Analysis
Max time kernel: 150s
Max time network: 34s
Platform: windows7_x64
Resource: win7-20230220-en
Resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
Submitted: 24-03-2023 20:38
Static task: static1
Behavioral task: behavioral1 (sample: sample.exe, resource: win7-20230220-en)
Behavioral task: behavioral2 (sample: sample.exe, resource: win10v2004-20230220-en)
General
Target: sample.exe
Size: 4.6MB
MD5: 7e8ba9fb61fa408145919b871075e1c9
SHA1: d166c427649f37085719c0591fb0b8da077dc0db
SHA256: 3577afb909325c2982c63bc78b6f888fa3e68ae29ca2c788afbb95bcd04feeaa
SHA512: 3be86970072d578cda053b4823075f5e3ec9600b16cb6073e4c0cb0b248547fb152521aedad2fbcdfdd6fac5cb3214e0ac2bd62337c702a07f4ae440ce6d80cf
SSDEEP: 49152:Op+gbAnNQKwjVqrtjMAg5myuPvD3ZOYWrKvn+V3peuTTpGT3s/Z4N+CKsoY0r:8
Malware Config
Extracted
Family: njrat
Version: v2.0
Botnet (campaign ID): HacKed
C2: vesperiskindagoated.hopto.org:5552
Mutex: WSecurityKey
Attributes:
- reg_key: WSecurityKey
- splitter: |-F-|
Signatures

Drops startup file (5 IoCs)
Processes: paylod.exe, Payload.exe, attrib.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSecurityKey.lnk (paylod.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSecurityKey.lnk (Payload.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSecurityKey.exe (Payload.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSecurityKey.exe (Payload.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSecurityKey.exe (attrib.exe)

Executes dropped EXE (3 IoCs)
Processes (pid, process):
- 780 paylod.exe
- 688 Mercurial.exe
- 1112 Payload.exe

Loads dropped DLL (5 IoCs)
Processes (pid, process):
- 924 sample.exe (3 IoCs)
- 780 paylod.exe (2 IoCs)

Obfuscated with Agile.Net obfuscator (12 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Resources matching YARA rule agile_net:
- behavioral1/memory/688-76-0x00000000003D0000-0x00000000003EC000-memory.dmp
- behavioral1/memory/688-77-0x00000000003F0000-0x0000000000410000-memory.dmp
- behavioral1/memory/688-78-0x00000000005C0000-0x00000000005E0000-memory.dmp
- behavioral1/memory/688-79-0x0000000004BF0000-0x0000000004C30000-memory.dmp
- behavioral1/memory/688-80-0x00000000005E0000-0x00000000005F0000-memory.dmp
- behavioral1/memory/688-81-0x0000000000680000-0x0000000000694000-memory.dmp
- behavioral1/memory/688-82-0x0000000002270000-0x00000000022DE000-memory.dmp
- behavioral1/memory/688-83-0x0000000000960000-0x000000000097E000-memory.dmp
- behavioral1/memory/688-84-0x00000000043E0000-0x0000000004416000-memory.dmp
- behavioral1/memory/688-85-0x0000000004470000-0x000000000447E000-memory.dmp
- behavioral1/memory/688-86-0x0000000004480000-0x000000000448E000-memory.dmp
- behavioral1/memory/688-87-0x0000000004F10000-0x000000000505A000-memory.dmp

Adds Run key to start application (2 TTPs, 5 IoCs)
Processes: paylod.exe, Payload.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\WSecurityKey2 = "C:\\Users\\Admin\\AppData\\Roaming\\Payload.exe" (paylod.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\WSecurityKey2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\WSecurityKey.URL" (Payload.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WSecurityKey2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\WSecurityKey.URL" (Payload.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\WSecurityKey = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\WSecurityKey.URL" (Payload.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WSecurityKey = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\WSecurityKey.URL" (Payload.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes (pid, process):
- 688 Mercurial.exe (8 IoCs)

Suspicious use of AdjustPrivilegeToken (22 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 688 Mercurial.exe
- Token: SeDebugPrivilege, 1112 Payload.exe
- Token: 33, 1112 Payload.exe (10 IoCs, alternating with the next entry)
- Token: SeIncBasePriorityPrivilege, 1112 Payload.exe (10 IoCs)

Suspicious use of WriteProcessMemory (24 IoCs)
Processes (pid, process, target process):
- PID 924 sample.exe wrote to memory of 780 paylod.exe (4 IoCs)
- PID 924 sample.exe wrote to memory of 688 Mercurial.exe (4 IoCs)
- PID 780 paylod.exe wrote to memory of 1112 Payload.exe (4 IoCs)
- PID 780 paylod.exe wrote to memory of 1064 attrib.exe (4 IoCs)
- PID 1112 Payload.exe wrote to memory of 752 attrib.exe (4 IoCs)
- PID 1112 Payload.exe wrote to memory of 1236 attrib.exe (4 IoCs)

