf0a879ffa0d.exe
Resource: win7-20221111-en
General
Target: 769cc15b10655af128f470fafa6fcd9b674866471d961077364ebf0a879ffa0d.exe
Size: 40KB
MD5: 76549b8baa923d9d124fce400c715f80
SHA1: 58b2c7bb1fb4c0c931cca5c28b13bf7c604be0db
SHA256: 769cc15b10655af128f470fafa6fcd9b674866471d961077364ebf0a879ffa0d
SHA512: 65b34b982745c291a3749250d1aaf43a1e72856166f09085f9e540f6ab3d63f4da692bab44f1d92257f47adbcf8517c2232d3a89a7f2addbbffdc7c73c22ceb0
SSDEEP: 768:zu72rHLuCsVwWmd3pgEwJ+i/cEwZeHh29l:6sH5sVwWmdZHG+iEEwgH09l
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: hacker
C2: xxx99.zapto.org:88
Mutex: 6f39b86be99d1b95bd864356980f5434
Attributes:
  reg_key: 6f39b86be99d1b95bd864356980f5434
  splitter: |'|'|
Signatures

Executes dropped EXE (2 IoCs)
Processes:
  pid 292  LG9NFELtAA4fSs0OcUn3.exe
  pid 368  svchost.exe

Modifies Windows Firewall (1 TTPs, 1 IoCs)

Loads dropped DLL (4 IoCs)
Processes:
  pid 1528  769cc15b10655af128f470fafa6fcd9b674866471d961077364ebf0a879ffa0d.exe  (2 entries)
  pid 292   LG9NFELtAA4fSs0OcUn3.exe  (2 entries)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (21 IoCs)
Processes (description / pid / process):
  Token: SeDebugPrivilege            368  svchost.exe  (1 entry)
  Token: 33                          368  svchost.exe  (10 entries)
  Token: SeIncBasePriorityPrivilege  368  svchost.exe  (10 entries)

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description / pid / process / target process):
  PID 1528 wrote to memory of 292  769cc15b10655af128f470fafa6fcd9b674866471d961077364ebf0a879ffa0d.exe -> LG9NFELtAA4fSs0OcUn3.exe  (4 entries)
  PID 292 wrote to memory of 368   LG9NFELtAA4fSs0OcUn3.exe -> svchost.exe  (4 entries)
  PID 368 wrote to memory of 752   svchost.exe -> netsh.exe  (4 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\769cc15b10655af128f470fafa6fcd9b674866471d961077364ebf0a879ffa0d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\769cc15b10655af128f470fafa6fcd9b674866471d961077364ebf0a879ffa0d.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\LG9NFELtAA4fSs0OcUn3.exe
      Command line: "C:\Users\Admin\AppData\Roaming\LG9NFELtAA4fSs0OcUn3.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\svchost.exe
         Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\netsh.exe
            Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
            - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

All dropped files below share one set of hashes:
  Filesize: 22KB
  MD5: 425ba8dbb73b62d374597c2d21711632
  SHA1: 21b7491b1ff64abf6dcdfdcefa7edf31227cf8cb
  SHA256: 93c1d2719c2c77db65b49ccd71c23cfea916bc214b83e2b5178596b22dd5f805
  SHA512: 5594554ade5c690626b7331d256891920833f1bedfc8a68e97a4c4bc5fae268213d93054aa35e847da7e71a5c4b15ce1259407c2e418967247fd8d39f9c04742

Paths:
  C:\Users\Admin\AppData\Roaming\LG9NFELtAA4fSs0OcUn3.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  \Users\Admin\AppData\Roaming\LG9NFELtAA4fSs0OcUn3.exe
  \Users\Admin\AppData\Roaming\svchost.exe
Memory dumps (dump / filesize):
  memory/292-69-0x0000000074A50000-0x0000000074FFB000-memory.dmp   5.7MB
  memory/292-62-0x0000000074A50000-0x0000000074FFB000-memory.dmp   5.7MB
  memory/292-57-0x0000000000000000-mapping.dmp
  memory/368-65-0x0000000000000000-mapping.dmp
  memory/368-70-0x0000000074A50000-0x0000000074FFB000-memory.dmp   5.7MB
  memory/368-73-0x0000000074A50000-0x0000000074FFB000-memory.dmp   5.7MB
  memory/752-71-0x0000000000000000-mapping.dmp
  memory/1528-61-0x0000000074A50000-0x0000000074FFB000-memory.dmp  5.7MB
  memory/1528-54-0x0000000076201000-0x0000000076203000-memory.dmp  8KB