Analysis
-
max time kernel
150s
-
max time network
150s
-
platform
windows7_x64
-
resource
win7-20230220-en
-
resource tags
arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
-
submitted
26-03-2023 13:56
Behavioral task
behavioral1
Sample
706fd9eb22adac23c973248375c50a02.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
706fd9eb22adac23c973248375c50a02.exe
Resource
win10v2004-20230220-en
General
-
Target
706fd9eb22adac23c973248375c50a02.exe
-
Size
27KB
-
MD5
706fd9eb22adac23c973248375c50a02
-
SHA1
a2eb4719961cebca7a1e0ede2397c7e11e91a068
-
SHA256
3d8b2bc3fdba588bad1e6ee74050de7a31e386088636bbedf72f2285d3dc819f
-
SHA512
1e513b057abcebd61a5c808f026afeb16119172d8cde4e04a6d79997baa295c941a8594d0c39f1817117bbb94dba9c36f5a4bd81e123ab9fd0527bd6fadc42bf
-
SSDEEP
384:hLOlYHHeIYTzJRcbg8iEPrthZMVAQk93vmhm7UMKmIEecKdbXTzm9bVhca66Zr6s:B2ZxJm8VA/vMHTi9bD
Malware Config
Extracted
Family
njrat
Version
v2.0
Botnet
HacKed
C2
bob541882.e2.luyouxia.net:20192
-
Windows
-
reg_key
Windows
-
splitter
|-F-|
Signatures
-
Drops startup file 4 IoCs
Processes: 706fd9eb22adac23c973248375c50a02.exe, 360.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | 706fd9eb22adac23c973248375c50a02.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | 360.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | 360.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | 360.exe
-
Executes dropped EXE 1 IoCs
Processes: 360.exe
pid | process
1148 | 360.exe
-
Loads dropped DLL 1 IoCs
Processes: 706fd9eb22adac23c973248375c50a02.exe
pid | process
1536 | 706fd9eb22adac23c973248375c50a02.exe
-
Adds Run key to start application 2 TTPs 5 IoCs
Processes: 360.exe, 706fd9eb22adac23c973248375c50a02.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | 360.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | 360.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | 360.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | 360.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\360.exe" | 706fd9eb22adac23c973248375c50a02.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
Processes: 360.exe
description | pid | process
Token: SeDebugPrivilege | 1148 | 360.exe
Token: 33 | 1148 | 360.exe
Token: SeIncBasePriorityPrivilege | 1148 | 360.exe
Token: 33 | 1148 | 360.exe
Token: SeIncBasePriorityPrivilege | 1148 | 360.exe
Token: 33 | 1148 | 360.exe
Token: SeIncBasePriorityPrivilege | 1148 | 360.exe
Token: 33 | 1148 | 360.exe
Token: SeIncBasePriorityPrivilege | 1148 | 360.exe
Token: 33 | 1148 | 360.exe
Token: SeIncBasePriorityPrivilege | 1148 | 360.exe
Token: 33 | 1148 | 360.exe
Token: SeIncBasePriorityPrivilege | 1148 | 360.exe
Token: 33 | 1148 | 360.exe
Token: SeIncBasePriorityPrivilege | 1148 | 360.exe
Token: 33 | 1148 | 360.exe
Token: SeIncBasePriorityPrivilege | 1148 | 360.exe
Token: 33 | 1148 | 360.exe
Token: SeIncBasePriorityPrivilege | 1148 | 360.exe
Token: 33 | 1148 | 360.exe
Token: SeIncBasePriorityPrivilege | 1148 | 360.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes: 706fd9eb22adac23c973248375c50a02.exe
description | pid | process | target process
PID 1536 wrote to memory of 1148 | 1536 | 706fd9eb22adac23c973248375c50a02.exe | 360.exe
