Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 13:43

Static task: static1

Behavioral task: behavioral1
Sample: LOLPro/LOL PRO 5.2.exe
Resource: win7-20240419-en

Behavioral task: behavioral2
Sample: LOLPro/LOL PRO 5.2.exe
Resource: win10v2004-20240426-en
General

Target: LOLPro/LOL PRO 5.2.exe
Size: 966KB
MD5: f6ef181ef99d83e9abd6e4a31066779c
SHA1: 910734741be798fa7028e56589eaa63f650fbea7
SHA256: d5f9071bdf3777ec1c2156ef56e2404ffa107bea1ee1abdfcf324437f27a205c
SHA512: aef121cd8e9d0d5292c9a0952b2b4fda4c5d8d8208eee1ab854d4fff167bb29d7e98afa49109ab8d56d4dacd1d4058c414784337d90cbeae938ee49df1f69c53
SSDEEP: 24576:54lavt0LkLL9IMixoEgeadFMdWxIq9MmCS:Ikwkn9IMHead+daPCS
Malware Config

Extracted
Family: njrat
Version: 0.7d
Botnet: SpreadByKayxs
C2: paravant.no-ip.org:6600
Mutex: 903b5e476b60431f6f04947fbe52bcc3
reg_key: 903b5e476b60431f6f04947fbe52bcc3
splitter: |'|'|
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | LOL PRO 5.2.exe

Modifies Windows Firewall (2 TTPs, 1 IoCs)
Processes:
pid | process
2032 | netsh.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Key deleted | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | LOL PRO 5.2.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | LOL PRO 5.2.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
description | pid | process | target process
PID 4604 set thread context of 3916 | 4604 | LOL PRO 5.2.exe | cvtres.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
4604 | LOL PRO 5.2.exe
4604 | LOL PRO 5.2.exe

Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 3916 | cvtres.exe
Token: 33 | 3916 | cvtres.exe
Token: SeIncBasePriorityPrivilege | 3916 | cvtres.exe
Token: 33 | 3916 | cvtres.exe
Token: SeIncBasePriorityPrivilege | 3916 | cvtres.exe
Token: 33 | 3916 | cvtres.exe
Token: SeIncBasePriorityPrivilege | 3916 | cvtres.exe
Token: 33 | 3916 | cvtres.exe
Token: SeIncBasePriorityPrivilege | 3916 | cvtres.exe
Token: 33 | 3916 | cvtres.exe
Token: SeIncBasePriorityPrivilege | 3916 | cvtres.exe
Token: 33 | 3916 | cvtres.exe
Token: SeIncBasePriorityPrivilege | 3916 | cvtres.exe
Token: 33 | 3916 | cvtres.exe
Token: SeIncBasePriorityPrivilege | 3916 | cvtres.exe
Token: 33 | 3916 | cvtres.exe
Token: SeIncBasePriorityPrivilege | 3916 | cvtres.exe
Token: 33 | 3916 | cvtres.exe
Token: SeIncBasePriorityPrivilege | 3916 | cvtres.exe
Token: 33 | 3916 | cvtres.exe
Token: SeIncBasePriorityPrivilege | 3916 | cvtres.exe
Token: 33 | 3916 | cvtres.exe
Token: SeIncBasePriorityPrivilege | 3916 | cvtres.exe
Token: 33 | 3916 | cvtres.exe
Token: SeIncBasePriorityPrivilege | 3916 | cvtres.exe
Token: 33 | 3916 | cvtres.exe
Token: SeIncBasePriorityPrivilege | 3916 | cvtres.exe
Token: 33 | 3916 | cvtres.exe
Token: SeIncBasePriorityPrivilege | 3916 | cvtres.exe
Token: 33 | 3916 | cvtres.exe
Token: SeIncBasePriorityPrivilege | 3916 | cvtres.exe
Token: 33 | 3916 | cvtres.exe
Token: SeIncBasePriorityPrivilege | 3916 | cvtres.exe
Token: 33 | 3916 | cvtres.exe
Token: SeIncBasePriorityPrivilege | 3916 | cvtres.exe

Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
description | pid | process | target process
PID 4604 wrote to memory of 3916 | 4604 | LOL PRO 5.2.exe | cvtres.exe
PID 4604 wrote to memory of 3916 | 4604 | LOL PRO 5.2.exe | cvtres.exe
PID 4604 wrote to memory of 3916 | 4604 | LOL PRO 5.2.exe | cvtres.exe
PID 4604 wrote to memory of 3916 | 4604 | LOL PRO 5.2.exe | cvtres.exe
PID 4604 wrote to memory of 3916 | 4604 | LOL PRO 5.2.exe | cvtres.exe
PID 4604 wrote to memory of 4788 | 4604 | LOL PRO 5.2.exe | cmd.exe
PID 4604 wrote to memory of 4788 | 4604 | LOL PRO 5.2.exe | cmd.exe
PID 4604 wrote to memory of 4788 | 4604 | LOL PRO 5.2.exe | cmd.exe
PID 4788 wrote to memory of 1572 | 4788 | cmd.exe | schtasks.exe
PID 4788 wrote to memory of 1572 | 4788 | cmd.exe | schtasks.exe
PID 4788 wrote to memory of 1572 | 4788 | cmd.exe | schtasks.exe
PID 3916 wrote to memory of 2032 | 3916 | cvtres.exe | netsh.exe
PID 3916 wrote to memory of 2032 | 3916 | cvtres.exe | netsh.exe
PID 3916 wrote to memory of 2032 | 3916 | cvtres.exe | netsh.exe

System policy modification (1 TTPs, 2 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | LOL PRO 5.2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | LOL PRO 5.2.exe
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\LOLPro\LOL PRO 5.2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\LOLPro\LOL PRO 5.2.exe"
  - Modifies visibility of hidden/system files in Explorer
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 4604

  Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3916

    Level 3: C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" "cvtres.exe" ENABLE
      - Modifies Windows Firewall
      PID: 2032

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c SCHTASKS /Create /SC MINUTE /MO 30 /TN IgfxTray Module /TR C:\Users\Admin\AppData\Roaming\IgfxTray.exe /RU SYSTEM /F /RL HIGHEST
    - Suspicious use of WriteProcessMemory
    PID: 4788

    Level 3: C:\Windows\SysWOW64\schtasks.exe
      Command line: SCHTASKS /Create /SC MINUTE /MO 30 /TN IgfxTray Module /TR C:\Users\Admin\AppData\Roaming\IgfxTray.exe /RU SYSTEM /F /RL HIGHEST
      - Creates scheduled task(s)
      PID: 1572
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
Downloads

memory/3916-1-0x00000000001E0000-0x00000000001EC000-memory.dmp (Filesize: 48KB)
memory/3916-2-0x000000007316E000-0x000000007316F000-memory.dmp (Filesize: 4KB)
memory/3916-3-0x0000000004A60000-0x0000000004AFC000-memory.dmp (Filesize: 624KB)
memory/3916-4-0x00000000050B0000-0x0000000005654000-memory.dmp (Filesize: 5.6MB)
memory/3916-7-0x0000000004C20000-0x0000000004CB2000-memory.dmp (Filesize: 584KB)
memory/3916-8-0x0000000073160000-0x0000000073910000-memory.dmp (Filesize: 7.7MB)
memory/3916-9-0x0000000004BF0000-0x0000000004BFA000-memory.dmp (Filesize: 40KB)
memory/3916-10-0x0000000073160000-0x0000000073910000-memory.dmp (Filesize: 7.7MB)