Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 25-11-2022 08:00
Behavioral tasks
- behavioral1: sample 406e919f118006fd7175c0e2df9cb329bdcca29ac0086638c4599f133c16547c.exe, resource win7-20220901-en (the windows7_x64 run whose signatures and process tree are reported on this page)
- behavioral2: sample 406e919f118006fd7175c0e2df9cb329bdcca29ac0086638c4599f133c16547c.exe, resource win10v2004-20221111-en
General
- Target: 406e919f118006fd7175c0e2df9cb329bdcca29ac0086638c4599f133c16547c.exe
- Size: 36KB
- MD5: 3f372e7a22a7a5c24e5f474de961639b
- SHA1: 0da76f4e4c8745ce09cc4c5d875c50148dab8e88
- SHA256: 406e919f118006fd7175c0e2df9cb329bdcca29ac0086638c4599f133c16547c
- SHA512: 652902d51aaef62323e8d0096b48b6a3be733ebfe77fec3fce6d67bf5dde12634c8f6f71c9501959a35e9232abd9a78881e886849f49f9fef9f170b57eea25ba
- SSDEEP: 384:dI2SUwXh0ZbAzlRGCvkodj46hgHK0hrV5mRvR6JZlbw8hqIusZzZEChEJlbz602c:CbhEkdvXRpcnuchEJVzcJAaOu0GG
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet (campaign label): Subway Surfers
- C2: daiodsaber.no-ip.biz:5552
- Mutex: b9da61d8a029b19f539cf3803f98e1cd
- reg_key: b9da61d8a029b19f539cf3803f98e1cd
- splitter: |'|'|
The C2 is a dynamic-DNS name (no-ip.biz), so it has to be resolved at hunt time rather than matched against a fixed IP; 5552 is njRAT's default port. The 32-hex-character mutex value doubles as the Run value name, the reg_key and the filename of the Startup-folder copy in the signatures below, which makes it a reliable pivot across the whole report. The splitter is the literal field delimiter of the njRAT wire protocol: the client joins the fields of every message with it before sending.
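The splitter and C2 values above are enough to decode captured njRAT traffic. The following is an added example, not code from the page or from the sandbox vendor: it cuts a raw TCP byte stream into njRAT frames, splits each frame on the configured splitter and base64-decodes the fields that carry encoded data. The splitter and C2 are taken from the extracted config; the length-prefix framing (ASCII decimal length, NUL byte, payload), the beacon command name "ll", the "inf" reply and the field order are taken from public descriptions of njRAT 0.7d and are assumptions here, not something this report shows. The traffic itself is constructed for the example.

```python
import base64
import binascii  # binascii.Error is what a bad base64 field raises

# Values taken from the config extracted on this page.
SPLITTER = "|'|'|"
C2_HOST, C2_PORT = "daiodsaber.no-ip.biz", 5552


def frame(payload: bytes) -> bytes:
    """Wrap one message the way njRAT does (assumed): ASCII decimal length, NUL, payload."""
    return f"{len(payload)}\x00".encode() + payload


def split_frames(stream: bytes) -> list:
    """Cut a raw TCP byte stream back into message payloads.

    There is no terminator; the length prefix is the only delimiter, so one
    truncated or non-numeric prefix makes everything after it unparseable.
    """
    frames, i = [], 0
    while i < len(stream):
        nul = stream.find(b"\x00", i)
        if nul == -1:
            raise ValueError(f"no NUL after offset {i}: truncated header")
        header = stream[i:nul]
        if not header.isdigit():
            raise ValueError(f"non-numeric length prefix {header!r} at offset {i}")
        start, end = nul + 1, nul + 1 + int(header)
        if end > len(stream):
            raise ValueError(f"frame at offset {i} claims {int(header)} bytes, stream too short")
        frames.append(stream[start:end])
        i = end
    return frames


def parse_message(payload: bytes) -> dict:
    """Split a payload on the configured splitter; the first field is the command."""
    fields = payload.decode("utf-8", errors="replace").split(SPLITTER)
    return {"cmd": fields[0], "fields": fields[1:]}  # empty strings survive the split


def b64_field(field: str) -> str:
    """Decode a base64 field, returning the text unchanged if it is not valid base64."""
    try:
        return base64.b64decode(field, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
        return field


def decode_stream(stream: bytes) -> list:
    """Decode every frame; for the registration beacon also decode the base64 fields."""
    messages = []
    for payload in split_frames(stream):
        msg = parse_message(payload)
        if msg["cmd"] == "ll" and msg["fields"]:
            # Assumed beacon layout: victim id (base64), hostname, user, date, '',
            # OS, camera flag, version, '', active window (base64), ''.
            msg["victim_id"] = b64_field(msg["fields"][0])
            msg["active_window"] = b64_field(msg["fields"][9]) if len(msg["fields"]) > 9 else None
        messages.append(msg)
    return messages


def build_sample_stream() -> bytes:
    """Constructed traffic for the example run; not a capture from this analysis."""
    victim_id = base64.b64encode(b"HacKed_5B1A2C3D").decode()
    window = base64.b64encode(b"Subway Surfers").decode()
    beacon = SPLITTER.join(["ll", victim_id, "WIN-7-BOX", "Admin", "22-11-25", "",
                            "Win 7 Ultimate SP1 x64", "No", "0.7d", "", window, ""])
    info = SPLITTER.join(["inf", base64.b64encode(b"constructed info reply").decode()])
    return frame(beacon.encode()) + frame(info.encode())


if __name__ == "__main__":
    for m in decode_stream(build_sample_stream()):
        print(m)
```

Because the protocol has no message terminator, a decoder that resynchronises on a misread length will silently mis-split everything that follows; the parser therefore refuses the stream at the first bad prefix instead of guessing. The same two constants (SPLITTER and the framing) are all that change between njRAT builds, so pointing the decoder at another extracted config is a one-line edit.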
Signatures
-
Executes dropped EXE (1 IoC)
- PID 1772: Subway Surfers.exe
-
Modifies Windows Firewall (1 TTP, 1 IoC)
- The netsh.exe invocation shown in the process tree below (PID 432, spawned by Subway Surfers.exe).
-
Drops startup file (2 IoCs)
- File created by Subway Surfers.exe: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9da61d8a029b19f539cf3803f98e1cd.exe
- File opened for modification by Subway Surfers.exe: the same path
-
Loads dropped DLL (1 IoC)
- PID 1348: 406e919f118006fd7175c0e2df9cb329bdcca29ac0086638c4599f133c16547c.exe
-
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str) by Subway Surfers.exe: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\b9da61d8a029b19f539cf3803f98e1cd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Subway Surfers.exe\" .."
- Set value (str) by Subway Surfers.exe: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\b9da61d8a029b19f539cf3803f98e1cd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Subway Surfers.exe\" .."
Both values carry the same command line, the quoted %TEMP% path followed by a literal " ..", which is a usable string-level tell for this family. The HKLM value lands under Wow6432Node because the process is 32-bit on a 64-bit OS (the same reason the child netsh.exe comes from SysWOW64); that write only succeeds because the sandbox user has administrative rights, so on a standard-user host expect the HKCU value alone.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this "likely ransomware behaviour", but this sample is njRAT, whose drive enumeration serves its file-manager and removable-drive spreading features; no file encryption or mass file modification is recorded anywhere in this report.
-
Suspicious use of AdjustPrivilegeToken (19 IoCs)
- PID 1772 Subway Surfers.exe: SeDebugPrivilege once, then privilege LUID 33 and SeIncBasePriorityPrivilege requested alternately, 9 times each (the sandbox reports LUID 33 only by number; the remaining 18 entries on the original page are that pair repeated).
-
Suspicious use of WriteProcessMemory (8 IoCs)
- PID 1348 (406e919f118006fd7175c0e2df9cb329bdcca29ac0086638c4599f133c16547c.exe) wrote to memory of PID 1772 (Subway Surfers.exe), 4 times
- PID 1772 (Subway Surfers.exe) wrote to memory of PID 432 (netsh.exe), 4 times
In both cases the target is the writer's direct child at the moment it is spawned (see the process tree below), so these writes are consistent with ordinary process start-up rather than with injection into an unrelated process; nothing on this page shows a foreign or hollowed target.
Processes
-
C:\Users\Admin\AppData\Local\Temp\406e919f118006fd7175c0e2df9cb329bdcca29ac0086638c4599f133c16547c.exe (PID 1348)
  command line: "C:\Users\Admin\AppData\Local\Temp\406e919f118006fd7175c0e2df9cb329bdcca29ac0086638c4599f133c16547c.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Subway Surfers.exe (PID 1772, child of 1348)
    command line: "C:\Users\Admin\AppData\Local\Temp\Subway Surfers.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\netsh.exe (PID 432, child of 1772)
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Subway Surfers.exe" "Subway Surfers.exe" ENABLE
      - Modifies Windows Firewall
The chain is the stock njRAT install sequence: the original copies itself to a fixed %TEMP% path under a decoy name, the copy registers that path for persistence, then whitelists itself in the host firewall by path. The netsh call uses the legacy "netsh firewall" context rather than "netsh advfirewall", and a netsh.exe child of a process running from %TEMP% with "add allowedprogram" on its command line is a high-signal detection on its own.
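The persistence chain in the tree above (self-copy to %TEMP%, Run values ending in " ..", a 32-hex-named .exe in the Startup folder, a netsh firewall exception for the copy) translates directly into host-side detection logic. The following is an added example, not code from the page or from the sandbox vendor: it runs a handful of rules over constructed events shaped like this report's IoCs (not a real log export), attributes the netsh hit back to the process that spawned it, and scores each process by how many independent rule families it tripped. The event schema, rule names and thresholds are my own; the parent PID of 1348 is invented.

```python
import re

# Constructed events shaped like the IoCs on this page (not a real log export).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1348, "ppid": 900,
     "image": r"C:\Users\Admin\AppData\Local\Temp\406e919f118006fd7175c0e2df9cb329bdcca29ac0086638c4599f133c16547c.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\406e919f118006fd7175c0e2df9cb329bdcca29ac0086638c4599f133c16547c.exe"'},
    {"type": "process", "pid": 1772, "ppid": 1348,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Subway Surfers.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Subway Surfers.exe"'},
    {"type": "file", "pid": 1772,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9da61d8a029b19f539cf3803f98e1cd.exe"},
    {"type": "registry", "pid": 1772,
     "key": r"\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\b9da61d8a029b19f539cf3803f98e1cd",
     "value": r'"C:\Users\Admin\AppData\Local\Temp\Subway Surfers.exe" ..'},
    {"type": "registry", "pid": 1772,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\b9da61d8a029b19f539cf3803f98e1cd",
     "value": r'"C:\Users\Admin\AppData\Local\Temp\Subway Surfers.exe" ..'},
    {"type": "process", "pid": 432, "ppid": 1772,
     "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Subway Surfers.exe" "Subway Surfers.exe" ENABLE'},
    # Benign noise, also constructed, so the rules can be seen staying quiet.
    {"type": "registry", "pid": 2200,
     "key": r"\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"type": "process", "pid": 2300, "ppid": 2100,
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall show allprofiles"},
]

RUN_KEY = re.compile(r"\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
HEX32_EXE = re.compile(r"\\[0-9a-f]{32}\.exe$", re.I)
TRAILING_DOTS = re.compile(r'^"[^"]+" \.\.$')  # the exact Run value shape this sample writes
NETSH_ALLOW = re.compile(r"\bfirewall\s+add\s+allowedprogram\b", re.I)


def check_event(ev: dict) -> list:
    """Names of the rules a single event trips; empty for events that look benign."""
    hits = []
    if ev["type"] == "registry" and RUN_KEY.search(ev["key"]):
        if TRAILING_DOTS.match(ev["value"]):
            hits.append("run_value_trailing_dots")
        if TEMP_DIR.search(ev["value"]):
            hits.append("run_value_points_to_temp")
    elif ev["type"] == "file" and STARTUP_DIR.search(ev["path"]):
        hits.append("startup_folder_drop")
        if HEX32_EXE.search(ev["path"]):
            hits.append("startup_hex32_name")
    elif ev["type"] == "process" and ev["image"].lower().endswith("\\netsh.exe"):
        if NETSH_ALLOW.search(ev["cmdline"]) and TEMP_DIR.search(ev["cmdline"]):
            hits.append("netsh_allow_temp_binary")
    return hits


def correlate(events: list) -> dict:
    """Group hits by process; a helper tool's hit (netsh) is charged to the process that spawned it."""
    parent = {ev["pid"]: ev["ppid"] for ev in events if ev["type"] == "process"}
    findings = {}
    for ev in events:
        hits = check_event(ev)
        if not hits:
            continue
        owner = parent.get(ev["pid"], ev["pid"]) if ev["type"] == "process" else ev["pid"]
        findings.setdefault(owner, set()).update(hits)
    return findings


def verdict(findings: dict) -> dict:
    """Score by independent rule families (run_, startup_, netsh_) rather than by raw hit count."""
    out = {}
    for pid, rules in findings.items():
        families = {r.split("_")[0] for r in rules}
        out[pid] = "njrat_like" if len(families) >= 3 else "suspicious" if len(families) == 2 else "low"
    return out


if __name__ == "__main__":
    found = correlate(SAMPLE_EVENTS)
    for pid, rules in found.items():
        print(pid, verdict(found)[pid], sorted(rules))
```

Counting rule families instead of raw hits is deliberate: the two Run values are one fact written twice (HKCU and HKLM), and scoring them separately would inflate confidence without adding evidence. Folding the netsh event onto its parent is what lets the firewall rule and the persistence rules meet on PID 1772, which is the combination that distinguishes this chain from a lone Run key.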
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Subway Surfers.exe (listed three times by the sandbox, twice under this path and once as \Users\Admin\AppData\Local\Temp\Subway Surfers.exe, all with identical hashes)
Filesize: 36KB
MD5: 3f372e7a22a7a5c24e5f474de961639b
SHA1: 0da76f4e4c8745ce09cc4c5d875c50148dab8e88
SHA256: 406e919f118006fd7175c0e2df9cb329bdcca29ac0086638c4599f133c16547c
SHA512: 652902d51aaef62323e8d0096b48b6a3be733ebfe77fec3fce6d67bf5dde12634c8f6f71c9501959a35e9232abd9a78881e886849f49f9fef9f170b57eea25ba
Every hash matches the submitted target, so the "dropped" Subway Surfers.exe is a byte-for-byte copy of the sample itself rather than a second-stage payload; one SHA256 covers both the original and the %TEMP% copy.
- memory/432-63-0x0000000000000000-mapping.dmp
- memory/1348-54-0x0000000075601000-0x0000000075603000-memory.dmp (8KB)
- memory/1348-55-0x0000000074500000-0x0000000074AAB000-memory.dmp (5.7MB)
- memory/1348-61-0x0000000074500000-0x0000000074AAB000-memory.dmp (5.7MB)
- memory/1772-57-0x0000000000000000-mapping.dmp
- memory/1772-62-0x0000000074500000-0x0000000074AAB000-memory.dmp (5.7MB)
- memory/1772-65-0x0000000074500000-0x0000000074AAB000-memory.dmp (5.7MB)
The 0x74500000-0x74AAB000 region is dumped at the same address and size in both PID 1348 and PID 1772, consistent with one shared module image mapped at the same base in parent and child rather than with unique unpacked code in either process.