PID 1536 wrote to memory of 1148 | 1536 | 706fd9eb22adac23c973248375c50a02.exe | 360.exe
PID 1536 wrote to memory of 1148 | 1536 | 706fd9eb22adac23c973248375c50a02.exe | 360.exe
PID 1536 wrote to memory of 1148 | 1536 | 706fd9eb22adac23c973248375c50a02.exe | 360.exe
PID 1536 wrote to memory of 520 | 1536 | 706fd9eb22adac23c973248375c50a02.exe | attrib.exe
PID 1536 wrote to memory of 520 | 1536 | 706fd9eb22adac23c973248375c50a02.exe | attrib.exe
PID 1536 wrote to memory of 520 | 1536 | 706fd9eb22adac23c973248375c50a02.exe | attrib.exe
PID 1536 wrote to memory of 520 | 1536 | 706fd9eb22adac23c973248375c50a02.exe | attrib.exe
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\706fd9eb22adac23c973248375c50a02.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\706fd9eb22adac23c973248375c50a02.exe"
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
Level 2 (child of the above): C:\Users\Admin\AppData\Roaming\360.exe
Command line: "C:\Users\Admin\AppData\Roaming\360.exe"
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
Level 2 (child of the above): C:\Windows\SysWOW64\attrib.exe
Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\360.exe"
- Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\360.exe
Filesize
27KB
MD5
706fd9eb22adac23c973248375c50a02
SHA1
a2eb4719961cebca7a1e0ede2397c7e11e91a068
SHA256
3d8b2bc3fdba588bad1e6ee74050de7a31e386088636bbedf72f2285d3dc819f
SHA512
1e513b057abcebd61a5c808f026afeb16119172d8cde4e04a6d79997baa295c941a8594d0c39f1817117bbb94dba9c36f5a4bd81e123ab9fd0527bd6fadc42bf
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe
Filesize
27KB
MD5
706fd9eb22adac23c973248375c50a02
SHA1
a2eb4719961cebca7a1e0ede2397c7e11e91a068
SHA256
3d8b2bc3fdba588bad1e6ee74050de7a31e386088636bbedf72f2285d3dc819f
SHA512
1e513b057abcebd61a5c808f026afeb16119172d8cde4e04a6d79997baa295c941a8594d0c39f1817117bbb94dba9c36f5a4bd81e123ab9fd0527bd6fadc42bf
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
Filesize
1KB
MD5
dd3535593739e11551f17d1500e20b6d
SHA1
fa402c26221db0f33466f6307f2d7678009fe216
SHA256
fa07af94df7e112e2b1a98b21b9875d31f0a2d3b4eaf26f8bb09a68ddec96412
SHA512
ef8d9a4d4dc3b0d28616d2f5a6d1184ef1b299582b92a2e241684bf7287830b0f756ac44f009e75949c0e085332630fba125967263b7718d452a0192a8ac9143
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
Filesize
1022B
MD5
fafa91b56438e898132c9934f0a1e21c
SHA1
d59ed37adedcf7d4e2fc505940e0d0c47532c4e6
SHA256
69204955dae3d93a28cfb75640301a6c8ebceb76c682a16df6149568ea7ad4ee
SHA512
cb88fb9d0c44c880e39ef3cfece8e81a433b89be398499ef88d1cb5b48e1035bccca51baf24c0f555509f60a644d49ee063fc857d6260121848e7b9ab4913183
-
\Users\Admin\AppData\Roaming\360.exe
Filesize
27KB
MD5
706fd9eb22adac23c973248375c50a02
SHA1
a2eb4719961cebca7a1e0ede2397c7e11e91a068
SHA256
3d8b2bc3fdba588bad1e6ee74050de7a31e386088636bbedf72f2285d3dc819f
SHA512
1e513b057abcebd61a5c808f026afeb16119172d8cde4e04a6d79997baa295c941a8594d0c39f1817117bbb94dba9c36f5a4bd81e123ab9fd0527bd6fadc42bf
-
memory/1148-68-0x0000000002130000-0x0000000002170000-memory.dmp
Filesize
256KB
-
memory/1148-70-0x0000000002130000-0x0000000002170000-memory.dmp
Filesize
256KB
-
memory/1536-56-0x00000000007F0000-0x0000000000830000-memory.dmp
Filesize
256KB