Analysis
- max time kernel: 151s
- max time network: 138s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 07-02-2023 01:32
Behavioral task: behavioral1
- Sample: 1244-56-0x00000000003E0000-0x00000000003EA000-memory.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 1244-56-0x00000000003E0000-0x00000000003EA000-memory.exe
- Resource: win10v2004-20221111-en
General
- Target: 1244-56-0x00000000003E0000-0x00000000003EA000-memory.exe
- Size: 40KB
- MD5: 54804479a9d505013067bc3fa5de1d98
- SHA1: 99d0ae239cb09cc78c996d6db6a01ef37bca2866
- SHA256: 47ef8a83ff586e9eb82f68c7095b8d1470cdea4ed03c7eeb102508cbfe4f06f1
- SHA512: d6152f8f7eb197d36bac30f06a566dedfbbd1364bb4e82fcaded058ea4cd376f469fed18a53c8df55e222298768e17cc6734a93e07cd3ed420c615f2d607f3ff
- SSDEEP: 384:8Pwz6+T4IjWZFNwXU0eiNUBdvt6lgT+lLOhXxQmRvR6JZlbw8hqIusZzZfB:8ETbC81NgRpcnu+
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: gololosd.ddns.net:9090
- Mutex: 151fd47f794ef2318b946b794bcd6603
- reg_key: 151fd47f794ef2318b946b794bcd6603
- splitter: |'|'|
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Drops startup file (2 IoCs)
  Processes (description | ioc | process):
  - File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\151fd47f794ef2318b946b794bcd6603.exe | taskmgr.exe
  - File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\151fd47f794ef2318b946b794bcd6603.exe | taskmgr.exe
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
  - 1328 | taskmgr.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  - 1852 | 1244-56-0x00000000003E0000-0x00000000003EA000-memory.exe
  - 1852 | 1244-56-0x00000000003E0000-0x00000000003EA000-memory.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  - Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\151fd47f794ef2318b946b794bcd6603 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\taskmgr.exe\" .." | taskmgr.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\151fd47f794ef2318b946b794bcd6603 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\taskmgr.exe\" .." | taskmgr.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Processes (description | pid | process):
  - Token: SeDebugPrivilege | 1328 | taskmgr.exe
  - Token: 33 | 1328 | taskmgr.exe (9 occurrences, alternating with the next row)
  - Token: SeIncBasePriorityPrivilege | 1328 | taskmgr.exe (9 occurrences)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description | pid | process | target process):
  - PID 1852 wrote to memory of 1328 | 1852 | 1244-56-0x00000000003E0000-0x00000000003EA000-memory.exe | taskmgr.exe (4 occurrences)
  - PID 1328 wrote to memory of 788 | 1328 | taskmgr.exe | netsh.exe (4 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\1244-56-0x00000000003E0000-0x00000000003EA000-memory.exe (PID 1852)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1244-56-0x00000000003E0000-0x00000000003EA000-memory.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\taskmgr.exe (PID 1328)
    Command line: "C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 788)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\taskmgr.exe" "taskmgr.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
  Filesize: 40KB
  MD5: 54804479a9d505013067bc3fa5de1d98
  SHA1: 99d0ae239cb09cc78c996d6db6a01ef37bca2866
  SHA256: 47ef8a83ff586e9eb82f68c7095b8d1470cdea4ed03c7eeb102508cbfe4f06f1
  SHA512: d6152f8f7eb197d36bac30f06a566dedfbbd1364bb4e82fcaded058ea4cd376f469fed18a53c8df55e222298768e17cc6734a93e07cd3ed420c615f2d607f3ff
- \Users\Admin\AppData\Local\Temp\taskmgr.exe
  Filesize: 40KB
  MD5: 54804479a9d505013067bc3fa5de1d98
  SHA1: 99d0ae239cb09cc78c996d6db6a01ef37bca2866
  SHA256: 47ef8a83ff586e9eb82f68c7095b8d1470cdea4ed03c7eeb102508cbfe4f06f1
  SHA512: d6152f8f7eb197d36bac30f06a566dedfbbd1364bb4e82fcaded058ea4cd376f469fed18a53c8df55e222298768e17cc6734a93e07cd3ed420c615f2d607f3ff
- memory/788-64-0x0000000000000000-mapping.dmp
- memory/1328-58-0x0000000000000000-mapping.dmp
- memory/1328-63-0x00000000745F0000-0x0000000074B9B000-memory.dmp
  Filesize: 5.7MB
- memory/1328-66-0x00000000745F0000-0x0000000074B9B000-memory.dmp
  Filesize: 5.7MB
- memory/1852-54-0x0000000076151000-0x0000000076153000-memory.dmp
  Filesize: 8KB
- memory/1852-55-0x00000000745F0000-0x0000000074B9B000-memory.dmp
  Filesize: 5.7MB
- memory/1852-62-0x00000000745F0000-0x0000000074B9B000-memory.dmp
  Filesize: 5.7MB