Analysis
max time kernel: 44s
max time network: 34s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 20-02-2023 13:54
Static task: static1
Behavioral task: behavioral1 (Sample: 12.exe, Resource: win7-20220812-en)
Behavioral task: behavioral2 (Sample: 12.exe, Resource: win10v2004-20221111-en)
General
Target: 12.exe
Size: 2.3MB
MD5: 03abd18550cc6a9d86e1b952b857ec6c
SHA1: 22e6d070ebf2b35f53a025b734bc5bb504306607
SHA256: deec6b6b69cbec63d25876628c13cedf96e9efccc7a043fe5dfaf2f6c3615f67
SHA512: b98c39e80d200b3809778ae9b5d3113ff44c463fb18d6c4756f687d9e67c93256c2de86304399c6966715d3e29d99b8981da63a0d1f5095fe7cb15aa57b8f7da
SSDEEP: 24576:z8oFnrj/BLDrrP9rkccneVkGpEwDN9fQbnOwqi0oTl7Q0aRtsDsfHQ+EgZC/Iio8:woF/BNrJAGaWrNbJMlk0aAWHzLZCq96
Malware Config
Extracted
Family: njrat
Version: v4.0
Botnet: MyBot
C2: winter-rd.at.ply.gg:26394
Mutex: Windows
Attributes:
  reg_key: Windows
  splitter: |-F-|
Signatures

Drops startup file (2 IoCs)
Processes: paylod.exe, Payload.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | paylod.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | Payload.exe

Executes dropped EXE (3 IoCs)
Processes: paylod.exe, CustomEXE.exe, Payload.exe
  pid | process
  1004 | paylod.exe
  1764 | CustomEXE.exe
  1680 | Payload.exe

Loads dropped DLL (6 IoCs)
Processes: 12.exe, CustomEXE.exe, paylod.exe
  pid | process
  1932 | 12.exe
  1932 | 12.exe
  1932 | 12.exe
  1764 | CustomEXE.exe
  1004 | paylod.exe
  1004 | paylod.exe

Obfuscated with Agile.Net obfuscator (1 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource | yara_rule
  behavioral1/memory/1764-69-0x0000000004F70000-0x0000000005162000-memory.dmp | agile_net

Adds Run key to start application (2 TTPs, 5 IoCs)
Processes: paylod.exe, Payload.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Payload.exe" | paylod.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: Payload.exe
  description | pid | process
  Token: SeDebugPrivilege | 1680 | Payload.exe
  Token: 33 | 1680 | Payload.exe
  Token: SeIncBasePriorityPrivilege | 1680 | Payload.exe
  Token: 33 | 1680 | Payload.exe
  Token: SeIncBasePriorityPrivilege | 1680 | Payload.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: CustomEXE.exe
  pid | process
  1764 | CustomEXE.exe
  1764 | CustomEXE.exe

Suspicious use of WriteProcessMemory (16 IoCs)
Processes: 12.exe, paylod.exe
  description | pid | process | target process
  PID 1932 wrote to memory of 1004 | 1932 | 12.exe | paylod.exe
  PID 1932 wrote to memory of 1004 | 1932 | 12.exe | paylod.exe
  PID 1932 wrote to memory of 1004 | 1932 | 12.exe | paylod.exe
  PID 1932 wrote to memory of 1004 | 1932 | 12.exe | paylod.exe
  PID 1932 wrote to memory of 1764 | 1932 | 12.exe | CustomEXE.exe
  PID 1932 wrote to memory of 1764 | 1932 | 12.exe | CustomEXE.exe
  PID 1932 wrote to memory of 1764 | 1932 | 12.exe | CustomEXE.exe
  PID 1932 wrote to memory of 1764 | 1932 | 12.exe | CustomEXE.exe
  PID 1004 wrote to memory of 1680 | 1004 | paylod.exe | Payload.exe
  PID 1004 wrote to memory of 1680 | 1004 | paylod.exe | Payload.exe
  PID 1004 wrote to memory of 1680 | 1004 | paylod.exe | Payload.exe
  PID 1004 wrote to memory of 1680 | 1004 | paylod.exe | Payload.exe
  PID 1004 wrote to memory of 1692 | 1004 | paylod.exe | attrib.exe
  PID 1004 wrote to memory of 1692 | 1004 | paylod.exe | attrib.exe
  PID 1004 wrote to memory of 1692 | 1004 | paylod.exe | attrib.exe
  PID 1004 wrote to memory of 1692 | 1004 | paylod.exe | attrib.exe

Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes
C:\Users\Admin\AppData\Local\Temp\12.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\12.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\paylod.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\paylod.exe"
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Payload.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Payload.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Payload.exe"
      - Views/modifies file attributes
  C:\Users\Admin\AppData\Local\Temp\CustomEXE.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\CustomEXE.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\CustomEXE.exe (1.6MB)
  MD5 228a69dc15032fd0fb7100ff8561185e
  SHA1 f8dbc89fed8078da7f306cb78b92ce04a0bdeb00
  SHA256 920bec9d500f6446b84399ab4c84858d0f0d7d1abb2e0377399ebbc4bafad709
  SHA512 373621c4743fa72571b3c8375aa6f7852303a821558b016b002d2af07154787d978f66696db89eeed8fe41f4aed5d66b690d4f87469939f9b1dea2ac2b9101f1
- C:\Users\Admin\AppData\Local\Temp\paylod.exe (26KB)
  MD5 966a59574a110ede5ff4e489d278773a
  SHA1 427b1088d83cd7528a7e13d81a9688ce6c2b5261
  SHA256 940ae678064a838a8d85e539ab8a99e83b64d7337742d3180cb8c730808f9d5c
  SHA512 480522397f317f6a1430c79025417297e0a6c095cbc83543dc31ee4ae17e482bbd8d2b12733bd39531668f16e23c38411b289b5c18cf0544a1d3b9fbe81a2b30
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk (1KB)
  MD5 570975d9b56607c9ef053a7acdb6e71f
  SHA1 e23902be991e788130a868f93c58b4a687d8232e
  SHA256 3155bcbd277e2d3d01b35dd7a17ae33bd4d36920072e90cd2dd5d52e90b20fd3
  SHA512 662ca5eaaa450c53aefa9db41441c53e1fb9aa8829c6308dd79212cdab590a32f70f983de0b395307b5e7fc4d3b6ad3875bb4dde3d59870e66a4f41a078a9575
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk (1022B)
  MD5 e8d64d301906c134b17c4047851915da
  SHA1 3c9364e09abf4ec04477807ad8a00b307f58380c
  SHA256 b3d019fddd107e30707f6f108af051d49a455abf7c8e8f9e4b49ffa032f0be22
  SHA512 7c5daa8923576b6649d45c65b019d1f68dab36d44ace83756106447404927a809dbfd9309ffc4d776c30c2c5de3fe2b8de4677a8e5ad4ba2cf8d3287b4a92cf4
- C:\Users\Admin\AppData\Roaming\Payload.exe (26KB)
  MD5 966a59574a110ede5ff4e489d278773a
  SHA1 427b1088d83cd7528a7e13d81a9688ce6c2b5261
  SHA256 940ae678064a838a8d85e539ab8a99e83b64d7337742d3180cb8c730808f9d5c
  SHA512 480522397f317f6a1430c79025417297e0a6c095cbc83543dc31ee4ae17e482bbd8d2b12733bd39531668f16e23c38411b289b5c18cf0544a1d3b9fbe81a2b30
- \Users\Admin\AppData\Local\Temp\CustomEXE.exe (1.6MB)
  MD5 228a69dc15032fd0fb7100ff8561185e
  SHA1 f8dbc89fed8078da7f306cb78b92ce04a0bdeb00
  SHA256 920bec9d500f6446b84399ab4c84858d0f0d7d1abb2e0377399ebbc4bafad709
  SHA512 373621c4743fa72571b3c8375aa6f7852303a821558b016b002d2af07154787d978f66696db89eeed8fe41f4aed5d66b690d4f87469939f9b1dea2ac2b9101f1
- \Users\Admin\AppData\Local\Temp\dcfb00f9-5ae7-4197-ba59-e48107e40d35\GunaDotNetRT.dll (136KB)
  MD5 9af5eb006bb0bab7f226272d82c896c7
  SHA1 c2a5bb42a5f08f4dc821be374b700652262308f0
  SHA256 77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db
  SHA512 7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a
- \Users\Admin\AppData\Local\Temp\paylod.exe (26KB)
  MD5 966a59574a110ede5ff4e489d278773a
  SHA1 427b1088d83cd7528a7e13d81a9688ce6c2b5261
  SHA256 940ae678064a838a8d85e539ab8a99e83b64d7337742d3180cb8c730808f9d5c
  SHA512 480522397f317f6a1430c79025417297e0a6c095cbc83543dc31ee4ae17e482bbd8d2b12733bd39531668f16e23c38411b289b5c18cf0544a1d3b9fbe81a2b30
- \Users\Admin\AppData\Roaming\Payload.exe (26KB)
  MD5 966a59574a110ede5ff4e489d278773a
  SHA1 427b1088d83cd7528a7e13d81a9688ce6c2b5261
  SHA256 940ae678064a838a8d85e539ab8a99e83b64d7337742d3180cb8c730808f9d5c
  SHA512 480522397f317f6a1430c79025417297e0a6c095cbc83543dc31ee4ae17e482bbd8d2b12733bd39531668f16e23c38411b289b5c18cf0544a1d3b9fbe81a2b30
Memory dumps
- memory/1004-64-0x0000000001140000-0x000000000114C000-memory.dmp (48KB)
- memory/1004-57-0x0000000000000000-mapping.dmp
- memory/1680-80-0x0000000000090000-0x000000000009C000-memory.dmp (48KB)
- memory/1680-76-0x0000000000000000-mapping.dmp
- memory/1692-79-0x0000000000000000-mapping.dmp
- memory/1764-73-0x0000000000C67000-0x0000000000C78000-memory.dmp (68KB)
- memory/1764-72-0x0000000074240000-0x0000000074277000-memory.dmp (220KB)
- memory/1764-61-0x0000000000000000-mapping.dmp
- memory/1764-71-0x00000000754D0000-0x0000000075550000-memory.dmp (512KB)
- memory/1764-69-0x0000000004F70000-0x0000000005162000-memory.dmp (1.9MB)
- memory/1764-66-0x0000000000ED0000-0x000000000107C000-memory.dmp (1.7MB)
- memory/1764-84-0x0000000074240000-0x0000000074277000-memory.dmp (220KB)
- memory/1932-65-0x0000000074FB0000-0x000000007555B000-memory.dmp (5.7MB)
- memory/1932-54-0x0000000076181000-0x0000000076183000-memory.dmp (8KB)