Analysis
max time kernel: 151s
max time network: 44s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 03:02
Behavioral task behavioral1
Sample: 334fe3b376bf10fac2a08efbd1bad31935e84612cae4e8bab6c33cfc2ac2cf1e.exe
Resource: win7-20220812-en

Behavioral task behavioral2
Sample: 334fe3b376bf10fac2a08efbd1bad31935e84612cae4e8bab6c33cfc2ac2cf1e.exe
Resource: win10v2004-20221111-en
General
Target: 334fe3b376bf10fac2a08efbd1bad31935e84612cae4e8bab6c33cfc2ac2cf1e.exe
Size: 210KB
MD5: db54abe9cd4cf784164bffd2f72116d7
SHA1: b3dd3c0d0b4fcdbd10cddfd9787cc9dccfa45e46
SHA256: 334fe3b376bf10fac2a08efbd1bad31935e84612cae4e8bab6c33cfc2ac2cf1e
SHA512: 365e59ace3bada5253b60ff155a4454ced9072096207efe7862bdd35933c3d9f0e40fcff354100b3bb8573693d39eadc5cfbe0332c92948e2bda865799161df7
SSDEEP: 3072:nvssA29+e43idX6zbvOezG0z/3XKnkACUZuw7vi2cgK4Lt0Kpu6WA+NPjuTsUeQY:H9cikPO8+GL6MjUe6vATgk
Malware Config
Extracted
Family: njrat
Version: 0.6.4
Botnet: كرار هكر العراق
C2: karar101.ddns.net:1177
Mutex: 5cd8f17f4086744065eb0992a09e05a2
Attributes:
reg_key: 5cd8f17f4086744065eb0992a09e05a2
splitter: |'|'|
Signatures

Executes dropped EXE (1 IoC)
Processes:
pid 1444, process Trojan.exe

Modifies Windows Firewall (1 TTP, 1 IoC)

Loads dropped DLL (1 IoC)
Processes:
pid 2020, process 334fe3b376bf10fac2a08efbd1bad31935e84612cae4e8bab6c33cfc2ac2cf1e.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." (process Trojan.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." (process Trojan.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes:
pid 1444, process Trojan.exe (16 identical entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
Token: SeDebugPrivilege, pid 1444, process Trojan.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
PID 2020 wrote to memory of 1444: 334fe3b376bf10fac2a08efbd1bad31935e84612cae4e8bab6c33cfc2ac2cf1e.exe -> Trojan.exe (4 identical entries)
PID 1444 wrote to memory of 768: Trojan.exe -> netsh.exe (4 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\334fe3b376bf10fac2a08efbd1bad31935e84612cae4e8bab6c33cfc2ac2cf1e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\334fe3b376bf10fac2a08efbd1bad31935e84612cae4e8bab6c33cfc2ac2cf1e.exe"
   PID: 2020
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\Trojan.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
      PID: 1444
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
         PID: 768
         - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\Trojan.exe (also listed as \Users\Admin\AppData\Local\Temp\Trojan.exe)
Filesize: 210KB
MD5: db54abe9cd4cf784164bffd2f72116d7
SHA1: b3dd3c0d0b4fcdbd10cddfd9787cc9dccfa45e46
SHA256: 334fe3b376bf10fac2a08efbd1bad31935e84612cae4e8bab6c33cfc2ac2cf1e
SHA512: 365e59ace3bada5253b60ff155a4454ced9072096207efe7862bdd35933c3d9f0e40fcff354100b3bb8573693d39eadc5cfbe0332c92948e2bda865799161df7
memory/768-62-0x0000000000000000-mapping.dmp
memory/1444-57-0x0000000000000000-mapping.dmp
memory/1444-63-0x00000000741F0000-0x000000007479B000-memory.dmp, Filesize: 5.7MB
memory/1444-65-0x00000000741F0000-0x000000007479B000-memory.dmp, Filesize: 5.7MB
memory/2020-54-0x0000000075451000-0x0000000075453000-memory.dmp, Filesize: 8KB
memory/2020-55-0x00000000741F0000-0x000000007479B000-memory.dmp, Filesize: 5.7MB
memory/2020-61-0x00000000741F0000-0x000000007479B000-memory.dmp, Filesize: 5.7MB