Analysis
max time kernel: 148s
max time network: 144s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 03-12-2022 16:21
Behavioral task behavioral1
Sample: a1a64f8671681ba96b48cfd025a42449.exe
Resource: win7-20220901-en
Behavioral task behavioral2
Sample: a1a64f8671681ba96b48cfd025a42449.exe
Resource: win10v2004-20220812-en
General
Target: a1a64f8671681ba96b48cfd025a42449.exe
Size: 27KB
MD5: a1a64f8671681ba96b48cfd025a42449
SHA1: 13369f1d952151f24a50ab3506ad1541677f46e3
SHA256: 6e1ebf0254015cbfe98dc308aaa75dd346309633e179f812174e564fb4b648ec
SHA512: d8fb283df634142ddb696dcfe82fa7530cf0a1cdf35cafed29a45c4de27db799014ba3fdec1ef8226bd28f6ebd3856ba1d7518f1789a6bc0dac8521fc60a0bb6
SSDEEP: 384:EL0M2XwBNOaLNOFs/Av2yeCP1BBvMl7AQk93vmhm7UMKmIEecKdbXTzm9bVhcaSy:St220U0Wl7A/vMHTi9bD
Malware Config
Extracted: njrat
Version: v2.0
Oliver
C2: 3.126.224.214:19586
Windows
reg_key: Windows
splitter: |-F-|
Signatures
- Executes dropped EXE (1 IoC)
  Process: GeneratorV5Full.exe, pid 768
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk (process: a1a64f8671681ba96b48cfd025a42449.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk (process: GeneratorV5Full.exe)
- Loads dropped DLL (1 IoC)
  Process: a1a64f8671681ba96b48cfd025a42449.exe, pid 1672
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GeneratorV5Full.exe" (process: a1a64f8671681ba96b48cfd025a42449.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Process: GeneratorV5Full.exe, pid 768. Token adjustments in order: SeDebugPrivilege once, then Token 33 and SeIncBasePriorityPrivilege alternating, nine times each.
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1672 (a1a64f8671681ba96b48cfd025a42449.exe) wrote to memory of PID 768 (GeneratorV5Full.exe): 4 events
  PID 1672 (a1a64f8671681ba96b48cfd025a42449.exe) wrote to memory of PID 1704 (attrib.exe): 4 events
- Views/modifies file attributes (1 TTP, 1 IoC)
Processes
- C:\Users\Admin\AppData\Local\Temp\a1a64f8671681ba96b48cfd025a42449.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a1a64f8671681ba96b48cfd025a42449.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\GeneratorV5Full.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\GeneratorV5Full.exe"
    - Executes dropped EXE
    - Drops startup file
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\attrib.exe (depth 2)
    Command line: attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\GeneratorV5Full.exe"
    - Views/modifies file attributes
Downloads
- C:\Users\Admin\AppData\Local\Temp\GeneratorV5Full.exe
  Filesize: 27KB
  MD5: a1a64f8671681ba96b48cfd025a42449
  SHA1: 13369f1d952151f24a50ab3506ad1541677f46e3
  SHA256: 6e1ebf0254015cbfe98dc308aaa75dd346309633e179f812174e564fb4b648ec
  SHA512: d8fb283df634142ddb696dcfe82fa7530cf0a1cdf35cafed29a45c4de27db799014ba3fdec1ef8226bd28f6ebd3856ba1d7518f1789a6bc0dac8521fc60a0bb6
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
  Filesize: 1KB
  MD5: c1452b52650e680e2944d95c147792c4
  SHA1: ea43c2c65dab0025bc6baf7204e53a753dd0040a
  SHA256: 2b6435f7e773215e1baaebfc6a99248d4a2957a361f5d21116eda472e8b8a83b
  SHA512: 22008295d0f01273bd10f913f2daf36dea199e7ba39c688b7aac7d7f0ac1696fe0563c24d611d538f0f177b6e97c723c95372d3b9a0148aea135a99507c7fbdb
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
  Filesize: 1014B
  MD5: 0c43f3ae1462959c3b025fbc4b160134
  SHA1: e7663491e99fede430a82ec32158b53c7b79472e
  SHA256: 8a86b2987e0ea6127f8f88520767b236d015287aa9d6bcaafc114eca95d32586
  SHA512: 4e97ce677aba702c938700fc23452dc408058f68054a84de915861da90dc4a9f34650facaf04ec4beac150d4a56be8ff95aafe730ad010bbf1fadb6c484aa05c
- \Users\Admin\AppData\Local\Temp\GeneratorV5Full.exe
  Filesize: 27KB
  MD5: a1a64f8671681ba96b48cfd025a42449
  SHA1: 13369f1d952151f24a50ab3506ad1541677f46e3
  SHA256: 6e1ebf0254015cbfe98dc308aaa75dd346309633e179f812174e564fb4b648ec
  SHA512: d8fb283df634142ddb696dcfe82fa7530cf0a1cdf35cafed29a45c4de27db799014ba3fdec1ef8226bd28f6ebd3856ba1d7518f1789a6bc0dac8521fc60a0bb6
- memory/768-57-0x0000000000000000-mapping.dmp
- memory/768-65-0x0000000074170000-0x000000007471B000-memory.dmp
  Filesize: 5.7MB
- memory/768-66-0x0000000074170000-0x000000007471B000-memory.dmp
  Filesize: 5.7MB
- memory/1672-54-0x0000000075111000-0x0000000075113000-memory.dmp
  Filesize: 8KB
- memory/1672-55-0x0000000074170000-0x000000007471B000-memory.dmp
  Filesize: 5.7MB
- memory/1672-62-0x0000000074170000-0x000000007471B000-memory.dmp
  Filesize: 5.7MB
- memory/1704-60-0x0000000000000000-mapping.dmp