Analysis
- max time kernel: 155s
- max time network: 159s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 31-03-2023 16:51
Behavioral task: behavioral1
- Sample: 0e503cb95361e59b9df503d31a2e8802.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 0e503cb95361e59b9df503d31a2e8802.exe
- Resource: win10v2004-20230220-en
General
- Target: 0e503cb95361e59b9df503d31a2e8802.exe
- Size: 26KB
- MD5: 0e503cb95361e59b9df503d31a2e8802
- SHA1: 1250284990eeb2290e19b6492a40be1a9e720e54
- SHA256: 58ac2495135149fb207fbab60f7bde30aa9873650da20f2a00c03391106656fe
- SHA512: fbc969e45fbb9c9332ddff14cf453af4edd64810cd85c07b552fea7e59fe6c46ed19c6f59658acda129df329747f73ac053d687dc6262b4c00bcd14ee3b8ac1d
- SSDEEP: 384:kLbe6lnw3m4Afp1UDMoCoP6udRNMpAQk93vmhm7UMKmIEecKdbXTzm9bVhcao631:ybeyBPqQpA/vMHTi9bD
Malware Config
Extracted
- Family: njrat
- Version: v2.0
- Botnet: HacKed
- C2: study-silly.at.ply.gg:42876
- Mutex: Windows
- reg_key: Windows
- splitter: |-F-|
Signatures
- Drops startup file (5 IoCs)
  Processes: 0e503cb95361e59b9df503d31a2e8802.exe, LocalShell.bat, attrib.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | 0e503cb95361e59b9df503d31a2e8802.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | LocalShell.bat
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | LocalShell.bat
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | LocalShell.bat
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | attrib.exe
- Executes dropped EXE (1 IoC)
  Processes: LocalShell.bat
  pid | process
  1096 | LocalShell.bat
- Adds Run key to start application (2 TTPs, 5 IoCs)
  Processes: 0e503cb95361e59b9df503d31a2e8802.exe, LocalShell.bat
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Windows\\LocalShell.bat" | 0e503cb95361e59b9df503d31a2e8802.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | LocalShell.bat
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | LocalShell.bat
  Set value (str) | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | LocalShell.bat
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | LocalShell.bat
- Drops file in Windows directory (2 IoCs)
  Processes: 0e503cb95361e59b9df503d31a2e8802.exe, attrib.exe
  description | ioc | process
  File created | C:\Windows\LocalShell.bat | 0e503cb95361e59b9df503d31a2e8802.exe
  File opened for modification | C:\Windows\LocalShell.bat | attrib.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (17 IoCs)
  Processes: LocalShell.bat
  description | pid | process
  Token: SeDebugPrivilege | 1096 | LocalShell.bat
  Token: 33 | 1096 | LocalShell.bat (8 entries)
  Token: SeIncBasePriorityPrivilege | 1096 | LocalShell.bat (8 entries)
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: 0e503cb95361e59b9df503d31a2e8802.exe, LocalShell.bat
  description | pid | process | target process
  PID 1052 wrote to memory of 1096 | 1052 | 0e503cb95361e59b9df503d31a2e8802.exe | LocalShell.bat (4 entries)
  PID 1052 wrote to memory of 868 | 1052 | 0e503cb95361e59b9df503d31a2e8802.exe | attrib.exe (4 entries)
  PID 1096 wrote to memory of 1516 | 1096 | LocalShell.bat | attrib.exe (4 entries)
  PID 1096 wrote to memory of 1624 | 1096 | LocalShell.bat | attrib.exe (4 entries)
- Views/modifies file attributes (1 TTP, 3 IoCs)
  Processes: attrib.exe, attrib.exe, attrib.exe
  pid | process
  868 | attrib.exe
  1516 | attrib.exe
  1624 | attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\0e503cb95361e59b9df503d31a2e8802.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e503cb95361e59b9df503d31a2e8802.exe"
  - Drops startup file
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\LocalShell.bat
    Command line: "C:\Windows\LocalShell.bat"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
      - Drops startup file
      - Views/modifies file attributes
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\attrib.exe
    Command line: attrib +h +r +s "C:\Windows\LocalShell.bat"
    - Drops file in Windows directory
    - Views/modifies file attributes
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe (same hashes as the submitted sample)
  Filesize: 26KB
  MD5: 0e503cb95361e59b9df503d31a2e8802
  SHA1: 1250284990eeb2290e19b6492a40be1a9e720e54
  SHA256: 58ac2495135149fb207fbab60f7bde30aa9873650da20f2a00c03391106656fe
  SHA512: fbc969e45fbb9c9332ddff14cf453af4edd64810cd85c07b552fea7e59fe6c46ed19c6f59658acda129df329747f73ac053d687dc6262b4c00bcd14ee3b8ac1d
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
  Filesize: 1KB
  MD5: e65fcfde9b3bc26df7fea040f0443e77
  SHA1: 35f95a818bdd8833d75aeb0ee69aba096e5c4f37
  SHA256: ea08f2a8c553a9d395c1602e82f51327aaa75bda04ae15b9205336b6e0666141
  SHA512: a0f8ac5beaf4df5a14f504873cafcdde0c5a22bbe7ef33ee578872898b240d264386be272b4482cb07467179c4e41c7127530f433df5061d9057a3e15b6390ba
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
  Filesize: 1022B
  MD5: ad77ced9f9000247debeb317a030a77a
  SHA1: c3b1d64ce26eda5493d09021743a6d578059f6ce
  SHA256: 2dcd4b2a82dd20058495d1e74dc37cf2b78d511405e2b00deb7b2871a6d1e879
  SHA512: 88b51a01e08587a9a5320baf7ce28275de788fadf923761545d02e4ba37db730d889b7fc1bda17da984508cff415fdb245c83f4318671378ef318a3a1fd048ee
- C:\Windows\LocalShell.bat (same hashes as the submitted sample)
  Filesize: 26KB
  MD5: 0e503cb95361e59b9df503d31a2e8802
  SHA1: 1250284990eeb2290e19b6492a40be1a9e720e54
  SHA256: 58ac2495135149fb207fbab60f7bde30aa9873650da20f2a00c03391106656fe
  SHA512: fbc969e45fbb9c9332ddff14cf453af4edd64810cd85c07b552fea7e59fe6c46ed19c6f59658acda129df329747f73ac053d687dc6262b4c00bcd14ee3b8ac1d
- memory/1052-56-0x0000000000400000-0x0000000000440000-memory.dmp
  Filesize: 256KB
- memory/1052-57-0x0000000000400000-0x0000000000440000-memory.dmp
  Filesize: 256KB
- memory/1096-70-0x0000000001FD0000-0x0000000002010000-memory.dmp
  Filesize: 256KB