Analysis
Max time kernel: 154s
Max time network: 180s
Platform: windows7_x64
Resource: win7-20230220-en
Resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
Submitted: 31-03-2023 14:36
Behavioral task: behavioral1
Sample: 3D12A39E3A94131FC5CB7D5AD0A3AE94C94ED9F528A68.exe
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: 3D12A39E3A94131FC5CB7D5AD0A3AE94C94ED9F528A68.exe
Resource: win10v2004-20230220-en
General
Target: 3D12A39E3A94131FC5CB7D5AD0A3AE94C94ED9F528A68.exe
Size: 23KB
MD5: 540c26994ac206f56ced1ab9097edd71
SHA1: ac5b7b5d505d5ec226ee2ecad0e0aa256c080a26
SHA256: 3d12a39e3a94131fc5cb7d5ad0a3ae94c94ed9f528a68bcdbc50f1316860e157
SHA512: 8b0f653c5b547409f587b0440fd7d070f1b247be8562fdf9712479cf69c0d720cc19fc7a8850499de89c2588023e849c5647b4b27f54543c7d5e1c49388782cd
SSDEEP: 384:6QeCo2zmZbQHkJeCdUwBvQ61gjuQBnB9mRvR6JZlbw8hqIusZzZkD:l5yBVd7Rpcnud
Malware Config
Extracted
Family: njrat
Version: 0.7d
Campaign tag: HacKed
C2: cisco5319.ddns.net:1177
Mutex (label inferred; lost in extraction, value identical to reg_key): 22d454c9d4a86e192f7a5423970a5c83
reg_key: 22d454c9d4a86e192f7a5423970a5c83
splitter: |'|'|

Reading the config: the 32-hex reg_key is reused as the Run value name and as the file name of the Startup-folder copy (see Signatures), so one string ties the registry, file-system and mutex artefacts together. The C2 is a dynamic-DNS host on a non-standard port, so block and monitor by hostname rather than by IP. The splitter is the delimiter between fields on the wire and is the most stable network-level hook for this family.
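The splitter and C2 above are the network side of this sample. As an added example (not part of the sandbox report and not the malware's own code), the Python below parses njRAT-style length-prefixed frames with that splitter and pulls the campaign tag out of a registration frame. The decimal-length-then-NUL framing follows the family's documented wire format; the field order inside the 'll' frame and the sample stream are constructed assumptions and are marked as such in the code.

```python
"""Parse njRAT-style C2 frames using the splitter recovered from this sample.

Added example; not code from the sandbox report or from the malware author.
Taken from the extracted config: splitter |'|'|, C2 cisco5319.ddns.net:1177,
campaign tag HacKed. ASSUMPTIONS: the framing (decimal ASCII length, one NUL
byte, payload) follows the family's documented wire format, and the field
order inside the 'll' registration frame is illustrative only. The stream
below is constructed for the demonstration, not captured traffic.
"""
import base64
import binascii
from typing import List, Optional, Tuple

SPLITTER = b"|'|'|"                     # field delimiter, from the extracted config
C2 = ("cisco5319.ddns.net", 1177)       # from the extracted config

Frame = Tuple[str, List[bytes]]         # (command token, remaining fields)


def build_frame(*fields: bytes) -> bytes:
    """Encode one frame as <decimal length>NUL<fields joined by SPLITTER>."""
    payload = SPLITTER.join(fields)
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_frames(stream: bytes) -> List[Frame]:
    """Split a reassembled TCP stream into (command, fields) tuples.

    Stops at the first malformed length prefix or truncated body instead of
    guessing, so a partial capture yields only the complete frames.
    """
    frames: List[Frame] = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1 or not stream[pos:nul].isdigit():
            break
        length = int(stream[pos:nul])
        start, end = nul + 1, nul + 1 + length
        if end > len(stream):
            break                                    # truncated frame
        parts = stream[start:end].split(SPLITTER)
        frames.append((parts[0].decode("latin-1"), parts[1:]))
        pos = end
    return frames


def maybe_b64(field: bytes) -> str:
    """Decode a field as base64 when it is valid base64, else return it as text."""
    try:
        return base64.b64decode(field, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return field.decode("latin-1", errors="replace")


def campaign_from_registration(frames: List[Frame]) -> Optional[str]:
    """Return the campaign tag from the first 'll' (registration) frame.

    ASSUMPTION for this example: the victim id is the first field of the 'll'
    frame, base64-encoded as '<campaign>_<hwid>'. Check the offset against a
    real capture before relying on it.
    """
    for cmd, fields in frames:
        if cmd == "ll" and fields:
            return maybe_b64(fields[0]).split("_", 1)[0]
    return None


# Constructed stream: one registration frame, then a bare keepalive frame.
SAMPLE_STREAM = build_frame(
    b"ll", base64.b64encode(b"HacKed_0A1B2C3D"), b"WIN7-PC", b"Admin", b"0.7d", b""
) + build_frame(b"P")

if __name__ == "__main__":
    parsed = parse_frames(SAMPLE_STREAM)
    for cmd, fields in parsed:
        print(cmd, [maybe_b64(f) for f in fields])
    print("campaign:", campaign_from_registration(parsed), "c2:", "%s:%d" % C2)
```

The parser refuses to emit a frame whose body is shorter than its declared length; on a real stream that is the difference between a clean cut at the last complete frame and mis-aligned garbage for the rest of the session.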
Signatures

Modifies Windows Firewall (1 TTP, 1 IoC)
  See the netsh.exe child process under Processes.

Drops startup file (2 IoCs)
  Process: csrss.exe
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22d454c9d4a86e192f7a5423970a5c83.exe
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22d454c9d4a86e192f7a5423970a5c83.exe

Executes dropped EXE (1 IoC)
  PID 308: csrss.exe

Loads dropped DLL (1 IoC)
  PID 628: 3D12A39E3A94131FC5CB7D5AD0A3AE94C94ED9F528A68.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: csrss.exe (registry data shown unescaped)
    Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\22d454c9d4a86e192f7a5423970a5c83 = "C:\Users\Admin\AppData\Roaming\csrss.exe" ..
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\22d454c9d4a86e192f7a5423970a5c83 = "C:\Users\Admin\AppData\Roaming\csrss.exe" ..
  The trailing " .." after the quoted path is characteristic of this family's Run entries and is a cheap, specific hunting string. The HKLM write lands under Wow6432Node because the process is 32-bit on an x64 host.

Enumerates physical storage devices (1 TTP)
  Sandbox description: attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Caveat: that text is the generic description attached to this signature, not a finding about this sample. Nothing else in the run supports a ransomware reading (the only file writes are the self-copy and the Startup entry), and the config extractor classifies the sample as njRAT; treat the drive enumeration in that context.

Suspicious use of AdjustPrivilegeToken (17 IoCs)
  Process: csrss.exe (PID 308)
    SeDebugPrivilege (once)
    Token 33 and SeIncBasePriorityPrivilege, alternating, 8 times each
  The sandbox reports privilege 33 by LUID only; in winnt.h LUID 33 is SeIncreaseWorkingSetPrivilege.

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 628 (3D12A39E3A94131FC5CB7D5AD0A3AE94C94ED9F528A68.exe) wrote to memory of PID 308 (csrss.exe): 4 times
  PID 308 (csrss.exe) wrote to memory of PID 576 (netsh.exe): 4 times
  Caveat: in both cases the writer is the parent of the target and the writes occur at process creation, which is the normal pattern for a parent setting up a newly created child. On its own this IoC is not evidence of code injection.
Processes

1. C:\Users\Admin\AppData\Local\Temp\3D12A39E3A94131FC5CB7D5AD0A3AE94C94ED9F528A68.exe (PID 628)
   Command line: "C:\Users\Admin\AppData\Local\Temp\3D12A39E3A94131FC5CB7D5AD0A3AE94C94ED9F528A68.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\csrss.exe (PID 308)
      Command line: "C:\Users\Admin\AppData\Roaming\csrss.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe (PID 576)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\csrss.exe" "csrss.exe" ENABLE
         - Modifies Windows Firewall

The chain is: submitted sample copies itself to %APPDATA%\csrss.exe (a name borrowed from the legitimate Client/Server Runtime process, which lives only in System32), launches the copy, and the copy persists via the Startup folder and two Run keys, then uses the legacy netsh firewall context to whitelist itself. The SysWOW64 netsh path confirms a 32-bit process running under WOW64.
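Each step of the chain above leaves a distinct, cheap-to-match artefact. As an added example (not part of the sandbox output), the Python below encodes those artefacts as rules over Sysmon-style process-create, file-create and registry-set events and reports only binaries that trip two or more of them, which keeps a lone Run entry or a lone netsh call from paging anyone. The EVENTS list is constructed to mirror this report's process tree and IoCs, plus two benign decoys; it is not real telemetry.

```python
"""Flag the njRAT persistence chain from this report in Sysmon-style telemetry.

Added example; not part of the sandbox output. The rules encode the behaviours
listed above: a Run value named with a 32-hex id whose data is "<path>" .. ,
an .exe with the same id dropped in the Startup folder, a netsh firewall
allowedprogram exception for the dropped binary, and a csrss.exe running from
outside System32/SysWOW64. EVENTS below are constructed to mirror the report
(field names follow Sysmon EventID 1, 11 and 13); they are not real telemetry.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, Set

HEX32 = r"[0-9a-f]{32}"
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\(" + HEX32 + r")$", re.I)
RUN_DATA = re.compile(r'^"(?P<path>[^"]+)"\s+\.\.$')      # njRAT appends a bare " .."
STARTUP_DROP = re.compile(
    r"\\Start Menu\\Programs\\Startup\\(" + HEX32 + r")\.exe$", re.I
)
NETSH_ALLOW = re.compile(
    r'netsh\s+firewall\s+add\s+allowedprogram\s+"(?P<path>[^"]+)"', re.I
)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def triage(events: Iterable[dict]) -> Dict[str, Set[str]]:
    """Return {image_path: tags} for binaries that collect two or more tags.

    Each rule adds one tag keyed on the binary it implicates. A single tag is
    not reported: a lone Run entry or a lone netsh call is too common to act on,
    while the same path showing up in several of these rules is the chain this
    report documents.
    """
    findings: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        eid = ev["EventID"]
        if eid == 13:                                   # registry value set
            key = RUN_KEY.search(ev["TargetObject"])
            data = RUN_DATA.match(ev["Details"])
            if key and data:
                findings[data["path"].lower()].add("run_key:" + key.group(1).lower())
        elif eid == 11:                                 # file create
            drop = STARTUP_DROP.search(ev["TargetFilename"])
            if drop:
                findings[ev["Image"].lower()].add("startup_drop:" + drop.group(1).lower())
        elif eid == 1:                                  # process create
            allow = NETSH_ALLOW.search(ev["CommandLine"])
            if allow:
                findings[allow["path"].lower()].add("firewall_exception")
            image = ev["Image"].lower()
            if image.endswith("\\csrss.exe") and not image.startswith(SYSTEM_DIRS):
                findings[image].add("csrss_masquerade")
    return {path: tags for path, tags in findings.items() if len(tags) >= 2}


# Constructed events mirroring the process tree and IoCs in this report.
APPDATA = "C:\\Users\\Admin\\AppData\\Roaming"
KEY_ID = "22d454c9d4a86e192f7a5423970a5c83"            # reg_key from the extracted config
HKU = "HKU\\S-1-5-21-3499517378-2376672570-1134980332-1000"
EVENTS = [
    {"EventID": 1, "Image": APPDATA + "\\csrss.exe",
     "CommandLine": '"' + APPDATA + '\\csrss.exe"'},
    {"EventID": 11, "Image": APPDATA + "\\csrss.exe",
     "TargetFilename": APPDATA + "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" + KEY_ID + ".exe"},
    {"EventID": 13, "TargetObject": HKU + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" + KEY_ID,
     "Details": '"' + APPDATA + '\\csrss.exe" ..'},
    {"EventID": 1, "Image": "C:\\Windows\\SysWOW64\\netsh.exe",
     "CommandLine": 'netsh firewall add allowedprogram "' + APPDATA + '\\csrss.exe" "csrss.exe" ENABLE'},
    # benign noise: the real csrss.exe and an ordinary Run entry
    {"EventID": 1, "Image": "C:\\Windows\\System32\\csrss.exe",
     "CommandLine": "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows"},
    {"EventID": 13, "TargetObject": HKU + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": '"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for path, tags in triage(EVENTS).items():
        print(path, sorted(tags))
```

Keying every tag on the implicated binary path rather than on the emitting process is what lets the netsh event (whose Image is netsh.exe) land on the same bucket as the Run key and the Startup drop; the 32-hex id carried in the tags gives the analyst the mutex and file name to sweep for on other hosts.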
Network

MITRE ATT&CK Matrix (ATT&CK v6)

Downloads
Dropped files (every copy is byte-identical to the submitted sample: same size and the same MD5/SHA1/SHA256/SHA512 as listed under General)
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22d454c9d4a86e192f7a5423970a5c83.exe
  - C:\Users\Admin\AppData\Roaming\csrss.exe (listed twice in the report)
  - \Users\Admin\AppData\Roaming\csrss.exe
  Filesize: 23KB
  MD5: 540c26994ac206f56ced1ab9097edd71
  SHA1: ac5b7b5d505d5ec226ee2ecad0e0aa256c080a26
  SHA256: 3d12a39e3a94131fc5cb7d5ad0a3ae94c94ed9f528a68bcdbc50f1316860e157
  SHA512: 8b0f653c5b547409f587b0440fd7d070f1b247be8562fdf9712479cf69c0d720cc19fc7a8850499de89c2588023e849c5647b4b27f54543c7d5e1c49388782cd

Memory dumps (PID 628, the submitted sample)
  - memory/628-54-0x0000000000250000-0x0000000000290000-memory.dmp: 256KB
  - memory/628-55-0x0000000000250000-0x0000000000290000-memory.dmp: 256KB