Analysis
max time kernel: 229s
max time network: 304s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 08:43
Static task: static1
Behavioral task: behavioral1
  Sample: 55738468fb67f43c712a8a12d756ae0c0f59851829fc431b1bb64c05b1cb5511.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 55738468fb67f43c712a8a12d756ae0c0f59851829fc431b1bb64c05b1cb5511.exe
  Resource: win10v2004-20220812-en
General
Target: 55738468fb67f43c712a8a12d756ae0c0f59851829fc431b1bb64c05b1cb5511.exe
Size: 1.3MB
MD5: 583b5a81dcfd0874e7143cd8afeb00ca
SHA1: 34de7fee57a3031cf1fcf06b08676a8ef6ec618e
SHA256: 55738468fb67f43c712a8a12d756ae0c0f59851829fc431b1bb64c05b1cb5511
SHA512: 4a691ffefa1b568803fadd348a305b5bbd3d2334e239161ef1dcb065be2a81513d03a9b57632f32a0e53cf71ef1f2a3aed3ea8fb24e2ed3dfd110c93681a7c42
SSDEEP: 24576:AVnys45NP7/uDG4w1K7/+tNdBZyf/t5chYdru8tGtx/NH6tObd3/poiJHvQtM+:Bs4X7iG4hqtNPY5caNC/NEO1WTf
Malware Config
Extracted
  njrat
  0.7d
  HacKed
  hhh12.ddns.net:2004
  2db97f87111f590c0aecc4ee6a32b917
  reg_key: 2db97f87111f590c0aecc4ee6a32b917
  splitter: |'|'|
Signatures
Executes dropped EXE (3 IoCs)
  Processes: h.exe, Google.exe, ODIN3V~1.EXE
  pid | process
  1648 | h.exe
  1356 | Google.exe
  824 | ODIN3V~1.EXE
Modifies Windows Firewall (1 TTPs, 1 IoCs)
Drops startup file (2 IoCs)
  Processes: Google.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2db97f87111f590c0aecc4ee6a32b917.exe | Google.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2db97f87111f590c0aecc4ee6a32b917.exe | Google.exe
Loads dropped DLL (2 IoCs)
  Processes: 55738468fb67f43c712a8a12d756ae0c0f59851829fc431b1bb64c05b1cb5511.exe, h.exe
  pid | process
  1944 | 55738468fb67f43c712a8a12d756ae0c0f59851829fc431b1bb64c05b1cb5511.exe
  1648 | h.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: 55738468fb67f43c712a8a12d756ae0c0f59851829fc431b1bb64c05b1cb5511.exe, Google.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 55738468fb67f43c712a8a12d756ae0c0f59851829fc431b1bb64c05b1cb5511.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\2db97f87111f590c0aecc4ee6a32b917 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Google.exe\" .." | Google.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2db97f87111f590c0aecc4ee6a32b917 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Google.exe\" .." | Google.exe
  Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | 55738468fb67f43c712a8a12d756ae0c0f59851829fc431b1bb64c05b1cb5511.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Processes: h.exe, Google.exe
  description | pid | process
  Token: SeDebugPrivilege | 1648 | h.exe
  Token: SeDebugPrivilege | 1356 | Google.exe
  Token: 33 | 1356 | Google.exe
  Token: SeIncBasePriorityPrivilege | 1356 | Google.exe
  Token: 33 | 1356 | Google.exe
  Token: SeIncBasePriorityPrivilege | 1356 | Google.exe
  Token: 33 | 1356 | Google.exe
  Token: SeIncBasePriorityPrivilege | 1356 | Google.exe
  Token: 33 | 1356 | Google.exe
  Token: SeIncBasePriorityPrivilege | 1356 | Google.exe
