Analysis
-
max time kernel
149s
-
max time network
66s
-
platform
windows7_x64
-
resource
win7-20220812-en
-
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
-
submitted
28-11-2022 17:39
Static task
static1
Behavioral task
behavioral1
Sample
8d7a692207eeb5b954bc28e7a5dac677295ce732fd4f7bea83ec98f6477417fc.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
8d7a692207eeb5b954bc28e7a5dac677295ce732fd4f7bea83ec98f6477417fc.exe
Resource
win10v2004-20221111-en
General
-
Target
8d7a692207eeb5b954bc28e7a5dac677295ce732fd4f7bea83ec98f6477417fc.exe
-
Size
251KB
-
MD5
8d493ee0b7d0e583917627629c944558
-
SHA1
293b4a60311ae615c4145879e810ea7646602b53
-
SHA256
8d7a692207eeb5b954bc28e7a5dac677295ce732fd4f7bea83ec98f6477417fc
-
SHA512
44ec0354d0222fa9ea6ef998c80841bb3b387b4cad80818b06700a04f248854e4c2d7352780095657c1a4342310b67e0f993278a8072e51c1f099c9e71b5aa98
-
SSDEEP
3072:DKKEi+8d31/oMP5eoNZK5uHI9D5GgcBB40ICqsySuUgAUUCYi:DKKCy1/oMPcoNHIV5sBK0I4TJCY
Malware Config
Extracted
Family
njrat
Version
0.6.4
Botnet
saleh
C2
freepage.sytes.net:1177
Mutex
6e1ce27bcc6ff5920e6f5b65cc3a57bd
-
reg_key
6e1ce27bcc6ff5920e6f5b65cc3a57bd
-
splitter
|'|'|
Signatures
-
Executes dropped EXE 1 IoCs
Processes: services.exe
pid | process
624 | services.exe
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Drops startup file 2 IoCs
Processes: services.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e1ce27bcc6ff5920e6f5b65cc3a57bd.exe | services.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e1ce27bcc6ff5920e6f5b65cc3a57bd.exe | services.exe
-
Loads dropped DLL 1 IoCs
Processes: 8d7a692207eeb5b954bc28e7a5dac677295ce732fd4f7bea83ec98f6477417fc.exe
pid | process
1256 | 8d7a692207eeb5b954bc28e7a5dac677295ce732fd4f7bea83ec98f6477417fc.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: services.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\6e1ce27bcc6ff5920e6f5b65cc3a57bd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe\" .." | services.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\6e1ce27bcc6ff5920e6f5b65cc3a57bd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe\" .." | services.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes: services.exe
pid | process
624 | services.exe
624 | services.exe
624 | services.exe
624 | services.exe
624 | services.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: services.exe
description | pid | process
Token: SeDebugPrivilege | 624 | services.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes: 8d7a692207eeb5b954bc28e7a5dac677295ce732fd4f7bea83ec98f6477417fc.exe, services.exe
description | pid | process | target process
PID 1256 wrote to memory of 624 | 1256 | 8d7a692207eeb5b954bc28e7a5dac677295ce732fd4f7bea83ec98f6477417fc.exe | services.exe
PID 1256 wrote to memory of 624 | 1256 | 8d7a692207eeb5b954bc28e7a5dac677295ce732fd4f7bea83ec98f6477417fc.exe | services.exe
PID 1256 wrote to memory of 624 | 1256 | 8d7a692207eeb5b954bc28e7a5dac677295ce732fd4f7bea83ec98f6477417fc.exe | services.exe
PID 1256 wrote to memory of 624 | 1256 | 8d7a692207eeb5b954bc28e7a5dac677295ce732fd4f7bea83ec98f6477417fc.exe | services.exe
PID 624 wrote to memory of 1412 | 624 | services.exe | netsh.exe
PID 624 wrote to memory of 1412 | 624 | services.exe | netsh.exe
PID 624 wrote to memory of 1412 | 624 | services.exe | netsh.exe
PID 624 wrote to memory of 1412 | 624 | services.exe | netsh.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\8d7a692207eeb5b954bc28e7a5dac677295ce732fd4f7bea83ec98f6477417fc.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8d7a692207eeb5b954bc28e7a5dac677295ce732fd4f7bea83ec98f6477417fc.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   -
   2. C:\Users\Admin\AppData\Local\Temp\services.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\services.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      -
      3. C:\Windows\SysWOW64\netsh.exe (child of 2)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\services.exe" "services.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\services.exe
Filesize
251KB
MD5
8d493ee0b7d0e583917627629c944558
SHA1
293b4a60311ae615c4145879e810ea7646602b53
SHA256
8d7a692207eeb5b954bc28e7a5dac677295ce732fd4f7bea83ec98f6477417fc
SHA512
44ec0354d0222fa9ea6ef998c80841bb3b387b4cad80818b06700a04f248854e4c2d7352780095657c1a4342310b67e0f993278a8072e51c1f099c9e71b5aa98
-
\Users\Admin\AppData\Local\Temp\services.exe
Filesize
251KB
MD5
8d493ee0b7d0e583917627629c944558
SHA1
293b4a60311ae615c4145879e810ea7646602b53
SHA256
8d7a692207eeb5b954bc28e7a5dac677295ce732fd4f7bea83ec98f6477417fc
SHA512
44ec0354d0222fa9ea6ef998c80841bb3b387b4cad80818b06700a04f248854e4c2d7352780095657c1a4342310b67e0f993278a8072e51c1f099c9e71b5aa98
-
memory/624-58-0x0000000000000000-mapping.dmp
-
memory/624-61-0x00000000000A0000-0x00000000000E6000-memory.dmp
Filesize
280KB
-
memory/1256-54-0x0000000000CA0000-0x0000000000CE6000-memory.dmp
Filesize
280KB
-
memory/1256-55-0x0000000000480000-0x000000000048E000-memory.dmp
Filesize
56KB
-
memory/1256-56-0x0000000075C61000-0x0000000075C63000-memory.dmp
Filesize
8KB
-
memory/1412-62-0x0000000000000000-mapping.dmp