Views/modifies file attributes (1 TTPs, 3 IoCs)
Processes (pid, process):
- 1064 attrib.exe
- 752 attrib.exe
- 1236 attrib.exe
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\sample.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\paylod.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\paylod.exe"
      - Drops startup file
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Payload.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Payload.exe"
          - Drops startup file
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\attrib.exe
              Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSecurityKey.exe"
              - Drops startup file
              - Views/modifies file attributes

            C:\Windows\SysWOW64\attrib.exe
              Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WSecurityKey.exe"
              - Views/modifies file attributes

        C:\Windows\SysWOW64\attrib.exe
          Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Payload.exe"
          - Views/modifies file attributes

    C:\Users\Admin\AppData\Local\Temp\Mercurial.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Mercurial.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Mercurial.exe
  Filesize: 3.2MB
  MD5: a9477b3e21018b96fc5d2264d4016e65
  SHA1: 493fa8da8bf89ea773aeb282215f78219a5401b7
  SHA256: 890fd59af3370e2ce12e0d11916d1ad4ee9b9c267c434347dbed11e9572e8645
  SHA512: 66529a656865400fe37d40ae125a1d057f8be5aa17da80d367ebbe1a9dcea38f5174870d0dc5b56771f6ca5a13e2fad22d803f5357f3ef59a46e3bdf0cc5ee9c
- C:\Users\Admin\AppData\Local\Temp\paylod.exe
  Filesize: 26KB
  MD5: 43bcd1fc21d211f63d3bc96d870a3a81
  SHA1: edeb0193808d4fe309cbd5e2c8a7e61d5b2e5c40
  SHA256: fc3f42e235d5338bd7b45b834c16f26345ad57a530e485b8f8dd3fafe78951dd
  SHA512: 4dd20fbb7b91d1f2abed8721cb439fcda075ee079964e4f0dafbb6b62dc2ab87736e01d63b86efc62e5f74a42db648ed7be3a6540048f6791402a4b12a7ed942
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSecurityKey.exe
  Filesize: 26KB
  MD5: 43bcd1fc21d211f63d3bc96d870a3a81
  SHA1: edeb0193808d4fe309cbd5e2c8a7e61d5b2e5c40
  SHA256: fc3f42e235d5338bd7b45b834c16f26345ad57a530e485b8f8dd3fafe78951dd
  SHA512: 4dd20fbb7b91d1f2abed8721cb439fcda075ee079964e4f0dafbb6b62dc2ab87736e01d63b86efc62e5f74a42db648ed7be3a6540048f6791402a4b12a7ed942
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSecurityKey.lnk
  Filesize: 1KB
  MD5: 1b1cb327e9904967b7bdb8e1d988cf8a
  SHA1: a48b02dc1ef55d592772d05a2ff5ade1a522ea9b
  SHA256: 8826549ce42181fb7a05759da14509caf2d84cb449f069e286d69381dfd22320
  SHA512: fdad1e495d6130e2d91a738ed145f413f0fd5a053ea1cd345f48718e951c0196a772f481c17f5e17f0b05a87115faa16d7bf7795cf9b180374ff27c0944432fd
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WSecurityKey.lnk
  Filesize: 1KB
  MD5: 01751f808bc17e687be639e39dd3e9f5
  SHA1: a307030d8ec4bd46661a04bc9c12e549f3f88f1b
  SHA256: 311e6f4e3832052fb5fdd981e438aed8d2c40ead581878402a680ce4096ccc6d
  SHA512: 487d43dca7998eeabca4efa89ddd774b1e3430ed73e5b6f5403dc4ee4dd3c113d20e74ea7173f85555f46e3fb4fc73f83d4c7939537603bc2944ccb4ca176a3d
- C:\Users\Admin\AppData\Roaming\Payload.exe
  Filesize: 26KB
  MD5: 43bcd1fc21d211f63d3bc96d870a3a81
  SHA1: edeb0193808d4fe309cbd5e2c8a7e61d5b2e5c40
