Analysis

Max time kernel: 150s
Max time network: 167s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 23-11-2022 10:39
Static task: static1
Behavioral task: behavioral1
Sample: c16377a25b5e9888be5e7c46663a01a6f361fc0c70ba1b9e538805952490b9bc.exe
Resource: win7-20220812-en
General

Target: c16377a25b5e9888be5e7c46663a01a6f361fc0c70ba1b9e538805952490b9bc.exe
Size: 44KB
MD5: d2b8a106c29dac903ad8ebeb5fc84f6f
SHA1: 5b4fe7cd5a6444eaee074d214cfd0ed712d46b3c
SHA256: c16377a25b5e9888be5e7c46663a01a6f361fc0c70ba1b9e538805952490b9bc
SHA512: 596ca15887de0cec578609bf966149057dceda5edf732cb9f788536c28a2130d757909e459f0f2f1d3160e632d6431bf5c7a41ee6a2dcbcb8b6bb7a755ffbb04
SSDEEP: 768:YHPOFt6gtzDFHZiS1v+yBzrBQJRriq+9Q:uWUylr1vh3BQJRez9Q
Malware Config

Extracted:
Family: njrat
Version: 0.7d
Botnet: HaCkEr 8
C2: xxx99.zapto.org:88
a3d748392c83eb40cc2f4a5e2518c816 (unlabelled value in the extracted config; likely the mutex, and identical to reg_key below)
reg_key: a3d748392c83eb40cc2f4a5e2518c816
splitter: |'|'|
Signatures

Executes dropped EXE (2 IoCs)
Processes:
  PID   Process
  896   che0htx7ddBIfTLpGoKV.exe
  952   conhost.exe

Modifies Windows Firewall (1 TTPs, 1 IoCs)

Loads dropped DLL (2 IoCs)
Processes:
  PID   Process
  1880  c16377a25b5e9888be5e7c46663a01a6f361fc0c70ba1b9e538805952490b9bc.exe
  896   che0htx7ddBIfTLpGoKV.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (17 IoCs)
Processes:
  Description                               PID   Process
  Token: SeDebugPrivilege                   952   conhost.exe
  Token: 33 (×8)                            952   conhost.exe
  Token: SeIncBasePriorityPrivilege (×8)    952   conhost.exe
  (in the log the last two alternate, 33 then SeIncBasePriorityPrivilege, eight times)

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  Description                   PID    Process                                                                   Target process
  wrote to memory of 896 (×4)   1880   c16377a25b5e9888be5e7c46663a01a6f361fc0c70ba1b9e538805952490b9bc.exe    che0htx7ddBIfTLpGoKV.exe
  wrote to memory of 952 (×4)   896    che0htx7ddBIfTLpGoKV.exe                                                  conhost.exe
  wrote to memory of 900 (×4)   952    conhost.exe                                                               netsh.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\c16377a25b5e9888be5e7c46663a01a6f361fc0c70ba1b9e538805952490b9bc.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c16377a25b5e9888be5e7c46663a01a6f361fc0c70ba1b9e538805952490b9bc.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\che0htx7ddBIfTLpGoKV.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\che0htx7ddBIfTLpGoKV.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\conhost.exe
         (a dropped file in the user's Temp directory, not the system conhost.exe from C:\Windows\System32)
         Command line: "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\netsh.exe
            Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\conhost.exe" "conhost.exe" ENABLE
            - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\che0htx7ddBIfTLpGoKV.exe
  Filesize: 23KB
  MD5: 036d59f26793710fd58dbd3e1bd36cf7
  SHA1: a59a1193c66fdc51f7deeaba2a5d61f42c71dc04
  SHA256: 6521ae85edfdd75130e1401fc9a3040e422e4d5fd5a5f467c0602330adf08c6b
  SHA512: 3e65e4b7c6b52f9ff7f5853ea844aad55a41582d37d1e5870b92b5fe343d05c1b89ed75750259c897dec7dde62fb35cb709d6ca93c746b5062d9814e0e1487cf

C:\Users\Admin\AppData\Local\Temp\conhost.exe
  (same hashes as che0htx7ddBIfTLpGoKV.exe above, i.e. the same 23KB binary dropped under a second name)
  Filesize: 23KB
  MD5: 036d59f26793710fd58dbd3e1bd36cf7
  SHA1: a59a1193c66fdc51f7deeaba2a5d61f42c71dc04
  SHA256: 6521ae85edfdd75130e1401fc9a3040e422e4d5fd5a5f467c0602330adf08c6b
  SHA512: 3e65e4b7c6b52f9ff7f5853ea844aad55a41582d37d1e5870b92b5fe343d05c1b89ed75750259c897dec7dde62fb35cb709d6ca93c746b5062d9814e0e1487cf

Memory dumps

memory/896-62-0x0000000074740000-0x0000000074CEB000-memory.dmp: 5.7MB
memory/896-57-0x0000000000000000-mapping.dmp
memory/896-69-0x0000000074740000-0x0000000074CEB000-memory.dmp: 5.7MB
memory/896-70-0x0000000074740000-0x0000000074CEB000-memory.dmp: 5.7MB
memory/900-72-0x0000000000000000-mapping.dmp
memory/952-64-0x0000000000000000-mapping.dmp
memory/952-68-0x0000000074740000-0x0000000074CEB000-memory.dmp: 5.7MB
memory/952-71-0x0000000074740000-0x0000000074CEB000-memory.dmp: 5.7MB
memory/1880-61-0x0000000074740000-0x0000000074CEB000-memory.dmp: 5.7MB
memory/1880-54-0x0000000075201000-0x0000000075203000-memory.dmp: 8KB
memory/1880-55-0x0000000074740000-0x0000000074CEB000-memory.dmp: 5.7MB