Analysis
max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system
submitted: 31-01-2023 08:41
Behavioral task: behavioral1
Sample: abef5960fcda8c82d1fdbb291e7a9012.exe
Resource: win7-20221111-en
General
Target: abef5960fcda8c82d1fdbb291e7a9012.exe
Size: 472KB
MD5: abef5960fcda8c82d1fdbb291e7a9012
SHA1: 84e03cd48d7fec40753fc1226c88013f39bedcc0
SHA256: 2ab90c3a95b4caa67473c8ac945ce0b69ae3b7d5778bd431214900812ab6fb3f
SHA512: 10a92617477010bfb1550fdecc7f8dbd16b7debd6916b9c683e24931960f5aef1434f5346d1341c5bd77599267eee259e9f047565df32dc55a4be71302a5e515
SSDEEP: 12288:u/N73EBM32LTQ9/hFou9SoUEZkmNlYX07i:u/N463oKrou/vZkmv3
Malware Config
Extracted
Family: njrat
Version string: <- NjRAT 0.7d Horror Edition ->
Botnet/campaign: HacK
C2: 0.tcp.in.ngrok.io:11408
Mutex: f98d9d08ffb40400218be2d9b125d7d3
Attributes:
- reg_key: f98d9d08ffb40400218be2d9b125d7d3
- splitter: Y262SUCZ4UJJ
Signatures
Executes dropped EXE (2 IoCs)
Processes:
  pid 2012  LocalStaFvjUblU.exe
  pid 1584  hoodies.exe
Loads dropped DLL (1 IoC)
Processes:
  pid 2012  LocalStaFvjUblU.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid 2012  LocalStaFvjUblU.exe (64 occurrences)
Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes (description, pid, process):
  Token: SeDebugPrivilege            2012  LocalStaFvjUblU.exe
  Token: SeDebugPrivilege            1584  hoodies.exe
  Token: 33                          1584  hoodies.exe (11 occurrences)
  Token: SeIncBasePriorityPrivilege  1584  hoodies.exe (11 occurrences)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description, pid, process, target process):
  PID 1108 wrote to memory of 2012  abef5960fcda8c82d1fdbb291e7a9012.exe -> LocalStaFvjUblU.exe (4 occurrences)
  PID 2012 wrote to memory of 1584  LocalStaFvjUblU.exe -> hoodies.exe (4 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\abef5960fcda8c82d1fdbb291e7a9012.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\abef5960fcda8c82d1fdbb291e7a9012.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\LocalStaFvjUblU.exe
      Command line: "C:\Users\Admin\AppData\LocalStaFvjUblU.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\hoodies.exe
         Command line: "C:\Users\Admin\hoodies.exe"
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\LocalStaFvjUblU.exe
Filesize: 55KB
MD5: 4f8d0d9157298433bf22955d30462d72
SHA1: 5fe06ac65da8bbc98689c496ccfe36eae898e698
SHA256: 8ac73cedb35abeb387e8ae77f418305d3e389a84756488c84338b58721edf373
SHA512: b0c9bba9f32b25287a7f8d2339b8556bb354dc177eb4cec79e4563e3b73d499bfba378677e115b0bc290eec55f1899e8d7d2a9457100f4d3b80d594fa9c936ac

C:\Users\Admin\hoodies.exe
Filesize: 55KB
MD5: 4f8d0d9157298433bf22955d30462d72
SHA1: 5fe06ac65da8bbc98689c496ccfe36eae898e698
SHA256: 8ac73cedb35abeb387e8ae77f418305d3e389a84756488c84338b58721edf373
SHA512: b0c9bba9f32b25287a7f8d2339b8556bb354dc177eb4cec79e4563e3b73d499bfba378677e115b0bc290eec55f1899e8d7d2a9457100f4d3b80d594fa9c936ac

\Users\Admin\hoodies.exe
Filesize: 55KB
MD5: 4f8d0d9157298433bf22955d30462d72
SHA1: 5fe06ac65da8bbc98689c496ccfe36eae898e698
SHA256: 8ac73cedb35abeb387e8ae77f418305d3e389a84756488c84338b58721edf373
SHA512: b0c9bba9f32b25287a7f8d2339b8556bb354dc177eb4cec79e4563e3b73d499bfba378677e115b0bc290eec55f1899e8d7d2a9457100f4d3b80d594fa9c936ac
memory/1108-55-0x000007FEFC1B1000-0x000007FEFC1B3000-memory.dmp  Filesize: 8KB
memory/1108-54-0x000007FEF47F0000-0x000007FEF5213000-memory.dmp  Filesize: 10.1MB
memory/1108-60-0x000000001AE70000-0x000000001AE80000-memory.dmp  Filesize: 64KB
memory/1584-69-0x0000000074A60000-0x000000007500B000-memory.dmp  Filesize: 5.7MB
memory/1584-67-0x0000000074A60000-0x000000007500B000-memory.dmp  Filesize: 5.7MB
memory/1584-63-0x0000000000000000-mapping.dmp
memory/2012-56-0x0000000000000000-mapping.dmp
memory/2012-68-0x0000000074A60000-0x000000007500B000-memory.dmp  Filesize: 5.7MB
memory/2012-61-0x0000000074A60000-0x000000007500B000-memory.dmp  Filesize: 5.7MB
memory/2012-59-0x00000000767F1000-0x00000000767F3000-memory.dmp  Filesize: 8KB