Analysis
max time kernel: 149s
max time network: 147s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 06-02-2023 23:37
Static task: static1
Behavioral task: behavioral1
  Sample: 0c7e71cb15f3a654bd603ecc875126b5.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 0c7e71cb15f3a654bd603ecc875126b5.exe
  Resource: win10v2004-20220812-en
General
Target: 0c7e71cb15f3a654bd603ecc875126b5.exe
Size: 25KB
MD5: 0c7e71cb15f3a654bd603ecc875126b5
SHA1: 86b9b8214a1f25c1c059201b89b0e058ccc24046
SHA256: 697e668ff68ad6ec46a37f3be151cceee3df535f78af08fc290f4553d5b562fb
SHA512: 35608317ba260a1483002dbb7271db5b10ca02b07f6f9dde2453bfd449397516ad32fb86d340e37ed140b53e6fdd0d57d113e2d9bf7dc4abf7265235628499e9
SSDEEP: 768:svp3Gwda1gHhRsSiBCyiEs81sByH6oCgmj:Q3Gwda1gBVOCyiYyBy3E
Malware Config
Extracted
Family: njrat
Version: Njrat 0.7 Golden By Hassan Amiri
Botnet: HacKed
C2: 4.tcp.eu.ngrok.io:12433
Mutex: Windows Update
reg_key: Windows Update
splitter: |Hassan|
Signatures
Drops startup file (2 IoCs)
  Process: Sosipisyn.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe (Sosipisyn.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe (Sosipisyn.exe)
Executes dropped EXE (1 IoC)
  Process: Sosipisyn.exe, pid 988
Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: Sosipisyn.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\Sosipisyn.exe\" .." (Sosipisyn.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\Sosipisyn.exe\" .." (Sosipisyn.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: Sosipisyn.exe, pid 988
Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Process: Sosipisyn.exe, pid 988
  Token: SeDebugPrivilege (1 event)
  Token: 33 (9 events)
  Token: SeIncBasePriorityPrivilege (9 events)
Suspicious use of WriteProcessMemory (3 IoCs)
  Process: 0c7e71cb15f3a654bd603ecc875126b5.exe, pid 2016; target process: Sosipisyn.exe, pid 988
  PID 2016 wrote to memory of 988 (3 identical events, 0c7e71cb15f3a654bd603ecc875126b5.exe -> Sosipisyn.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\0c7e71cb15f3a654bd603ecc875126b5.exe (pid 2016)
   Command line: "C:\Users\Admin\AppData\Local\Temp\0c7e71cb15f3a654bd603ecc875126b5.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Sosipisyn.exe (pid 988, child of 1)
      Command line: "C:\Users\Admin\AppData\Roaming\Sosipisyn.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Downloads
C:\Users\Admin\AppData\Roaming\Sosipisyn.exe
  Filesize: 25KB
  MD5: 0c7e71cb15f3a654bd603ecc875126b5
  SHA1: 86b9b8214a1f25c1c059201b89b0e058ccc24046
  SHA256: 697e668ff68ad6ec46a37f3be151cceee3df535f78af08fc290f4553d5b562fb
  SHA512: 35608317ba260a1483002dbb7271db5b10ca02b07f6f9dde2453bfd449397516ad32fb86d340e37ed140b53e6fdd0d57d113e2d9bf7dc4abf7265235628499e9
memory/988-57-0x0000000000000000-mapping.dmp
memory/988-60-0x0000000000B90000-0x0000000000B98000-memory.dmp
  Filesize: 32KB
memory/2016-54-0x0000000000FF0000-0x0000000000FF8000-memory.dmp
  Filesize: 32KB
memory/2016-55-0x0000000000140000-0x0000000000152000-memory.dmp
  Filesize: 72KB
memory/2016-56-0x000007FEFBF41000-0x000007FEFBF43000-memory.dmp
  Filesize: 8KB