Analysis
max time kernel: 152s
max time network: 179s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 26-11-2022 08:43
Behavioral task: behavioral1
Sample: e23d2c38f9950e240224323130432eb402990c609078ad23820450a3eff0c553.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: e23d2c38f9950e240224323130432eb402990c609078ad23820450a3eff0c553.exe
Resource: win10v2004-20220812-en
General
Target: e23d2c38f9950e240224323130432eb402990c609078ad23820450a3eff0c553.exe
Size: 23KB
MD5: 74780f3763b7d5b363fef25920dbadb9
SHA1: 8c6de60d4b88c9b5157acdd94e50d9495f45ceaf
SHA256: e23d2c38f9950e240224323130432eb402990c609078ad23820450a3eff0c553
SHA512: 132363ced9472520f7a8a6bd7a362ba310a353ea60d108e8a26e8a780e0e47f57ba3f312bf403d9e5d96eaa92170fe254b96c8f7af99f6d8aded6e69780c42e2
SSDEEP: 384:vcqbCK0l4h7o9SVyDGvENuh46/gJkOmMSW38mRvR6JZlbw8hqIusZzZBu:030py6vhxaRpcnuD
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: HacKed
C2: fuzzyhf.duckdns.org:83
Mutex: f5745fbc2df9d21e00fadcaa45b4b04a
Attributes:
  reg_key: f5745fbc2df9d21e00fadcaa45b4b04a
  splitter: |'|'|
Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid | process
  432 | msconfig.exe

Modifies Windows Firewall (1 TTP, 1 IoC)

Drops startup file (2 IoCs)
Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5745fbc2df9d21e00fadcaa45b4b04a.exe | msconfig.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5745fbc2df9d21e00fadcaa45b4b04a.exe | msconfig.exe

Loads dropped DLL (1 IoC)
Processes:
  pid | process
  1188 | e23d2c38f9950e240224323130432eb402990c609078ad23820450a3eff0c553.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\f5745fbc2df9d21e00fadcaa45b4b04a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\msconfig.exe\" .." | msconfig.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f5745fbc2df9d21e00fadcaa45b4b04a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\msconfig.exe\" .." | msconfig.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (21 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 432 | msconfig.exe
  Token: 33 | 432 | msconfig.exe (10 occurrences)
  Token: SeIncBasePriorityPrivilege | 432 | msconfig.exe (10 occurrences)

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description | pid | process | target process
  PID 1188 wrote to memory of 432 | 1188 | e23d2c38f9950e240224323130432eb402990c609078ad23820450a3eff0c553.exe | msconfig.exe (4 occurrences)
  PID 432 wrote to memory of 1476 | 432 | msconfig.exe | netsh.exe (4 occurrences)
Processes

1. C:\Users\Admin\AppData\Local\Temp\e23d2c38f9950e240224323130432eb402990c609078ad23820450a3eff0c553.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e23d2c38f9950e240224323130432eb402990c609078ad23820450a3eff0c553.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\msconfig.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\msconfig.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\msconfig.exe" "msconfig.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\msconfig.exe
  Filesize: 23KB
  MD5: 74780f3763b7d5b363fef25920dbadb9
  SHA1: 8c6de60d4b88c9b5157acdd94e50d9495f45ceaf
  SHA256: e23d2c38f9950e240224323130432eb402990c609078ad23820450a3eff0c553
  SHA512: 132363ced9472520f7a8a6bd7a362ba310a353ea60d108e8a26e8a780e0e47f57ba3f312bf403d9e5d96eaa92170fe254b96c8f7af99f6d8aded6e69780c42e2

C:\Users\Admin\AppData\Local\Temp\msconfig.exe
  Filesize: 23KB
  MD5: 74780f3763b7d5b363fef25920dbadb9
  SHA1: 8c6de60d4b88c9b5157acdd94e50d9495f45ceaf
  SHA256: e23d2c38f9950e240224323130432eb402990c609078ad23820450a3eff0c553
  SHA512: 132363ced9472520f7a8a6bd7a362ba310a353ea60d108e8a26e8a780e0e47f57ba3f312bf403d9e5d96eaa92170fe254b96c8f7af99f6d8aded6e69780c42e2

\Users\Admin\AppData\Local\Temp\msconfig.exe
  Filesize: 23KB
  MD5: 74780f3763b7d5b363fef25920dbadb9
  SHA1: 8c6de60d4b88c9b5157acdd94e50d9495f45ceaf
  SHA256: e23d2c38f9950e240224323130432eb402990c609078ad23820450a3eff0c553
  SHA512: 132363ced9472520f7a8a6bd7a362ba310a353ea60d108e8a26e8a780e0e47f57ba3f312bf403d9e5d96eaa92170fe254b96c8f7af99f6d8aded6e69780c42e2
Memory dumps

memory/432-57-0x0000000000000000-mapping.dmp
memory/432-62-0x0000000073EB0000-0x000000007445B000-memory.dmp  Filesize: 5.7MB
memory/432-65-0x0000000073EB0000-0x000000007445B000-memory.dmp  Filesize: 5.7MB
memory/1188-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp  Filesize: 8KB
memory/1188-55-0x0000000073EB0000-0x000000007445B000-memory.dmp  Filesize: 5.7MB
memory/1188-61-0x0000000073EB0000-0x000000007445B000-memory.dmp  Filesize: 5.7MB
memory/1476-63-0x0000000000000000-mapping.dmp