Analysis
- max time kernel: 152s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 23-11-2022 09:40
Behavioral task: behavioral1
- Sample: 70664d8f9052a7d96fade62f84010761aa10e68c7a03e8dc5785710f991b67e8.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 70664d8f9052a7d96fade62f84010761aa10e68c7a03e8dc5785710f991b67e8.exe
- Resource: win10v2004-20221111-en
General
- Target: 70664d8f9052a7d96fade62f84010761aa10e68c7a03e8dc5785710f991b67e8.exe
- Size: 29KB
- MD5: 394898effddbcb4730c06d1564af978d
- SHA1: 1eb2c9b1923ca8b9d8b3cdbef872506a6d74680d
- SHA256: 70664d8f9052a7d96fade62f84010761aa10e68c7a03e8dc5785710f991b67e8
- SHA512: 866c07fba65067545339f91335fca9c459f6bec20eaab28dfb53b68f73ac44a6a569490e17927c97cbac0e81c2826425908ce74a3524983dd243b7f3c0322f6c
- SSDEEP: 384:aBgJGJl7tj1Msagab1h5Vh+2CWmqDebD59ePbGBsbh0w4wlAokw9OhgOL1vYRGOG:aZ7nMsanzR+2cqEDveyBKh0p29SgRJO
Malware Config
Extracted
- Family: njrat
- Version: 0.6.4
- Campaign ID: HacKed
- C2: mhacker783.no-ip.org:1177
- Mutex: dda179c09ae689633f05cced9ee19fb5
- Attributes:
  reg_key: dda179c09ae689633f05cced9ee19fb5
  splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes: pid 1352, dwm.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Loads dropped DLL (1 IoC)
  Processes: pid 1504, 70664d8f9052a7d96fade62f84010761aa10e68c7a03e8dc5785710f991b67e8.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
  Set value (str) / \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dda179c09ae689633f05cced9ee19fb5 = "\"C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe\" .." / dwm.exe
  Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dda179c09ae689633f05cced9ee19fb5 = "\"C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe\" .." / dwm.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes: pid 1352, dwm.exe (16 identical events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process): Token: SeDebugPrivilege / 1352 / dwm.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description / pid / process / target process):
  PID 1504 wrote to memory of 1352 / 1504 / 70664d8f9052a7d96fade62f84010761aa10e68c7a03e8dc5785710f991b67e8.exe / dwm.exe (4 identical events)
  PID 1352 wrote to memory of 800 / 1352 / dwm.exe / netsh.exe (4 identical events)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\70664d8f9052a7d96fade62f84010761aa10e68c7a03e8dc5785710f991b67e8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\70664d8f9052a7d96fade62f84010761aa10e68c7a03e8dc5785710f991b67e8.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\dwm.exe
    Command line: "C:\Users\Admin\AppData\Roaming\dwm.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\dwm.exe" "dwm.exe" ENABLE
      - Modifies Windows Firewall
Downloads
- C:\Users\Admin\AppData\Roaming\dwm.exe
  Filesize: 29KB
  MD5: 394898effddbcb4730c06d1564af978d
  SHA1: 1eb2c9b1923ca8b9d8b3cdbef872506a6d74680d
  SHA256: 70664d8f9052a7d96fade62f84010761aa10e68c7a03e8dc5785710f991b67e8
  SHA512: 866c07fba65067545339f91335fca9c459f6bec20eaab28dfb53b68f73ac44a6a569490e17927c97cbac0e81c2826425908ce74a3524983dd243b7f3c0322f6c
- \Users\Admin\AppData\Roaming\dwm.exe
  Filesize: 29KB
  MD5: 394898effddbcb4730c06d1564af978d
  SHA1: 1eb2c9b1923ca8b9d8b3cdbef872506a6d74680d
  SHA256: 70664d8f9052a7d96fade62f84010761aa10e68c7a03e8dc5785710f991b67e8
  SHA512: 866c07fba65067545339f91335fca9c459f6bec20eaab28dfb53b68f73ac44a6a569490e17927c97cbac0e81c2826425908ce74a3524983dd243b7f3c0322f6c
- memory/800-62-0x0000000000000000-mapping.dmp
- memory/1352-57-0x0000000000000000-mapping.dmp
- memory/1352-63-0x0000000074C70000-0x000000007521B000-memory.dmp
  Filesize: 5.7MB
- memory/1352-65-0x0000000074C70000-0x000000007521B000-memory.dmp
  Filesize: 5.7MB
- memory/1504-54-0x00000000768A1000-0x00000000768A3000-memory.dmp
  Filesize: 8KB
- memory/1504-55-0x0000000074C70000-0x000000007521B000-memory.dmp
  Filesize: 5.7MB
- memory/1504-61-0x0000000074C70000-0x000000007521B000-memory.dmp
  Filesize: 5.7MB