Analysis
max time kernel: 152s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 24-11-2022 21:54
Behavioral task: behavioral1
Sample: 98319c8882f4f78cd685921fb0a7bdc6d7bd52aae8e6e480a9009d7aaa326e16.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 98319c8882f4f78cd685921fb0a7bdc6d7bd52aae8e6e480a9009d7aaa326e16.exe
Resource: win10v2004-20220812-en
General
Target: 98319c8882f4f78cd685921fb0a7bdc6d7bd52aae8e6e480a9009d7aaa326e16.exe
Size: 55KB
MD5: 7d4f891f353fbadcbf39634df6e9dc91
SHA1: a08cae72f2bc91883f307c384922fc1adcd2a2c7
SHA256: 98319c8882f4f78cd685921fb0a7bdc6d7bd52aae8e6e480a9009d7aaa326e16
SHA512: 9da0cedb556ba01dbf2f0c92b4cf6d69031cd69457bb3df21f174c252950518a6b2836ecee2e81c2c8245b49940a829c0ca2fd04db129f207e581eb5b87a0095
SSDEEP: 768:CygGGiYSj7hoB1b5U88cH1Ne5BKh0p29SgRczrH8zE85CNqlWVLRYe:CWGiYSj7hKXVWKhG29jczrH8j5C0e9f
Malware Config
Extracted
Family: njrat
Version: 0.6.4
Botnet: HacKed
C2: 127.0.0.1:1177
Mutex: 17e873bfcaa25c26ef0c2dc468367fc3
Attributes:
reg_key: 17e873bfcaa25c26ef0c2dc468367fc3
splitter: |'|'|
Signatures

Executes dropped EXE (2 IoCs)
Processes (pid, process):
- 1696 TempServer.exe
- 1420 jeux.exe

Modifies Windows Firewall (1 TTP, 1 IoC)

Drops startup file (2 IoCs)
Processes (description, ioc, process):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\17e873bfcaa25c26ef0c2dc468367fc3.exe (jeux.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\17e873bfcaa25c26ef0c2dc468367fc3.exe (jeux.exe)

Loads dropped DLL (2 IoCs)
Processes (pid, process):
- 1664 98319c8882f4f78cd685921fb0a7bdc6d7bd52aae8e6e480a9009d7aaa326e16.exe
- 1696 TempServer.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\17e873bfcaa25c26ef0c2dc468367fc3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\jeux.exe\" .." (jeux.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\17e873bfcaa25c26ef0c2dc468367fc3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\jeux.exe\" .." (jeux.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (20 IoCs)
Processes (pid, process):
- 1420 jeux.exe (this single entry is reported 20 times)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 1420 jeux.exe

Suspicious use of FindShellTrayWindow (1 IoC)
Processes (pid, process):
- 1040 DllHost.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description, pid, process, target process; each of the three entries is reported four times):
- PID 1664 wrote to memory of 1696: 98319c8882f4f78cd685921fb0a7bdc6d7bd52aae8e6e480a9009d7aaa326e16.exe -> TempServer.exe
- PID 1696 wrote to memory of 1420: TempServer.exe -> jeux.exe
- PID 1420 wrote to memory of 888: jeux.exe -> netsh.exe
Processes (indentation shows the parent/child tree; the number is the process depth)

1. C:\Users\Admin\AppData\Local\Temp\98319c8882f4f78cd685921fb0a7bdc6d7bd52aae8e6e480a9009d7aaa326e16.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\98319c8882f4f78cd685921fb0a7bdc6d7bd52aae8e6e480a9009d7aaa326e16.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\TempServer.exe
      Command line: "C:\Users\Admin\AppData\Local\TempServer.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\jeux.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\jeux.exe"
         - Executes dropped EXE
         - Drops startup file
         - Adds Run key to start application
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\netsh.exe
            Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\jeux.exe" "jeux.exe" ENABLE
            - Modifies Windows Firewall

1. C:\Windows\SysWOW64\DllHost.exe
   Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
   - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\TempServer.exe (also listed as \Users\Admin\AppData\Local\TempServer.exe)
Filesize: 29KB
MD5: 37ca368169ce0b732cfd74b18631b22d
SHA1: 09968c66e560df248ea23a921626b4a24a955a28
SHA256: 6312f259175d52f1b9dc55ad1c762be931cd166e9d6c157e567218847d925761
SHA512: 69149d741ac20767a4e5d375bfd288ea91dd0220f2aab75e802f1a208caba64fb054590177902abce72cb90cf970bed5f343e77981e19f8faab1c4d8843d5633

C:\Users\Admin\AppData\Local\Temp\jeux.exe (also listed as \Users\Admin\AppData\Local\Temp\jeux.exe; the hashes are identical to TempServer.exe, i.e. the same 29KB binary written to a second path)
Filesize: 29KB
MD5: 37ca368169ce0b732cfd74b18631b22d
SHA1: 09968c66e560df248ea23a921626b4a24a955a28
SHA256: 6312f259175d52f1b9dc55ad1c762be931cd166e9d6c157e567218847d925761
SHA512: 69149d741ac20767a4e5d375bfd288ea91dd0220f2aab75e802f1a208caba64fb054590177902abce72cb90cf970bed5f343e77981e19f8faab1c4d8843d5633

C:\Users\Admin\AppData\Roaming\sandra.jpg
Filesize: 9KB
MD5: 0c84ad2afd8f8860c63e82c7b54d7a69
SHA1: ffa55e18afe6bacff7c1f3636301514c51d3935b
SHA256: 6d94fff478b0ab95847764093f6c5e7abf06d9fd071fc2d52f02de42c3b3f916
SHA512: fda68102c5d45a94b1c5bba3bc92f6af068a031c79b9deb3ef6d616a5db061544773094f2ded27bf5fecabb12f2b25f6f9e2f878d77a3e85fba0c95b2d9ff8e1
Memory dumps (file name encodes pid, index and address range):
- memory/888-71-0x0000000000000000-mapping.dmp
- memory/1420-66-0x0000000000000000-mapping.dmp
- memory/1420-72-0x000000006EF60000-0x000000006F50B000-memory.dmp, Filesize: 5.7MB
- memory/1420-74-0x000000006EF60000-0x000000006F50B000-memory.dmp, Filesize: 5.7MB
- memory/1664-54-0x0000000000EA0000-0x0000000000EB6000-memory.dmp, Filesize: 88KB
- memory/1664-62-0x0000000000D25000-0x0000000000D36000-memory.dmp, Filesize: 68KB
- memory/1664-55-0x0000000075FB1000-0x0000000075FB3000-memory.dmp, Filesize: 8KB
- memory/1696-59-0x0000000000000000-mapping.dmp
- memory/1696-64-0x000000006EF60000-0x000000006F50B000-memory.dmp, Filesize: 5.7MB
- memory/1696-70-0x000000006EF60000-0x000000006F50B000-memory.dmp, Filesize: 5.7MB