Analysis
- max time kernel: 189s
- max time network: 237s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 25-11-2022 06:53
Behavioral task: behavioral1
- Sample: e57d14f759dcbbeab3b91fff1fd171208ff6b68fe397764821282c57eb4b7306.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: e57d14f759dcbbeab3b91fff1fd171208ff6b68fe397764821282c57eb4b7306.exe
- Resource: win10v2004-20220812-en
General
- Target: e57d14f759dcbbeab3b91fff1fd171208ff6b68fe397764821282c57eb4b7306.exe
- Size: 163KB
- MD5: baf33f6fa9571bd34abe6c5afde6768d
- SHA1: 0ce0c82e67151840d385819820673c382804cba9
- SHA256: e57d14f759dcbbeab3b91fff1fd171208ff6b68fe397764821282c57eb4b7306
- SHA512: bfcc27c47861ba491f0ac9504e6b96aa9bb30f6e45652d3840ae96830d9d29bec17e9b7ac17fc31c0ab04046dfd81c71d40376fbc8004307184bdf77b5d1f5f2
- SSDEEP: 3072:qcwb0Xp27xCh92rg56gGiDbV2/W36eyjiu8iW:7AAh1DbV2/W36eyuu8N
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: alpha-7.no-ip.biz:5552
- Mutex: f3b4549e9273b6cf9b3f02a2ce32bfa0
- reg_key: f3b4549e9273b6cf9b3f02a2ce32bfa0
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  - 672, game.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f3b4549e9273b6cf9b3f02a2ce32bfa0.exe (game.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f3b4549e9273b6cf9b3f02a2ce32bfa0.exe (game.exe)
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
  - 1352, e57d14f759dcbbeab3b91fff1fd171208ff6b68fe397764821282c57eb4b7306.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\f3b4549e9273b6cf9b3f02a2ce32bfa0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\game.exe\" .." (game.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f3b4549e9273b6cf9b3f02a2ce32bfa0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\game.exe\" .." (game.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Processes (description, pid, process), all entries pid 672, game.exe:
  - Token: SeDebugPrivilege (1 entry)
  - Token: 33 and Token: SeIncBasePriorityPrivilege, alternating, nine times each (18 entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
  - PID 1352 wrote to memory of 672: e57d14f759dcbbeab3b91fff1fd171208ff6b68fe397764821282c57eb4b7306.exe -> game.exe (4 entries)
  - PID 672 wrote to memory of 1692: game.exe -> netsh.exe (4 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\e57d14f759dcbbeab3b91fff1fd171208ff6b68fe397764821282c57eb4b7306.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e57d14f759dcbbeab3b91fff1fd171208ff6b68fe397764821282c57eb4b7306.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\game.exe (child of [1])
    Command line: "C:\Users\Admin\AppData\Local\Temp\game.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\netsh.exe (child of [2])
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\game.exe" "game.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\game.exe
  Filesize: 163KB
  MD5: baf33f6fa9571bd34abe6c5afde6768d
  SHA1: 0ce0c82e67151840d385819820673c382804cba9
  SHA256: e57d14f759dcbbeab3b91fff1fd171208ff6b68fe397764821282c57eb4b7306
  SHA512: bfcc27c47861ba491f0ac9504e6b96aa9bb30f6e45652d3840ae96830d9d29bec17e9b7ac17fc31c0ab04046dfd81c71d40376fbc8004307184bdf77b5d1f5f2
- \Users\Admin\AppData\Local\Temp\game.exe
  Filesize: 163KB
  MD5: baf33f6fa9571bd34abe6c5afde6768d
  SHA1: 0ce0c82e67151840d385819820673c382804cba9
  SHA256: e57d14f759dcbbeab3b91fff1fd171208ff6b68fe397764821282c57eb4b7306
  SHA512: bfcc27c47861ba491f0ac9504e6b96aa9bb30f6e45652d3840ae96830d9d29bec17e9b7ac17fc31c0ab04046dfd81c71d40376fbc8004307184bdf77b5d1f5f2
- memory/672-57-0x0000000000000000-mapping.dmp
- memory/672-62-0x0000000074A80000-0x000000007502B000-memory.dmp (Filesize: 5.7MB)
- memory/672-64-0x0000000074A80000-0x000000007502B000-memory.dmp (Filesize: 5.7MB)
- memory/1352-54-0x00000000760B1000-0x00000000760B3000-memory.dmp (Filesize: 8KB)
- memory/1352-55-0x0000000074A80000-0x000000007502B000-memory.dmp (Filesize: 5.7MB)
- memory/1352-61-0x0000000074A80000-0x000000007502B000-memory.dmp (Filesize: 5.7MB)
- memory/1692-63-0x0000000000000000-mapping.dmp