Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
14-12-2020 15:36
Static task
static1
Behavioral task
behavioral1
Sample
92d0a1a1b5eaf3f8624d4f2e39e2de26.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
92d0a1a1b5eaf3f8624d4f2e39e2de26.exe
Resource
win10v20201028
General
-
Target
92d0a1a1b5eaf3f8624d4f2e39e2de26.exe
-
Size
23KB
-
MD5
92d0a1a1b5eaf3f8624d4f2e39e2de26
-
SHA1
21dc02d8bf484c464bfb1c39cfe26bdbb56ea0ac
-
SHA256
dd562a2d51ffcf2c9f56779211e8bd1b22899d7448cb544e73c1baae4fcb811d
-
SHA512
32652c97a839a601c06883672bbda393ee0db31f6497fb7a1fda407c72144087a365236f7e6db1fad2b000f5de4d880498bbfcd3437efacf39650e720f020d78
Malware Config
Extracted
njrat
0.7d
HacKed
10.10.10.10:5552
e3c9dc0133333258fa0ebe7ab4bdc72d
-
reg_key
e3c9dc0133333258fa0ebe7ab4bdc72d
-
splitter
|'|'|
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
server.exepid process 824 server.exe -
Modifies Windows Firewall 1 TTPs
-
Drops startup file 2 IoCs
Processes:
server.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e3c9dc0133333258fa0ebe7ab4bdc72d.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e3c9dc0133333258fa0ebe7ab4bdc72d.exe server.exe -
Loads dropped DLL 1 IoCs
Processes:
92d0a1a1b5eaf3f8624d4f2e39e2de26.exepid process 1760 92d0a1a1b5eaf3f8624d4f2e39e2de26.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
server.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\e3c9dc0133333258fa0ebe7ab4bdc72d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\e3c9dc0133333258fa0ebe7ab4bdc72d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 31 IoCs
Processes:
server.exedescription pid process Token: SeDebugPrivilege 824 server.exe Token: 33 824 server.exe Token: SeIncBasePriorityPrivilege 824 server.exe Token: 33 824 server.exe Token: SeIncBasePriorityPrivilege 824 server.exe Token: 33 824 server.exe Token: SeIncBasePriorityPrivilege 824 server.exe Token: 33 824 server.exe Token: SeIncBasePriorityPrivilege 824 server.exe Token: 33 824 server.exe Token: SeIncBasePriorityPrivilege 824 server.exe Token: 33 824 server.exe Token: SeIncBasePriorityPrivilege 824 server.exe Token: 33 824 server.exe Token: SeIncBasePriorityPrivilege 824 server.exe Token: 33 824 server.exe Token: SeIncBasePriorityPrivilege 824 server.exe Token: 33 824 server.exe Token: SeIncBasePriorityPrivilege 824 server.exe Token: 33 824 server.exe Token: SeIncBasePriorityPrivilege 824 server.exe Token: 33 824 server.exe Token: SeIncBasePriorityPrivilege 824 server.exe Token: 33 824 server.exe Token: SeIncBasePriorityPrivilege 824 server.exe Token: 33 824 server.exe Token: SeIncBasePriorityPrivilege 824 server.exe Token: 33 824 server.exe Token: SeIncBasePriorityPrivilege 824 server.exe Token: 33 824 server.exe Token: SeIncBasePriorityPrivilege 824 server.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
92d0a1a1b5eaf3f8624d4f2e39e2de26.exeserver.exedescription pid process target process PID 1760 wrote to memory of 824 1760 92d0a1a1b5eaf3f8624d4f2e39e2de26.exe server.exe PID 1760 wrote to memory of 824 1760 92d0a1a1b5eaf3f8624d4f2e39e2de26.exe server.exe PID 1760 wrote to memory of 824 1760 92d0a1a1b5eaf3f8624d4f2e39e2de26.exe server.exe PID 1760 wrote to memory of 824 1760 92d0a1a1b5eaf3f8624d4f2e39e2de26.exe server.exe PID 824 wrote to memory of 1348 824 server.exe netsh.exe PID 824 wrote to memory of 1348 824 server.exe netsh.exe PID 824 wrote to memory of 1348 824 server.exe netsh.exe PID 824 wrote to memory of 1348 824 server.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\92d0a1a1b5eaf3f8624d4f2e39e2de26.exe"C:\Users\Admin\AppData\Local\Temp\92d0a1a1b5eaf3f8624d4f2e39e2de26.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\server.exeMD5
92d0a1a1b5eaf3f8624d4f2e39e2de26
SHA121dc02d8bf484c464bfb1c39cfe26bdbb56ea0ac
SHA256dd562a2d51ffcf2c9f56779211e8bd1b22899d7448cb544e73c1baae4fcb811d
SHA51232652c97a839a601c06883672bbda393ee0db31f6497fb7a1fda407c72144087a365236f7e6db1fad2b000f5de4d880498bbfcd3437efacf39650e720f020d78
-
C:\Users\Admin\AppData\Local\Temp\server.exeMD5
92d0a1a1b5eaf3f8624d4f2e39e2de26
SHA121dc02d8bf484c464bfb1c39cfe26bdbb56ea0ac
SHA256dd562a2d51ffcf2c9f56779211e8bd1b22899d7448cb544e73c1baae4fcb811d
SHA51232652c97a839a601c06883672bbda393ee0db31f6497fb7a1fda407c72144087a365236f7e6db1fad2b000f5de4d880498bbfcd3437efacf39650e720f020d78
-
\Users\Admin\AppData\Local\Temp\server.exeMD5
92d0a1a1b5eaf3f8624d4f2e39e2de26
SHA121dc02d8bf484c464bfb1c39cfe26bdbb56ea0ac
SHA256dd562a2d51ffcf2c9f56779211e8bd1b22899d7448cb544e73c1baae4fcb811d
SHA51232652c97a839a601c06883672bbda393ee0db31f6497fb7a1fda407c72144087a365236f7e6db1fad2b000f5de4d880498bbfcd3437efacf39650e720f020d78
-
memory/824-3-0x0000000000000000-mapping.dmp
-
memory/1348-6-0x0000000000000000-mapping.dmp