  SHA256: fc3f42e235d5338bd7b45b834c16f26345ad57a530e485b8f8dd3fafe78951dd
  SHA512: 4dd20fbb7b91d1f2abed8721cb439fcda075ee079964e4f0dafbb6b62dc2ab87736e01d63b86efc62e5f74a42db648ed7be3a6540048f6791402a4b12a7ed942
- \Users\Admin\AppData\Local\Temp\Mercurial.exe
  Filesize: 3.2MB
  MD5: a9477b3e21018b96fc5d2264d4016e65
  SHA1: 493fa8da8bf89ea773aeb282215f78219a5401b7
  SHA256: 890fd59af3370e2ce12e0d11916d1ad4ee9b9c267c434347dbed11e9572e8645
  SHA512: 66529a656865400fe37d40ae125a1d057f8be5aa17da80d367ebbe1a9dcea38f5174870d0dc5b56771f6ca5a13e2fad22d803f5357f3ef59a46e3bdf0cc5ee9c
- \Users\Admin\AppData\Local\Temp\paylod.exe
  Filesize: 26KB
  MD5: 43bcd1fc21d211f63d3bc96d870a3a81
  SHA1: edeb0193808d4fe309cbd5e2c8a7e61d5b2e5c40
  SHA256: fc3f42e235d5338bd7b45b834c16f26345ad57a530e485b8f8dd3fafe78951dd
  SHA512: 4dd20fbb7b91d1f2abed8721cb439fcda075ee079964e4f0dafbb6b62dc2ab87736e01d63b86efc62e5f74a42db648ed7be3a6540048f6791402a4b12a7ed942
- \Users\Admin\AppData\Roaming\Payload.exe
  Filesize: 26KB
  MD5: 43bcd1fc21d211f63d3bc96d870a3a81
  SHA1: edeb0193808d4fe309cbd5e2c8a7e61d5b2e5c40
  SHA256: fc3f42e235d5338bd7b45b834c16f26345ad57a530e485b8f8dd3fafe78951dd
  SHA512: 4dd20fbb7b91d1f2abed8721cb439fcda075ee079964e4f0dafbb6b62dc2ab87736e01d63b86efc62e5f74a42db648ed7be3a6540048f6791402a4b12a7ed942
Memory dumps (resource, filesize):
- memory/688-75-0x00000000009A0000-0x0000000000CDA000-memory.dmp: 3.2MB
- memory/688-80-0x00000000005E0000-0x00000000005F0000-memory.dmp: 64KB
- memory/688-82-0x0000000002270000-0x00000000022DE000-memory.dmp: 440KB
- memory/688-83-0x0000000000960000-0x000000000097E000-memory.dmp: 120KB
- memory/688-84-0x00000000043E0000-0x0000000004416000-memory.dmp: 216KB
- memory/688-85-0x0000000004470000-0x000000000447E000-memory.dmp: 56KB
- memory/688-86-0x0000000004480000-0x000000000448E000-memory.dmp: 56KB
- memory/688-87-0x0000000004F10000-0x000000000505A000-memory.dmp: 1.3MB
- memory/688-88-0x0000000005310000-0x0000000005426000-memory.dmp: 1.1MB
- memory/688-89-0x00000000044A0000-0x00000000044D0000-memory.dmp: 192KB
- memory/688-90-0x0000000005140000-0x0000000005148000-memory.dmp: 32KB
- memory/688-91-0x0000000004BF0000-0x0000000004C30000-memory.dmp: 256KB
- memory/688-92-0x0000000004BF0000-0x0000000004C30000-memory.dmp: 256KB
- memory/688-81-0x0000000000680000-0x0000000000694000-memory.dmp: 80KB
- memory/688-79-0x0000000004BF0000-0x0000000004C30000-memory.dmp: 256KB
- memory/688-78-0x00000000005C0000-0x00000000005E0000-memory.dmp: 128KB
- memory/688-77-0x00000000003F0000-0x0000000000410000-memory.dmp: 128KB
- memory/688-76-0x00000000003D0000-0x00000000003EC000-memory.dmp: 112KB
- memory/688-114-0x0000000004BF0000-0x0000000004C30000-memory.dmp: 256KB
- memory/688-107-0x0000000004BF0000-0x0000000004C30000-memory.dmp: 256KB
- memory/688-108-0x0000000004BF0000-0x0000000004C30000-memory.dmp: 256KB
- memory/688-109-0x0000000004BF0000-0x0000000004C30000-memory.dmp: 256KB
- memory/688-113-0x0000000004BF0000-0x0000000004C30000-memory.dmp: 256KB
- memory/688-112-0x0000000004BF0000-0x0000000004C30000-memory.dmp: 256KB
- memory/780-72-0x0000000000230000-0x0000000000270000-memory.dmp: 256KB
- memory/924-70-0x0000000002140000-0x0000000002180000-memory.dmp: 256KB