  Token: 33 | 1356 | Google.exe
  Token: SeIncBasePriorityPrivilege | 1356 | Google.exe
  Token: 33 | 1356 | Google.exe
  Token: SeIncBasePriorityPrivilege | 1356 | Google.exe
  Token: 33 | 1356 | Google.exe
  Token: SeIncBasePriorityPrivilege | 1356 | Google.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: ODIN3V~1.EXE
  pid | process
  824 | ODIN3V~1.EXE
  824 | ODIN3V~1.EXE
Suspicious use of WriteProcessMemory (13 IoCs)
  Processes: 55738468fb67f43c712a8a12d756ae0c0f59851829fc431b1bb64c05b1cb5511.exe, h.exe, Google.exe
  description | pid | process | target process
  PID 1944 wrote to memory of 1648 | 1944 | 55738468fb67f43c712a8a12d756ae0c0f59851829fc431b1bb64c05b1cb5511.exe | h.exe
  PID 1944 wrote to memory of 1648 | 1944 | 55738468fb67f43c712a8a12d756ae0c0f59851829fc431b1bb64c05b1cb5511.exe | h.exe
  PID 1944 wrote to memory of 1648 | 1944 | 55738468fb67f43c712a8a12d756ae0c0f59851829fc431b1bb64c05b1cb5511.exe | h.exe
  PID 1648 wrote to memory of 1356 | 1648 | h.exe | Google.exe
  PID 1648 wrote to memory of 1356 | 1648 | h.exe | Google.exe
  PID 1648 wrote to memory of 1356 | 1648 | h.exe | Google.exe
  PID 1944 wrote to memory of 824 | 1944 | 55738468fb67f43c712a8a12d756ae0c0f59851829fc431b1bb64c05b1cb5511.exe | ODIN3V~1.EXE
  PID 1944 wrote to memory of 824 | 1944 | 55738468fb67f43c712a8a12d756ae0c0f59851829fc431b1bb64c05b1cb5511.exe | ODIN3V~1.EXE
  PID 1944 wrote to memory of 824 | 1944 | 55738468fb67f43c712a8a12d756ae0c0f59851829fc431b1bb64c05b1cb5511.exe | ODIN3V~1.EXE
  PID 1944 wrote to memory of 824 | 1944 | 55738468fb67f43c712a8a12d756ae0c0f59851829fc431b1bb64c05b1cb5511.exe | ODIN3V~1.EXE
  PID 1356 wrote to memory of 1492 | 1356 | Google.exe | netsh.exe
  PID 1356 wrote to memory of 1492 | 1356 | Google.exe | netsh.exe
  PID 1356 wrote to memory of 1492 | 1356 | Google.exe | netsh.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\55738468fb67f43c712a8a12d756ae0c0f59851829fc431b1bb64c05b1cb5511.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\55738468fb67f43c712a8a12d756ae0c0f59851829fc431b1bb64c05b1cb5511.exe"
    PID: 1944
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h.exe
      PID: 1648
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Roaming\Google.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Google.exe"
        PID: 1356
        - Executes dropped EXE
        - Drops startup file
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\netsh.exe
          Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Google.exe" "Google.exe" ENABLE
          PID: 1492
          - Modifies Windows Firewall
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ODIN3V~1.EXE
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ODIN3V~1.EXE
      PID: 824
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ODIN3V~1.EXE
  Filesize: 3.1MB
  MD5: 9f648eb7a02ad92596b9db897dc8eb8a
  SHA1: 7a09eaf50e540302b33a3dfe572b1a92958f5a42
