Analysis
Max time kernel: 148s
Max time network: 153s
Platform: windows7_x64
Resource: win7-20220901-en
Resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
Submitted: 25-11-2022 23:39
Behavioral task
behavioral1
Sample: 9f42320dfbf5defbe21455ef824e711a5e603703631d9f1669abe8b6d54fcdf1.exe
Resource: win7-20220901-en
General
Target: 9f42320dfbf5defbe21455ef824e711a5e603703631d9f1669abe8b6d54fcdf1.exe
Size: 23KB
MD5: 42d1b2dfdf83b0f1e5e257072a51108b
SHA1: 981a6ec09bc61778025a4a654c0f161b1255ff40
SHA256: 9f42320dfbf5defbe21455ef824e711a5e603703631d9f1669abe8b6d54fcdf1
SHA512: 908446fddfebfa655b443562048027500f26c2a9c046b5b13c4a3689885808d1d3b54fce30a35db86bc87996af8cba2ad8599b2c2b51bb87e825ece2df1e30e7
SSDEEP: 384:G+n2650N3qZbATcjRGC5Eo9D46BgnqUhay1ZmRvR6JZlbw8hqIusZzZcozEu:5m+71d5XRpcnu2D
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: hacker
C2: mrcod.publicvm.com:1177
Mutex: 0b0829e06d028299289e683c2462e806
reg_key: 0b0829e06d028299289e683c2462e806
splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 1352 Trojan.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Loads dropped DLL (1 IoC)
  Processes: PID 1544 9f42320dfbf5defbe21455ef824e711a5e603703631d9f1669abe8b6d54fcdf1.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Processes: PID 1352 Trojan.exe
  Token: SeDebugPrivilege (1 event)
  Token: 33 (9 events)
  Token: SeIncBasePriorityPrivilege (9 events)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  PID 1544 (9f42320dfbf5defbe21455ef824e711a5e603703631d9f1669abe8b6d54fcdf1.exe) wrote to memory of PID 1352 (Trojan.exe), 4 events
  PID 1352 (Trojan.exe) wrote to memory of PID 536 (netsh.exe), 4 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\9f42320dfbf5defbe21455ef824e711a5e603703631d9f1669abe8b6d54fcdf1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9f42320dfbf5defbe21455ef824e711a5e603703631d9f1669abe8b6d54fcdf1.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Trojan.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
Filesize: 23KB
MD5: 42d1b2dfdf83b0f1e5e257072a51108b
SHA1: 981a6ec09bc61778025a4a654c0f161b1255ff40
SHA256: 9f42320dfbf5defbe21455ef824e711a5e603703631d9f1669abe8b6d54fcdf1
SHA512: 908446fddfebfa655b443562048027500f26c2a9c046b5b13c4a3689885808d1d3b54fce30a35db86bc87996af8cba2ad8599b2c2b51bb87e825ece2df1e30e7
memory/536-62-0x0000000000000000-mapping.dmp
memory/1352-57-0x0000000000000000-mapping.dmp
memory/1352-61-0x0000000074530000-0x0000000074ADB000-memory.dmp (Filesize: 5.7MB)
memory/1352-65-0x0000000074530000-0x0000000074ADB000-memory.dmp (Filesize: 5.7MB)
memory/1544-54-0x0000000075681000-0x0000000075683000-memory.dmp (Filesize: 8KB)
memory/1544-55-0x0000000074530000-0x0000000074ADB000-memory.dmp (Filesize: 5.7MB)
memory/1544-64-0x0000000074530000-0x0000000074ADB000-memory.dmp (Filesize: 5.7MB)