Analysis
-
max time kernel
176s -
max time network
91s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
25-11-2022 09:18
Static task
static1
Behavioral task
behavioral1
Sample
58948898805076345eb046014a3c10649156088a1529d325220217afc752b077.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
58948898805076345eb046014a3c10649156088a1529d325220217afc752b077.exe
Resource
win10v2004-20221111-en
General
-
Target
58948898805076345eb046014a3c10649156088a1529d325220217afc752b077.exe
-
Size
1.9MB
-
MD5
38ea6558716e1b9a30a34436921f3d75
-
SHA1
ad17715a31b524a1c215bd4c8399e24123f30d16
-
SHA256
58948898805076345eb046014a3c10649156088a1529d325220217afc752b077
-
SHA512
9537c6972021a47296fc7150fb5babe538cb11f5d3a7c6d4955f402c2ef57a971e93d00847519f1599387e91adf62bfcceac5e90e19fef4c56ab781cae84d650
-
SSDEEP
12288:Vb6e32OKSj+TMb6GOCAUzltY8OMcHdDDbtb0r1KKUCUgxV3378For7OlBgRlvj9L:YtT/OH65WxYFZExj9//k//Ic
Malware Config
Extracted
njrat
0.7d
haked
kazimalia100.ddns.net:5552
dffedddd32431063c53a5e694a9739a2
-
reg_key
dffedddd32431063c53a5e694a9739a2
-
splitter
|'|'|
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
VnHaxInjector-PUBGM.exepid process 580 VnHaxInjector-PUBGM.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Drops startup file 2 IoCs
Processes:
VnHaxInjector-PUBGM.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dffedddd32431063c53a5e694a9739a2.exe VnHaxInjector-PUBGM.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dffedddd32431063c53a5e694a9739a2.exe VnHaxInjector-PUBGM.exe -
Loads dropped DLL 1 IoCs
Processes:
58948898805076345eb046014a3c10649156088a1529d325220217afc752b077.exepid process 1252 58948898805076345eb046014a3c10649156088a1529d325220217afc752b077.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
VnHaxInjector-PUBGM.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dffedddd32431063c53a5e694a9739a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\VnHaxInjector-PUBGM.exe\" .." VnHaxInjector-PUBGM.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\dffedddd32431063c53a5e694a9739a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\VnHaxInjector-PUBGM.exe\" .." VnHaxInjector-PUBGM.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
Processes:
VnHaxInjector-PUBGM.exedescription pid process Token: SeDebugPrivilege 580 VnHaxInjector-PUBGM.exe Token: 33 580 VnHaxInjector-PUBGM.exe Token: SeIncBasePriorityPrivilege 580 VnHaxInjector-PUBGM.exe Token: 33 580 VnHaxInjector-PUBGM.exe Token: SeIncBasePriorityPrivilege 580 VnHaxInjector-PUBGM.exe Token: 33 580 VnHaxInjector-PUBGM.exe Token: SeIncBasePriorityPrivilege 580 VnHaxInjector-PUBGM.exe Token: 33 580 VnHaxInjector-PUBGM.exe Token: SeIncBasePriorityPrivilege 580 VnHaxInjector-PUBGM.exe Token: 33 580 VnHaxInjector-PUBGM.exe Token: SeIncBasePriorityPrivilege 580 VnHaxInjector-PUBGM.exe Token: 33 580 VnHaxInjector-PUBGM.exe Token: SeIncBasePriorityPrivilege 580 VnHaxInjector-PUBGM.exe Token: 33 580 VnHaxInjector-PUBGM.exe Token: SeIncBasePriorityPrivilege 580 VnHaxInjector-PUBGM.exe Token: 33 580 VnHaxInjector-PUBGM.exe Token: SeIncBasePriorityPrivilege 580 VnHaxInjector-PUBGM.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