  SHA256: 42f9e3a2562b2f115ec0be0da6368f16ac38f26d39b3147be3ccae635b303135
  SHA512: 51eff5451da92ff03a490ea55f6328a2b2e4438d603b05296fd5852b71ff324656b51f92424ed41e435fad71b1ec0b7f396a70bfc0ef5e5b504454d74ec6f97f
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h.exe
  Filesize: 71KB
  MD5: 5ab64fabc2c9b181d957e5bf4d6f5761
  SHA1: 8edc42a975cad9a6b9506effe3bd8a9c51ee8d83
  SHA256: 377b3509c1ea713162798f2fd3966e3614aa8610e21abf5095798baf9f92f528
  SHA512: 26aff1ed43e31b00c7ae51aaca1472876a25411dc79e8e7ed92e90514d41449fa2ac8ab760c2619f36d129b2826d63f67e9639aee12a5e64e83e555df34fed9e
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h.exe
  Filesize: 71KB
  MD5: 5ab64fabc2c9b181d957e5bf4d6f5761
  SHA1: 8edc42a975cad9a6b9506effe3bd8a9c51ee8d83
  SHA256: 377b3509c1ea713162798f2fd3966e3614aa8610e21abf5095798baf9f92f528
  SHA512: 26aff1ed43e31b00c7ae51aaca1472876a25411dc79e8e7ed92e90514d41449fa2ac8ab760c2619f36d129b2826d63f67e9639aee12a5e64e83e555df34fed9e
C:\Users\Admin\AppData\Roaming\Google.exe
  Filesize: 71KB
  MD5: 5ab64fabc2c9b181d957e5bf4d6f5761
  SHA1: 8edc42a975cad9a6b9506effe3bd8a9c51ee8d83
  SHA256: 377b3509c1ea713162798f2fd3966e3614aa8610e21abf5095798baf9f92f528
  SHA512: 26aff1ed43e31b00c7ae51aaca1472876a25411dc79e8e7ed92e90514d41449fa2ac8ab760c2619f36d129b2826d63f67e9639aee12a5e64e83e555df34fed9e
C:\Users\Admin\AppData\Roaming\Google.exe
  Filesize: 71KB
  MD5: 5ab64fabc2c9b181d957e5bf4d6f5761
  SHA1: 8edc42a975cad9a6b9506effe3bd8a9c51ee8d83
  SHA256: 377b3509c1ea713162798f2fd3966e3614aa8610e21abf5095798baf9f92f528
  SHA512: 26aff1ed43e31b00c7ae51aaca1472876a25411dc79e8e7ed92e90514d41449fa2ac8ab760c2619f36d129b2826d63f67e9639aee12a5e64e83e555df34fed9e
\Users\Admin\AppData\Local\Temp\IXP000.TMP\h.exe
  Filesize: 71KB
  MD5: 5ab64fabc2c9b181d957e5bf4d6f5761
  SHA1: 8edc42a975cad9a6b9506effe3bd8a9c51ee8d83
  SHA256: 377b3509c1ea713162798f2fd3966e3614aa8610e21abf5095798baf9f92f528
  SHA512: 26aff1ed43e31b00c7ae51aaca1472876a25411dc79e8e7ed92e90514d41449fa2ac8ab760c2619f36d129b2826d63f67e9639aee12a5e64e83e555df34fed9e
\Users\Admin\AppData\Roaming\Google.exe
  Filesize: 71KB
  MD5: 5ab64fabc2c9b181d957e5bf4d6f5761
  SHA1: 8edc42a975cad9a6b9506effe3bd8a9c51ee8d83
  SHA256: 377b3509c1ea713162798f2fd3966e3614aa8610e21abf5095798baf9f92f528
  SHA512: 26aff1ed43e31b00c7ae51aaca1472876a25411dc79e8e7ed92e90514d41449fa2ac8ab760c2619f36d129b2826d63f67e9639aee12a5e64e83e555df34fed9e
memory/824-67-0x0000000000000000-mapping.dmp
memory/824-69-0x0000000075671000-0x0000000075673000-memory.dmp
  Filesize: 8KB
memory/1356-63-0x0000000000000000-mapping.dmp
memory/1356-66-0x0000000000A20000-0x0000000000A30000-memory.dmp
  Filesize: 64KB
memory/1492-70-0x0000000000000000-mapping.dmp
memory/1648-60-0x0000000000360000-0x000000000036C000-memory.dmp
  Filesize: 48KB
memory/1648-59-0x0000000000F20000-0x0000000000F30000-memory.dmp
  Filesize: 64KB
memory/1648-56-0x0000000000000000-mapping.dmp
memory/1944-54-0x000007FEFB6F1000-0x000007FEFB6F3000-memory.dmp
  Filesize: 8KB