Analysis
max time kernel: 152s
max time network: 149s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 14:51
Behavioral task: behavioral1
Sample: 3fbb433c5836c281166a1b513483d192.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 3fbb433c5836c281166a1b513483d192.exe
Resource: win10v2004-20221111-en
General
Target: 3fbb433c5836c281166a1b513483d192.exe
Size: 385KB
MD5: 3fbb433c5836c281166a1b513483d192
SHA1: 659ae1de8a8026ed1c39d606f3d71dcf02da50d9
SHA256: 2b178a6e38b12767d5032d4f265e6f6e6491a4e6dd7932000da44daadb276dd6
SHA512: 7dca1d409c10d88296c20d01694bbfc0c045bf2c648abe29459b8a4839621ee95a6e3a26824c97de2f40902083e2d98d13d9d682e2da8e60553568f30f031be4
SSDEEP: 6144:IHPiCekjRG4Pt5H0PpTjzyHhJ1qL47mj3C:FCeyNT1qs7m
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: aimbot injetavel (macro)
C2: donaldsvip1234.ddns.net:1177
Mutex: f688b827a43e9e4ecb105692c7327b94
reg_key: f688b827a43e9e4ecb105692c7327b94
splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  988 Ahk.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f688b827a43e9e4ecb105692c7327b94.exe (Ahk.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f688b827a43e9e4ecb105692c7327b94.exe (Ahk.exe)
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
  1032 3fbb433c5836c281166a1b513483d192.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\f688b827a43e9e4ecb105692c7327b94 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ahk.exe\" .." (Ahk.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f688b827a43e9e4ecb105692c7327b94 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ahk.exe\" .." (Ahk.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (17 IoCs)
  Processes (description, pid, process):
  Token: SeDebugPrivilege 988 Ahk.exe
  Token: 33 988 Ahk.exe
  Token: SeIncBasePriorityPrivilege 988 Ahk.exe
  Token: 33 988 Ahk.exe
  Token: SeIncBasePriorityPrivilege 988 Ahk.exe
  Token: 33 988 Ahk.exe
  Token: SeIncBasePriorityPrivilege 988 Ahk.exe
  Token: 33 988 Ahk.exe
  Token: SeIncBasePriorityPrivilege 988 Ahk.exe
  Token: 33 988 Ahk.exe
  Token: SeIncBasePriorityPrivilege 988 Ahk.exe
  Token: 33 988 Ahk.exe
  Token: SeIncBasePriorityPrivilege 988 Ahk.exe
  Token: 33 988 Ahk.exe
  Token: SeIncBasePriorityPrivilege 988 Ahk.exe
  Token: 33 988 Ahk.exe
  Token: SeIncBasePriorityPrivilege 988 Ahk.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
  PID 1032 wrote to memory of 988: 3fbb433c5836c281166a1b513483d192.exe -> Ahk.exe
  PID 1032 wrote to memory of 988: 3fbb433c5836c281166a1b513483d192.exe -> Ahk.exe
  PID 1032 wrote to memory of 988: 3fbb433c5836c281166a1b513483d192.exe -> Ahk.exe
  PID 1032 wrote to memory of 988: 3fbb433c5836c281166a1b513483d192.exe -> Ahk.exe
  PID 988 wrote to memory of 1764: Ahk.exe -> netsh.exe
  PID 988 wrote to memory of 1764: Ahk.exe -> netsh.exe
  PID 988 wrote to memory of 1764: Ahk.exe -> netsh.exe
  PID 988 wrote to memory of 1764: Ahk.exe -> netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\3fbb433c5836c281166a1b513483d192.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3fbb433c5836c281166a1b513483d192.exe"
  PID: 1032
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Ahk.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Ahk.exe"
    PID: 988
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Ahk.exe" "Ahk.exe" ENABLE
      PID: 1764
      - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Ahk.exe
  Filesize: 385KB
  MD5: 3fbb433c5836c281166a1b513483d192
  SHA1: 659ae1de8a8026ed1c39d606f3d71dcf02da50d9
  SHA256: 2b178a6e38b12767d5032d4f265e6f6e6491a4e6dd7932000da44daadb276dd6
  SHA512: 7dca1d409c10d88296c20d01694bbfc0c045bf2c648abe29459b8a4839621ee95a6e3a26824c97de2f40902083e2d98d13d9d682e2da8e60553568f30f031be4
- \Users\Admin\AppData\Roaming\Ahk.exe
  Filesize: 385KB
  MD5: 3fbb433c5836c281166a1b513483d192
  SHA1: 659ae1de8a8026ed1c39d606f3d71dcf02da50d9
  SHA256: 2b178a6e38b12767d5032d4f265e6f6e6491a4e6dd7932000da44daadb276dd6
  SHA512: 7dca1d409c10d88296c20d01694bbfc0c045bf2c648abe29459b8a4839621ee95a6e3a26824c97de2f40902083e2d98d13d9d682e2da8e60553568f30f031be4
- memory/988-57-0x0000000000000000-mapping.dmp
- memory/988-62-0x0000000074F00000-0x00000000754AB000-memory.dmp
  Filesize: 5.7MB
- memory/988-63-0x0000000074F00000-0x00000000754AB000-memory.dmp
  Filesize: 5.7MB
- memory/1032-54-0x0000000076711000-0x0000000076713000-memory.dmp
  Filesize: 8KB
- memory/1032-55-0x0000000074F00000-0x00000000754AB000-memory.dmp
  Filesize: 5.7MB
- memory/1032-61-0x0000000074F00000-0x00000000754AB000-memory.dmp
  Filesize: 5.7MB
- memory/1764-64-0x0000000000000000-mapping.dmp