Analysis
max time kernel: 150s
max time network: 48s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 07:40
Behavioral task: behavioral1
Sample: 74a5948174017d683d2effaef9fea6c24ad17203dc5b5066aa3317381f39c5cd.exe
Resource: win7-20220901-en
General
Target: 74a5948174017d683d2effaef9fea6c24ad17203dc5b5066aa3317381f39c5cd.exe
Size: 29KB
MD5: ea9f7bbea67a10ad317afc16e7f2e5ff
SHA1: 714c4c88c7c4bde991ef85f4b7520acdfff6e51a
SHA256: 74a5948174017d683d2effaef9fea6c24ad17203dc5b5066aa3317381f39c5cd
SHA512: c9d73b430fb181f887a813e4801f070f127d2db78482d881f8f7fa149ef3a0fc13b8d34a8b4e8b263a1dd744c6c854ea84e303df6fa2fe93de8b1490d42842bb
SSDEEP: 384:VCINl7rZt4AgSTnd5fGmjmumqD418+eYKGBsbh0w4wlAokw9OhgOL1vYRGOZzGZF:j7v4AgMdgmjAq8XeIBKh0p29SgRwF
Malware Config
Extracted
Family: njrat
Version: 0.6.4
Botnet: HacKed
C2: xersqil237bvcxz.no-ip.biz:3344
Mutex: fce30cd7a65bdc97987664ce1957aa4f
reg_key: fce30cd7a65bdc97987664ce1957aa4f
splitter: |'|'|
Signatures

Executes dropped EXE (1 IoC)
Processes: PID 1964 networking.exe

Modifies Windows Firewall (1 TTP, 1 IoC)

Loads dropped DLL (1 IoC)
Processes: PID 828 74a5948174017d683d2effaef9fea6c24ad17203dc5b5066aa3317381f39c5cd.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
networking.exe: Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fce30cd7a65bdc97987664ce1957aa4f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\networking.exe\" .."
networking.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fce30cd7a65bdc97987664ce1957aa4f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\networking.exe\" .."

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes: PID 1964 networking.exe (18 events)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: PID 1964 networking.exe, Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
PID 828 74a5948174017d683d2effaef9fea6c24ad17203dc5b5066aa3317381f39c5cd.exe wrote to memory of PID 1964 networking.exe (4 events)
PID 1964 networking.exe wrote to memory of PID 1740 netsh.exe (4 events)
Processes

1. C:\Users\Admin\AppData\Local\Temp\74a5948174017d683d2effaef9fea6c24ad17203dc5b5066aa3317381f39c5cd.exe (PID 828)
   Command line: "C:\Users\Admin\AppData\Local\Temp\74a5948174017d683d2effaef9fea6c24ad17203dc5b5066aa3317381f39c5cd.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\networking.exe (PID 1964)
      Command line: "C:\Users\Admin\AppData\Local\Temp\networking.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe (PID 1740)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\networking.exe" "networking.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\networking.exe
Filesize: 29KB
MD5: ea9f7bbea67a10ad317afc16e7f2e5ff
SHA1: 714c4c88c7c4bde991ef85f4b7520acdfff6e51a
SHA256: 74a5948174017d683d2effaef9fea6c24ad17203dc5b5066aa3317381f39c5cd
SHA512: c9d73b430fb181f887a813e4801f070f127d2db78482d881f8f7fa149ef3a0fc13b8d34a8b4e8b263a1dd744c6c854ea84e303df6fa2fe93de8b1490d42842bb

\Users\Admin\AppData\Local\Temp\networking.exe
Filesize: 29KB
MD5: ea9f7bbea67a10ad317afc16e7f2e5ff
SHA1: 714c4c88c7c4bde991ef85f4b7520acdfff6e51a
SHA256: 74a5948174017d683d2effaef9fea6c24ad17203dc5b5066aa3317381f39c5cd
SHA512: c9d73b430fb181f887a813e4801f070f127d2db78482d881f8f7fa149ef3a0fc13b8d34a8b4e8b263a1dd744c6c854ea84e303df6fa2fe93de8b1490d42842bb

Memory dumps
memory/828-54-0x0000000075A71000-0x0000000075A73000-memory.dmp (Filesize: 8KB)
memory/828-55-0x0000000074E10000-0x00000000753BB000-memory.dmp (Filesize: 5.7MB)
memory/828-61-0x0000000074E10000-0x00000000753BB000-memory.dmp (Filesize: 5.7MB)
memory/1740-62-0x0000000000000000-mapping.dmp
memory/1964-57-0x0000000000000000-mapping.dmp
memory/1964-63-0x0000000074E10000-0x00000000753BB000-memory.dmp (Filesize: 5.7MB)
memory/1964-65-0x0000000074E10000-0x00000000753BB000-memory.dmp (Filesize: 5.7MB)