58948898805076345eb046014a3c10649156088a1529d325220217afc752b077.exeVnHaxInjector-PUBGM.exedescription pid process target process PID 1252 wrote to memory of 580 1252 58948898805076345eb046014a3c10649156088a1529d325220217afc752b077.exe VnHaxInjector-PUBGM.exe PID 1252 wrote to memory of 580 1252 58948898805076345eb046014a3c10649156088a1529d325220217afc752b077.exe VnHaxInjector-PUBGM.exe PID 1252 wrote to memory of 580 1252 58948898805076345eb046014a3c10649156088a1529d325220217afc752b077.exe VnHaxInjector-PUBGM.exe PID 1252 wrote to memory of 580 1252 58948898805076345eb046014a3c10649156088a1529d325220217afc752b077.exe VnHaxInjector-PUBGM.exe PID 580 wrote to memory of 1544 580 VnHaxInjector-PUBGM.exe netsh.exe PID 580 wrote to memory of 1544 580 VnHaxInjector-PUBGM.exe netsh.exe PID 580 wrote to memory of 1544 580 VnHaxInjector-PUBGM.exe netsh.exe PID 580 wrote to memory of 1544 580 VnHaxInjector-PUBGM.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\58948898805076345eb046014a3c10649156088a1529d325220217afc752b077.exe"C:\Users\Admin\AppData\Local\Temp\58948898805076345eb046014a3c10649156088a1529d325220217afc752b077.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Users\Admin\AppData\Local\Temp\VnHaxInjector-PUBGM.exe"C:\Users\Admin\AppData\Local\Temp\VnHaxInjector-PUBGM.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:580 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\VnHaxInjector-PUBGM.exe" "VnHaxInjector-PUBGM.exe" ENABLE3⤵
- Modifies Windows Firewall
PID:1544
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\VnHaxInjector-PUBGM.exeFilesize
1.9MB
MD538ea6558716e1b9a30a34436921f3d75
SHA1ad17715a31b524a1c215bd4c8399e24123f30d16
SHA25658948898805076345eb046014a3c10649156088a1529d325220217afc752b077
SHA5129537c6972021a47296fc7150fb5babe538cb11f5d3a7c6d4955f402c2ef57a971e93d00847519f1599387e91adf62bfcceac5e90e19fef4c56ab781cae84d650
-
C:\Users\Admin\AppData\Local\Temp\VnHaxInjector-PUBGM.exeFilesize
1.9MB
MD538ea6558716e1b9a30a34436921f3d75
SHA1ad17715a31b524a1c215bd4c8399e24123f30d16
SHA25658948898805076345eb046014a3c10649156088a1529d325220217afc752b077
SHA5129537c6972021a47296fc7150fb5babe538cb11f5d3a7c6d4955f402c2ef57a971e93d00847519f1599387e91adf62bfcceac5e90e19fef4c56ab781cae84d650
-
\Users\Admin\AppData\Local\Temp\VnHaxInjector-PUBGM.exeFilesize
1.9MB
MD538ea6558716e1b9a30a34436921f3d75
SHA1ad17715a31b524a1c215bd4c8399e24123f30d16
SHA25658948898805076345eb046014a3c10649156088a1529d325220217afc752b077
SHA5129537c6972021a47296fc7150fb5babe538cb11f5d3a7c6d4955f402c2ef57a971e93d00847519f1599387e91adf62bfcceac5e90e19fef4c56ab781cae84d650
-
memory/580-60-0x0000000000000000-mapping.dmp
-
memory/580-63-0x0000000001090000-0x0000000001276000-memory.dmpFilesize
1.9MB
-
memory/580-64-0x0000000000950000-0x00000000009B4000-memory.dmpFilesize
400KB
-
memory/1252-54-0x0000000000020000-0x0000000000206000-memory.dmpFilesize
1.9MB
-
memory/1252-55-0x0000000000860000-0x00000000008D0000-memory.dmpFilesize
448KB
-
memory/1252-56-0x0000000004950000-0x00000000049B4000-memory.dmpFilesize
400KB
-
memory/1252-57-0x0000000004F90000-0x0000000004FE8000-memory.dmpFilesize
352KB
-
memory/1252-58-0x0000000076381000-0x0000000076383000-memory.dmpFilesize
8KB
-
memory/1544-65-0x0000000000000000-mapping.dmp