Analysis
- max time kernel: 151s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
- submitted: 26-11-2022 16:57
Behavioral task: behavioral1
- Sample: onling.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: onling.exe
- Resource: win10v2004-20220812-en
General
- Target: onling.exe
- Size: 23KB
- MD5: e49ba092469c2d5813bdf3259050f977
- SHA1: 1d65cb5388cfc4ae2f91531e8dcb3b1caa598076
- SHA256: 8eb3eb1266c7ec59095e1391ec473eda426303e773ff4f595d9a5e2affb37d3a
- SHA512: 5463a3704d9339db4a2c7fe2d77000eb1c37a35ecb8fcca2ce89fede49e7390af93a00c306c177bb76cbe4d06ab212009605d38e3f8cc3546eb3057220b81a14
- SSDEEP: 384:4+n2650N3qZbATcjRGC5Eo9D46BgnqUhay1ZmRvR6JZlbw8hqIusZzZNc:nm+71d5XRpcnu5
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: dofus
- C2: volkov2014.ddns.net:123
- Mutex: 3634b8c969047b1aa244e63e9c21a96a
- reg_key: 3634b8c969047b1aa244e63e9c21a96a
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes: server.exe (pid 984)
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Loads dropped DLL (1 IoC)
  Processes: onling.exe (pid 836)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: server.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\3634b8c969047b1aa244e63e9c21a96a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\3634b8c969047b1aa244e63e9c21a96a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (17 IoCs)
  Process: server.exe (pid 984)
  Token: SeDebugPrivilege (1 time)
  Token: 33 (8 times)
  Token: SeIncBasePriorityPrivilege (8 times)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: onling.exe, server.exe
  PID 836 (onling.exe) wrote to memory of 984 (server.exe), 4 times
  PID 984 (server.exe) wrote to memory of 816 (netsh.exe), 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\onling.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\onling.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\server.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 23KB
  MD5: e49ba092469c2d5813bdf3259050f977
  SHA1: 1d65cb5388cfc4ae2f91531e8dcb3b1caa598076
  SHA256: 8eb3eb1266c7ec59095e1391ec473eda426303e773ff4f595d9a5e2affb37d3a
  SHA512: 5463a3704d9339db4a2c7fe2d77000eb1c37a35ecb8fcca2ce89fede49e7390af93a00c306c177bb76cbe4d06ab212009605d38e3f8cc3546eb3057220b81a14
- \Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 23KB
  MD5: e49ba092469c2d5813bdf3259050f977
  SHA1: 1d65cb5388cfc4ae2f91531e8dcb3b1caa598076
  SHA256: 8eb3eb1266c7ec59095e1391ec473eda426303e773ff4f595d9a5e2affb37d3a
  SHA512: 5463a3704d9339db4a2c7fe2d77000eb1c37a35ecb8fcca2ce89fede49e7390af93a00c306c177bb76cbe4d06ab212009605d38e3f8cc3546eb3057220b81a14
- memory/816-63-0x0000000000000000-mapping.dmp
- memory/836-54-0x0000000075AD1000-0x0000000075AD3000-memory.dmp
  Filesize: 8KB
- memory/836-55-0x0000000074B30000-0x00000000750DB000-memory.dmp
  Filesize: 5.7MB
- memory/836-61-0x0000000074B30000-0x00000000750DB000-memory.dmp
  Filesize: 5.7MB
- memory/984-57-0x0000000000000000-mapping.dmp
- memory/984-62-0x0000000074B30000-0x00000000750DB000-memory.dmp
  Filesize: 5.7MB
- memory/984-65-0x0000000074B30000-0x00000000750DB000-memory.dmp
  Filesize: 5.7MB