Analysis
- max time kernel: 41s
- max time network: 35s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 24-11-2022 20:58
Behavioral task: behavioral1
- Sample: aacd16a5525ab0e1e690839933296f051279e11ea39b31e003f5b6cdaf69591d.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: aacd16a5525ab0e1e690839933296f051279e11ea39b31e003f5b6cdaf69591d.exe
- Resource: win10v2004-20221111-en
General
- Target: aacd16a5525ab0e1e690839933296f051279e11ea39b31e003f5b6cdaf69591d.exe
- Size: 232KB
- MD5: 078c443bcef55469d0e676bfdb3657da
- SHA1: d2f776086636685bbfff14350a4dad829fdfc930
- SHA256: aacd16a5525ab0e1e690839933296f051279e11ea39b31e003f5b6cdaf69591d
- SHA512: 078bbe71d9deea47947932bbc5fb79de21ba812cbb0274194fc347640420a4335cdf6c060de5a5fe4a0f237cd0d295d6131d6795bd1c081df9881b15150193eb
- SSDEEP: 3072:f6MMA29HPwr/7bn8fgNYg2hilnsf+odkFX4CDlpj3sRpPeQZ3NM:c9vwrX8kY3hino+aCDrIRNeQZN
Malware Config
Extracted
- Family: njrat
- Version: 0.6.4
- Campaign/botnet ID: HacKed
- C2: gabrireimice.no-ip.biz:1177
- Mutex: 7d31449cc24545e5baf7b7e98c5e61d9
- reg_key: 7d31449cc24545e5baf7b7e98c5e61d9
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes: Explorer.exe (PID 332)
- Loads dropped DLL (1 IoC)
  Processes: aacd16a5525ab0e1e690839933296f051279e11ea39b31e003f5b6cdaf69591d.exe (PID 1120)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (source PID, source process -> target PID, target process), 4 identical entries:
  PID 1120 aacd16a5525ab0e1e690839933296f051279e11ea39b31e003f5b6cdaf69591d.exe wrote to memory of PID 332 Explorer.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\aacd16a5525ab0e1e690839933296f051279e11ea39b31e003f5b6cdaf69591d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\aacd16a5525ab0e1e690839933296f051279e11ea39b31e003f5b6cdaf69591d.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Roaming\Explorer.exe (child of process 1)
   Command line: "C:\Users\Admin\AppData\Roaming\Explorer.exe"
   - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Explorer.exe
  Filesize: 232KB
  MD5: 078c443bcef55469d0e676bfdb3657da
  SHA1: d2f776086636685bbfff14350a4dad829fdfc930
  SHA256: aacd16a5525ab0e1e690839933296f051279e11ea39b31e003f5b6cdaf69591d
  SHA512: 078bbe71d9deea47947932bbc5fb79de21ba812cbb0274194fc347640420a4335cdf6c060de5a5fe4a0f237cd0d295d6131d6795bd1c081df9881b15150193eb
- C:\Users\Admin\AppData\Roaming\Explorer.exe
  Filesize: 232KB
  MD5: 078c443bcef55469d0e676bfdb3657da
  SHA1: d2f776086636685bbfff14350a4dad829fdfc930
  SHA256: aacd16a5525ab0e1e690839933296f051279e11ea39b31e003f5b6cdaf69591d
  SHA512: 078bbe71d9deea47947932bbc5fb79de21ba812cbb0274194fc347640420a4335cdf6c060de5a5fe4a0f237cd0d295d6131d6795bd1c081df9881b15150193eb
- \Users\Admin\AppData\Roaming\Explorer.exe
  Filesize: 232KB
  MD5: 078c443bcef55469d0e676bfdb3657da
  SHA1: d2f776086636685bbfff14350a4dad829fdfc930
  SHA256: aacd16a5525ab0e1e690839933296f051279e11ea39b31e003f5b6cdaf69591d
  SHA512: 078bbe71d9deea47947932bbc5fb79de21ba812cbb0274194fc347640420a4335cdf6c060de5a5fe4a0f237cd0d295d6131d6795bd1c081df9881b15150193eb
- memory/332-56-0x0000000000000000-mapping.dmp
- memory/332-61-0x0000000073EC0000-0x000000007446B000-memory.dmp
  Filesize: 5.7MB
- memory/1120-54-0x0000000075891000-0x0000000075893000-memory.dmp
  Filesize: 8KB
- memory/1120-60-0x0000000073EC0000-0x000000007446B000-memory.dmp
  Filesize: 5.7MB