Analysis
  max time kernel:   150s
  max time network:  152s
  platform:          windows7_x64
  resource:          win7-20230220-en
  resource tags:     arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  submitted:         26-03-2023 13:57
Behavioral tasks
  behavioral1:  Sample 706fd9eb22adac23c973248375c50a02.exe   Resource win7-20230220-en
  behavioral2:  Sample 706fd9eb22adac23c973248375c50a02.exe   Resource win10v2004-20230220-en
General
  Target:   706fd9eb22adac23c973248375c50a02.exe
  Size:     27KB
  MD5:      706fd9eb22adac23c973248375c50a02
  SHA1:     a2eb4719961cebca7a1e0ede2397c7e11e91a068
  SHA256:   3d8b2bc3fdba588bad1e6ee74050de7a31e386088636bbedf72f2285d3dc819f
  SHA512:   1e513b057abcebd61a5c808f026afeb16119172d8cde4e04a6d79997baa295c941a8594d0c39f1817117bbb94dba9c36f5a4bd81e123ab9fd0527bd6fadc42bf
  SSDEEP:   384:hLOlYHHeIYTzJRcbg8iEPrthZMVAQk93vmhm7UMKmIEecKdbXTzm9bVhca66Zr6s:B2ZxJm8VA/vMHTi9bD
Malware Config
Extracted
  Family:       njrat
  Version:      v2.0
  Campaign ID:  HacKed
  C2:           bob541882.e2.luyouxia.net:20192
  Name:         Windows   (unlabelled in the sandbox output; matches the dropped Windows.exe and the Run value name below)
  reg_key:      Windows
  splitter:     |-F-|
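The extracted splitter and C2 are the hooks a network analyst wants from this config. njRAT frames each TCP message as the decimal payload length, a NUL byte, then the payload, with the fields inside the payload separated by a per-build splitter; this build uses |-F-| rather than the default |'|'|. The Python below is an added example written for this page, not code from the sample, the sandbox, or the njRAT project: it frames and parses messages with this sample's splitter, handles a frame cut across TCP segments, and decodes the registration beacon under the commonly documented field layout. That layout is assumed to hold for this v2.0 build, and the host details it builds (volume serial, hostname, user, date, OS string) are constructed test data.

```python
"""njRAT C2 framing and splitter parsing (added example, not sandbox or sample code)."""
import base64

# Values extracted from this sample by the sandbox (see Malware Config above).
SPLITTER = b"|-F-|"
C2_HOST, C2_PORT = "bob541882.e2.luyouxia.net", 20192
CAMPAIGN = "HacKed"


def frame(fields):
    """Wrap a list of byte fields the way njRAT does: '<decimal length>\\x00<payload>',
    with the fields joined by the build's splitter."""
    payload = SPLITTER.join(fields)
    return str(len(payload)).encode() + b"\x00" + payload


def parse_stream(buf):
    """Pull every complete frame out of a TCP byte buffer.

    Returns (frames, remainder): frames is a list of field lists, remainder is the
    unconsumed tail (a frame cut across segments is left there to wait for more data).
    A length prefix that is not pure ASCII digits is rejected as not-njRAT."""
    frames = []
    while True:
        nul = buf.find(b"\x00")
        if nul < 0:
            return frames, buf
        head = buf[:nul]
        if not head.isdigit():
            raise ValueError("length prefix is not decimal: %r" % head)
        start, length = nul + 1, int(head)
        if len(buf) < start + length:
            return frames, buf            # partial frame: keep buffering
        frames.append(buf[start:start + length].split(SPLITTER))
        buf = buf[start + length:]


def build_registration(volume_serial, hostname, user, install_date, os_name, version="v2.0"):
    """Construct an 'll' registration beacon. Field order follows the commonly documented
    njRAT 0.7d layout and is assumed to hold for this v2.0 build; every host detail
    passed in is constructed test data."""
    victim_id = base64.b64encode(("%s_%s" % (CAMPAIGN, volume_serial)).encode())
    fields = [b"ll", victim_id, hostname.encode(), user.encode(), install_date.encode(),
              b"", os_name.encode(), b"No", version.encode(), b"..",
              base64.b64encode(b"")]       # last field: base64 of the active window title
    return frame(fields)


def decode_registration(fields):
    """Recover campaign ID, volume serial and host details from an 'll' beacon."""
    if len(fields) < 9 or fields[0] != b"ll":
        return None
    campaign, _, serial = base64.b64decode(fields[1]).decode().partition("_")
    return {"campaign": campaign, "volume_serial": serial,
            "hostname": fields[2].decode(), "user": fields[3].decode(),
            "os": fields[6].decode(), "version": fields[8].decode()}


def looks_like_njrat(segment):
    """Cheap triage check for a captured TCP payload: well-formed length framing plus
    this build's splitter. Pair it with a match on the extracted C2 host:port."""
    try:
        frames, _ = parse_stream(segment)
    except ValueError:
        return False
    return any(len(f) > 1 for f in frames)


if __name__ == "__main__":
    beacon = build_registration("A1B2C3D4", "WIN-7-SANDBOX", "Admin", "23-03-26", "Win 7 Ultimate SP1 x64")
    frames, rest = parse_stream(beacon)
    print(decode_registration(frames[0]), "->", C2_HOST, C2_PORT)
```

The splitter is the cheapest content match for a network signature on this build, but it is per-build: a sample rebuilt with another splitter will not match, so key the rule on the length-NUL framing and the C2 host as well.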
Signatures

Drops startup file  4 IoCs
  Processes: 360.exe, 706fd9eb22adac23c973248375c50a02.exe
  description                   ioc                                                                                      process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe  360.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe  360.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk  706fd9eb22adac23c973248375c50a02.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk  360.exe
Executes dropped EXE  1 IoCs
  Processes: 360.exe
  pid   process
  1536  360.exe
Loads dropped DLL  1 IoCs
  Processes: 706fd9eb22adac23c973248375c50a02.exe
  pid   process
  1236  706fd9eb22adac23c973248375c50a02.exe
Adds Run key to start application  2 TTPs  5 IoCs
  Processes: 360.exe, 706fd9eb22adac23c973248375c50a02.exe
  description      ioc                                                                                                                                                                     process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"   360.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"                                  360.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\360.exe"                                    706fd9eb22adac23c973248375c50a02.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"  360.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"                                 360.exe
  Note: the dropper writes Windows2 pointing straight at 360.exe; every value written by 360.exe points at the Templates\Windows.URL shortcut instead of an .exe, in both the user hive and HKLM\SOFTWARE\Wow6432Node.
Enumerates physical storage devices  1 TTPs
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches its canned note "Likely ransomware behaviour" to this signature; for this sample, which the extracted config identifies as njRAT, read it as generic drive enumeration, not as a ransomware verdict.
Suspicious use of AdjustPrivilegeToken  21 IoCs
  Processes: 360.exe
  description                        pid   process
  Token: SeDebugPrivilege            1536  360.exe
  Token: 33                          1536  360.exe   (10 occurrences, alternating with the next entry)
  Token: SeIncBasePriorityPrivilege  1536  360.exe   (10 occurrences)
Suspicious use of WriteProcessMemory  8 IoCs
  Processes: 706fd9eb22adac23c973248375c50a02.exe
  description                        pid   process                                target process
  PID 1236 wrote to memory of 1536   1236  706fd9eb22adac23c973248375c50a02.exe   360.exe      (4 occurrences)
  PID 1236 wrote to memory of 628    1236  706fd9eb22adac23c973248375c50a02.exe   attrib.exe   (4 occurrences)
Views/modifies file attributes  1 TTPs  1 IoCs
  (attrib.exe, PID 628; see the process tree below)

Processes

1. C:\Users\Admin\AppData\Local\Temp\706fd9eb22adac23c973248375c50a02.exe  (PID 1236)
   command line: "C:\Users\Admin\AppData\Local\Temp\706fd9eb22adac23c973248375c50a02.exe"
   - Drops startup file
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\360.exe  (PID 1536, child of 1236)
      command line: "C:\Users\Admin\AppData\Roaming\360.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\attrib.exe  (PID 628, child of 1236)
      command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\360.exe"
      - Views/modifies file attributes
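The process tree shows a two-stage persistence setup: the dropper writes a copy of itself to C:\Users\Admin\AppData\Roaming\360.exe, hides it with attrib +h +r +s, and spawns it; both stages then write Run values, with the second stage pointing them at a Templates\Windows.URL shortcut and also placing Windows.exe in the per-user Startup folder. As an added example (not the sandbox's or the sample's code), the Python below runs three detection rules over constructed Sysmon-style events built from those IoCs, with two benign control events to show the rules do not fire on ordinary Run keys or attrib use. The field names EventID, Image, ParentImage, CommandLine, TargetObject, Details and TargetFilename are assumed to follow Sysmon's schema.

```python
"""Host-side detection logic for the persistence pattern in this report
(added example; Sysmon-style event field names are assumed)."""
import re

# Events constructed from the IoCs above (not a real log capture); the last two are benign controls.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Roaming\360.exe",
     "TargetObject": r"HKU\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows",
     "Details": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL"},
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Temp\706fd9eb22adac23c973248375c50a02.exe",
     "TargetObject": r"HKU\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2",
     "Details": r"C:\Users\Admin\AppData\Roaming\360.exe"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\attrib.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\706fd9eb22adac23c973248375c50a02.exe",
     "CommandLine": r'attrib +h +r +s "C:\Users\Admin\AppData\Roaming\360.exe"'},
    {"EventID": 11, "Image": r"C:\Users\Admin\AppData\Roaming\360.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\attrib.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"attrib -r C:\build\out.txt"},
]

# Matches both the user hive and HKLM\SOFTWARE\Wow6432Node Run values seen in this report.
RUN_VALUE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
SHORTCUT = re.compile(r"\.(url|lnk)$", re.I)


def run_value_indirect_or_appdata(ev):
    """Run value whose data is a .URL/.lnk shortcut or lives under a user's AppData.
    Catches this sample's Windows.URL indirection as well as the direct 360.exe path."""
    if ev.get("EventID") != 13 or not RUN_VALUE.search(ev.get("TargetObject", "")):
        return False
    data = ev.get("Details", "").strip('"')
    return bool(SHORTCUT.search(data) or USER_WRITABLE.search(data))


def attrib_hides_appdata_file(ev):
    """attrib.exe setting +h and +s on a file under AppData (+r, as here, is incidental)."""
    if ev.get("EventID") != 1 or not ev.get("Image", "").lower().endswith("\\attrib.exe"):
        return False
    cmd = ev.get("CommandLine", "")
    switches = {tok.lower() for tok in cmd.split() if tok.startswith("+")}
    return {"+h", "+s"} <= switches and bool(USER_WRITABLE.search(cmd))


def startup_folder_drop(ev):
    """Executable or shortcut written into a per-user Startup folder."""
    return ev.get("EventID") == 11 and bool(STARTUP_DIR.search(ev.get("TargetFilename", "")))


RULES = {
    "run_value_indirect_or_appdata": run_value_indirect_or_appdata,
    "attrib_hides_appdata_file": attrib_hides_appdata_file,
    "startup_folder_drop": startup_folder_drop,
}


def scan(events):
    """Return (rule name, acting image) for every event that matches a rule."""
    return [(name, ev.get("Image")) for ev in events for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The Run-value rule deliberately flags shortcut targets: a .URL or .lnk as autorun data is unusual for legitimate software and is what lets this sample keep its Run values pointing away from the hidden executable.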
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\360.exe
  Filesize  27KB
  MD5       706fd9eb22adac23c973248375c50a02
  SHA1      a2eb4719961cebca7a1e0ede2397c7e11e91a068
  SHA256    3d8b2bc3fdba588bad1e6ee74050de7a31e386088636bbedf72f2285d3dc819f
  SHA512    1e513b057abcebd61a5c808f026afeb16119172d8cde4e04a6d79997baa295c941a8594d0c39f1817117bbb94dba9c36f5a4bd81e123ab9fd0527bd6fadc42bf
  (hashes identical to the submitted sample: the dropper writes a byte-for-byte copy of itself)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe
  Filesize  27KB
  MD5       706fd9eb22adac23c973248375c50a02
  SHA1      a2eb4719961cebca7a1e0ede2397c7e11e91a068
  SHA256    3d8b2bc3fdba588bad1e6ee74050de7a31e386088636bbedf72f2285d3dc819f
  SHA512    1e513b057abcebd61a5c808f026afeb16119172d8cde4e04a6d79997baa295c941a8594d0c39f1817117bbb94dba9c36f5a4bd81e123ab9fd0527bd6fadc42bf
  (hashes identical to the submitted sample)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
  Filesize  1KB
  MD5       9e76acfa573d75b91c37b714c5780ab6
  SHA1      00f4341fa084fe3dac74b00c123e7d0f5dd199e9
  SHA256    e2df3f1fbc3fb40fc8ce65eff88800bb53e30dde9e883e03252ed007163cef52
  SHA512    449adfbe0b381054bbd4bf6c13dd4a67e613b4a0cffd3fec95c6db4c0d761cb7c84135c486119d91c217a0eaf68d66d789fb83e63ed81581b473414ecc5f4eff
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
  Filesize  1018B
  MD5       ea0e0f73c1109cd089b5e0d53bbb838c
  SHA1      d4437b531ba76dc1c96bbbdb9a5a60154b5f8a41
  SHA256    83c1274c7d9fa97ab4f2eef6f47df0dca651cc8bca9bc0d8b7da77343778730d
  SHA512    16477e4d10a1f1c602266e04d81f4c5b6b838829807972377be2bc131c7c01c824d6968382385571959fd7c202006e77e2ef042b96b05225d45ae08aeb512dd6
-
\Users\Admin\AppData\Roaming\360.exe
  Filesize  27KB
  MD5       706fd9eb22adac23c973248375c50a02
  SHA1      a2eb4719961cebca7a1e0ede2397c7e11e91a068
  SHA256    3d8b2bc3fdba588bad1e6ee74050de7a31e386088636bbedf72f2285d3dc819f
  SHA512    1e513b057abcebd61a5c808f026afeb16119172d8cde4e04a6d79997baa295c941a8594d0c39f1817117bbb94dba9c36f5a4bd81e123ab9fd0527bd6fadc42bf
  (same file as C:\Users\Admin\AppData\Roaming\360.exe above, recorded with a drive-relative path)
-
memory/1236-56-0x0000000000A60000-0x0000000000AA0000-memory.dmp
  Filesize  256KB
-
memory/1536-68-0x0000000000520000-0x0000000000560000-memory.dmp
  Filesize  256KB
-
memory/1536-70-0x0000000000520000-0x0000000000560000-memory.dmp
  Filesize  256KB