Analysis
- max time kernel: 149s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 24-11-2022 22:42
Behavioral task: behavioral1
- Sample: 88bcb388d5f63a2afa5342ba135daa675b2db66cb3c88756f825c73f1af18c6c.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 88bcb388d5f63a2afa5342ba135daa675b2db66cb3c88756f825c73f1af18c6c.exe
- Resource: win10v2004-20221111-en
General
- Target: 88bcb388d5f63a2afa5342ba135daa675b2db66cb3c88756f825c73f1af18c6c.exe
- Size: 172KB
- MD5: 7deb2b41e5fd27715f608ceabdd9ae2b
- SHA1: d4b03081a7bd074bcf67feca5cac7b72d3058de7
- SHA256: 88bcb388d5f63a2afa5342ba135daa675b2db66cb3c88756f825c73f1af18c6c
- SHA512: be6e040236b5e51fb45b7b5c7b42fd0ab8c5ab1b97a545e091dfcc42475a3282ab85368e2b4f9b90bde927d1f5c20ac07e3dcf9894ab5968d9bbeebf13a78b2f
- SSDEEP: 3072:9Scwb0MQmRobmkR7HdbsLR8cy2FnFBmy722Vd94O/ILBkMuszHM1tOW7:eRS7E8cdTBRi2Z4vCMusA142
Malware Config
Extracted: njrat
- 0.7d
- HacKed
- 127.0.0.1:5552
- 279f6960ed84a752570aca7fb2dc1552
- reg_key: 279f6960ed84a752570aca7fb2dc1552
- splitter: |'|'|
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
  - PID 624: LocalZzrUhG_cnh.exe
  - PID 1772: server.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Loads dropped DLL (1 IoC)
  Processes:
  - PID 624: LocalZzrUhG_cnh.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  - server.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\279f6960ed84a752570aca7fb2dc1552 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
  - server.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\279f6960ed84a752570aca7fb2dc1552 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (17 IoCs)
  Processes (all entries: PID 1772 server.exe):
  - Token: SeDebugPrivilege
  - Token: 33
  - Token: SeIncBasePriorityPrivilege
  - Token: 33
  - Token: SeIncBasePriorityPrivilege
  - Token: 33
  - Token: SeIncBasePriorityPrivilege
  - Token: 33
  - Token: SeIncBasePriorityPrivilege
  - Token: 33
  - Token: SeIncBasePriorityPrivilege
  - Token: 33
  - Token: SeIncBasePriorityPrivilege
  - Token: 33
  - Token: SeIncBasePriorityPrivilege
  - Token: 33
  - Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source PID wrote to memory of target PID; source process -> target process):
  - PID 1428 wrote to memory of 624; 88bcb388d5f63a2afa5342ba135daa675b2db66cb3c88756f825c73f1af18c6c.exe -> LocalZzrUhG_cnh.exe
  - PID 1428 wrote to memory of 624; 88bcb388d5f63a2afa5342ba135daa675b2db66cb3c88756f825c73f1af18c6c.exe -> LocalZzrUhG_cnh.exe
  - PID 1428 wrote to memory of 624; 88bcb388d5f63a2afa5342ba135daa675b2db66cb3c88756f825c73f1af18c6c.exe -> LocalZzrUhG_cnh.exe
  - PID 1428 wrote to memory of 624; 88bcb388d5f63a2afa5342ba135daa675b2db66cb3c88756f825c73f1af18c6c.exe -> LocalZzrUhG_cnh.exe
  - PID 624 wrote to memory of 1772; LocalZzrUhG_cnh.exe -> server.exe
  - PID 624 wrote to memory of 1772; LocalZzrUhG_cnh.exe -> server.exe
  - PID 624 wrote to memory of 1772; LocalZzrUhG_cnh.exe -> server.exe
  - PID 624 wrote to memory of 1772; LocalZzrUhG_cnh.exe -> server.exe
  - PID 1772 wrote to memory of 1384; server.exe -> netsh.exe
  - PID 1772 wrote to memory of 1384; server.exe -> netsh.exe
  - PID 1772 wrote to memory of 1384; server.exe -> netsh.exe
  - PID 1772 wrote to memory of 1384; server.exe -> netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\88bcb388d5f63a2afa5342ba135daa675b2db66cb3c88756f825c73f1af18c6c.exe (PID 1428)
  Command line: "C:\Users\Admin\AppData\Local\Temp\88bcb388d5f63a2afa5342ba135daa675b2db66cb3c88756f825c73f1af18c6c.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\LocalZzrUhG_cnh.exe (PID 624)
    Command line: "C:\Users\Admin\AppData\LocalZzrUhG_cnh.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\server.exe (PID 1772)
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\netsh.exe (PID 1384)
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\LocalZzrUhG_cnh.exe
  Filesize: 23KB
  MD5: 7c23813078eefe31daabe358559c859d
  SHA1: ca13c407687b8281a32ea170c0cb1bc717625d41
  SHA256: c563b48eca111097629b0610ed787d8fbeee23e2005030ee313290acd742940f
  SHA512: f1839cc2cccde27c3db58687a60b88361ae2570cb8865343ce10ef4c6dec7185b48d158c8e5e4b1a3a4e1ae6c7d9a5e2001ee507225b0887ee23084a6dc84ae2
- C:\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 23KB
  MD5: 7c23813078eefe31daabe358559c859d
  SHA1: ca13c407687b8281a32ea170c0cb1bc717625d41
  SHA256: c563b48eca111097629b0610ed787d8fbeee23e2005030ee313290acd742940f
  SHA512: f1839cc2cccde27c3db58687a60b88361ae2570cb8865343ce10ef4c6dec7185b48d158c8e5e4b1a3a4e1ae6c7d9a5e2001ee507225b0887ee23084a6dc84ae2
- memory/624-68-0x0000000074B20000-0x00000000750CB000-memory.dmp (5.7MB)
- memory/624-60-0x0000000076261000-0x0000000076263000-memory.dmp (8KB)
- memory/624-61-0x0000000074B20000-0x00000000750CB000-memory.dmp (5.7MB)
- memory/624-62-0x0000000074B20000-0x00000000750CB000-memory.dmp (5.7MB)
- memory/624-56-0x0000000000000000-mapping.dmp
- memory/1384-70-0x0000000000000000-mapping.dmp
- memory/1428-59-0x000000001ADA0000-0x000000001ADB0000-memory.dmp (64KB)
- memory/1428-55-0x000007FEFC0D1000-0x000007FEFC0D3000-memory.dmp (8KB)
- memory/1428-54-0x000007FEF46F0000-0x000007FEF5113000-memory.dmp (10.1MB)
- memory/1772-64-0x0000000000000000-mapping.dmp
- memory/1772-69-0x0000000074B20000-0x00000000750CB000-memory.dmp (5.7MB)
- memory/1772-72-0x0000000074B20000-0x00000000750CB000-memory.dmp (5.7MB)