Analysis
Max time kernel: 165s
Max time network: 71s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 25-11-2022 06:46
Behavioral tasks
- behavioral1: sample f584cfad98b43127b4926e288402c3f378355f3f4a8542a366081beff470fc07.exe, resource win7-20220812-en (the results below come from this Windows 7 x64 task)
- behavioral2: sample f584cfad98b43127b4926e288402c3f378355f3f4a8542a366081beff470fc07.exe, resource win10v2004-20221111-en
General
Target: f584cfad98b43127b4926e288402c3f378355f3f4a8542a366081beff470fc07.exe
Size: 23KB
MD5: 50d5a3fd05dd566e0a74d5e0ea7f1ac8
SHA1: 33262c57bab468629d622047204daa8abdb90058
SHA256: f584cfad98b43127b4926e288402c3f378355f3f4a8542a366081beff470fc07
SHA512: a0c272b2e0d3d031c654a6f0481304dafbafd4a73d3fcd9f3e6e009272c477f0d887d523ee768b861f5e228b1c4f72f905398885951ee0ba33538e5d3b65f0d8
SSDEEP: 384:+Gwz6+T4IjWZFNwXU0eiNUB+vt6NgT+lLOhXxQmRvR6JZlbw8hqIusZzZtc:qTbC81NNRpcnuF
Malware Config
Extracted
Family: njrat
Version: 0.7d
Campaign ID (botnet): 4
C2: kadimon1.no-ip.info:5243 (a No-IP dynamic DNS hostname, so the resolved address can change between runs; pivot on the hostname and port, not on an IP)
Mutex: 20b288331ea1f38d82005df62f97b2b1
Attributes:
- reg_key: 20b288331ea1f38d82005df62f97b2b1
- splitter: |'|'|
The mutex and reg_key carry the same 32-hex value, and that value reappears below as the name of the Run registry value the dropped win.exe writes. The splitter is the field delimiter of the njRAT C2 protocol.
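What the splitter is used for, as an added example that is not code from the report or from the malware: a decoder for the njRAT C2 message format that a traffic analyst or IDS author could drop into a stream reassembler. The length-prefix framing ("<decimal length>\x00<payload>"), the "ll" registration command, the "inf" command and the base64 "HacKed_..." victim-ID field follow public njRAT 0.7d write-ups and are assumptions here; the beacon bytes are constructed, not captured, and no C2 traffic appears in this report.

```python
import base64

# Added example, not from the report. SPLITTER is the value extracted above;
# the "<decimal length>\x00<payload>" framing and the "ll"/"inf" command names
# follow public njRAT 0.7d write-ups and are assumptions here.
SPLITTER = b"|'|'|"


def frame(fields):
    """Build one njRAT-style message from a list of byte-string fields."""
    payload = SPLITTER.join(fields)
    return str(len(payload)).encode() + b"\x00" + payload


def parse_messages(stream, splitter=SPLITTER):
    """Split a byte stream into (command, fields) tuples.

    Returns (messages, remainder). remainder holds a trailing message whose
    declared length exceeds the bytes seen so far (a partial TCP read), so the
    caller can buffer more data and call again.
    """
    messages, pos = [], 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break  # no complete length prefix yet
        prefix = stream[pos:nul]
        if not prefix.isdigit():
            raise ValueError("bad length prefix at offset %d" % pos)
        start = nul + 1
        end = start + int(prefix)
        if end > len(stream):
            break  # declared length not yet received
        parts = stream[start:end].split(splitter)
        command = parts[0].decode("latin-1")
        fields = [p.decode("latin-1") for p in parts[1:]]
        messages.append((command, fields))
        pos = end
    return messages, stream[pos:]


def victim_id(field):
    """Decode the base64 victim identifier carried in the registration message."""
    return base64.b64decode(field).decode("latin-1")


# Constructed registration beacon, then a short command, then a truncated
# message, to exercise both normal parsing and the partial-read path.
SAMPLE_STREAM = (
    frame([b"ll", base64.b64encode(b"HacKed_2C7A1F3E"), b"WIN7-PC", b"Admin",
           b"22-11-25", b"", b"Win 7 Ultimate SP1 x64", b"No", b"0.7d", b"..", b"", b"0"])
    + frame([b"inf"])
    + b"12\x00partial"
)

if __name__ == "__main__":
    msgs, rest = parse_messages(SAMPLE_STREAM)
    for command, fields in msgs:
        print(command, fields)
    print("unparsed remainder:", rest)
```

Because every field boundary is the configured splitter, a signature that keys on the literal bytes |'|'| together with a decimal-length/NUL prefix catches this variant regardless of which command is in flight; the remainder handling matters because the registration message is long enough to straddle segments.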
Signatures
- Executes dropped EXE (1 IoC)
  Process: win.exe, PID 1536
- Modifies Windows Firewall (1 TTP, 1 IoC)
  See the netsh.exe command line in the process tree below.
- Loads dropped DLL (1 IoC)
  Process: f584cfad98b43127b4926e288402c3f378355f3f4a8542a366081beff470fc07.exe, PID 1776
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: win.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\20b288331ea1f38d82005df62f97b2b1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\win.exe\" .."
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\20b288331ea1f38d82005df62f97b2b1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\win.exe\" .."
  The value name is the reg_key from the extracted config, written to both the per-user Run key and the machine-wide 32-bit (Wow6432Node) Run key; the data is the dropped file's path followed by the argument "..".
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the sandbox's generic signature text: nothing else in this report shows file encryption, and the extracted config identifies the sample as njRAT, a remote access trojan.)
- Suspicious use of AdjustPrivilegeToken (17 IoCs)
  Process: win.exe, PID 1536
  Token: SeDebugPrivilege (1 call), then 8 repetitions of Token: 33 followed by Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1776 (f584cfad98b43127b4926e288402c3f378355f3f4a8542a366081beff470fc07.exe) wrote to memory of PID 1536 (win.exe): 4 calls
  PID 1536 (win.exe) wrote to memory of PID 1380 (netsh.exe): 4 calls
Processes
- C:\Users\Admin\AppData\Local\Temp\f584cfad98b43127b4926e288402c3f378355f3f4a8542a366081beff470fc07.exe (PID 1776)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f584cfad98b43127b4926e288402c3f378355f3f4a8542a366081beff470fc07.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\win.exe (PID 1536)
    Command line: "C:\Users\Admin\AppData\Local\Temp\win.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 1380)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\win.exe" "win.exe" ENABLE
      - Modifies Windows Firewall
The chain is sample -> copy of itself as %Temp%\win.exe -> netsh. The firewall exception uses the legacy "netsh firewall" context rather than "netsh advfirewall", and netsh is launched from SysWOW64, so win.exe runs as a 32-bit process on this x64 guest (which is also why the machine-wide Run value lands under Wow6432Node).
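Detection logic for the two host-side behaviours recorded above (the netsh firewall exception for a program under %Temp% and the Run-key persistence), as an added example that is not part of the report. The events are constructed Sysmon-style records: the paths, SID, value name and command line are copied from the report's IoCs, the two benign rows are invented noise, and the field names (EventID, Image, ParentImage, CommandLine, TargetObject, Details) follow Sysmon's naming but are an assumption about whatever log source is actually in use.

```python
import re

# Constructed Sysmon-style events (not from the report). EventID 1 = process
# creation, EventID 13 = registry value set. Rows 0-2 mirror the report's
# IoCs; rows 3-4 are invented benign noise to show what the rules ignore.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\win.exe",
     "CommandLine": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\win.exe" "win.exe" ENABLE'},
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Temp\win.exe",
     "TargetObject": r"HKU\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\20b288331ea1f38d82005df62f97b2b1",
     "Details": r'"C:\Users\Admin\AppData\Local\Temp\win.exe" ..'},
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Temp\win.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\20b288331ea1f38d82005df62f97b2b1",
     "Details": r'"C:\Users\Admin\AppData\Local\Temp\win.exe" ..'},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="Teams" dir=in action=allow program="C:\Program Files\Teams\Teams.exe"'},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

# Directories an unprivileged user can write to; a firewall exception or Run
# entry pointing here is the signal, since legitimate installs live elsewhere.
USER_WRITABLE = re.compile(r"(?i)\\(AppData|Temp|ProgramData|Users\\Public)\\")
# Both the legacy "netsh firewall" syntax seen in the report and the current
# "netsh advfirewall" syntax.
FW_ALLOW = re.compile(
    r"(?i)\bnetsh(\.exe)?\b.*\b(firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)\b")
RUN_KEY = re.compile(r"(?i)\\CurrentVersion\\Run\\([^\\]+)$")
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)


def check_firewall_allow(ev):
    """Flag netsh adding a firewall exception for a program in a user-writable path."""
    if ev.get("EventID") != 1 or not ev["Image"].lower().endswith("netsh.exe"):
        return None
    cmd = ev["CommandLine"]
    if FW_ALLOW.search(cmd) and USER_WRITABLE.search(cmd):
        return "netsh firewall exception for user-writable path"
    return None


def check_run_key(ev):
    """Flag Run values that combine a user-writable target with njRAT-style traits."""
    if ev.get("EventID") != 13:
        return None
    m = RUN_KEY.search(ev["TargetObject"])
    if not m:
        return None
    name, data = m.group(1), ev["Details"]
    reasons = []
    if HEX32.match(name):
        reasons.append("32-hex value name")
    if USER_WRITABLE.search(data):
        reasons.append("target in user-writable path")
    if data.rstrip().endswith(" .."):
        reasons.append("trailing ' ..' argument")
    # Require the path indicator plus at least one njRAT-specific trait, so an
    # updater living under AppData (OneDrive, browsers) does not fire alone.
    if "target in user-writable path" in reasons and len(reasons) >= 2:
        return "Run key persistence: " + ", ".join(reasons)
    return None


def scan(events):
    """Return (event index, reason) for every event a rule fires on."""
    hits = []
    for i, ev in enumerate(events):
        for check in (check_firewall_allow, check_run_key):
            why = check(ev)
            if why:
                hits.append((i, why))
    return hits


if __name__ == "__main__":
    for index, reason in scan(SAMPLE_EVENTS):
        print(index, reason)
```

Correlating the two hits on the same image path (the Run value data and the netsh program argument both name %Temp%\win.exe) turns two medium-confidence rules into one high-confidence alert; the 32-hex value name alone is too weak to page on, since some legitimate software also uses GUID-like names.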
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\win.exe
  Filesize: 23KB
  MD5: 50d5a3fd05dd566e0a74d5e0ea7f1ac8
  SHA1: 33262c57bab468629d622047204daa8abdb90058
  SHA256: f584cfad98b43127b4926e288402c3f378355f3f4a8542a366081beff470fc07
  SHA512: a0c272b2e0d3d031c654a6f0481304dafbafd4a73d3fcd9f3e6e009272c477f0d887d523ee768b861f5e228b1c4f72f905398885951ee0ba33538e5d3b65f0d8
  (Also recorded as \Users\Admin\AppData\Local\Temp\win.exe with identical hashes. Every hash matches the submitted sample, so the dropped win.exe is a byte-for-byte copy of the parent rather than an unpacked second stage; one hash set covers both files.)
Memory dumps
- memory/1380-63-0x0000000000000000-mapping.dmp
- memory/1536-57-0x0000000000000000-mapping.dmp
- memory/1536-62-0x00000000745A0000-0x0000000074B4B000-memory.dmp (5.7MB)
- memory/1536-64-0x00000000745A0000-0x0000000074B4B000-memory.dmp (5.7MB)
- memory/1776-54-0x0000000075521000-0x0000000075523000-memory.dmp (8KB)
- memory/1776-55-0x00000000745A0000-0x0000000074B4B000-memory.dmp (5.7MB)
- memory/1776-61-0x00000000745A0000-0x0000000074B4B000-memory.dmp (5.7MB)