Analysis
- max time kernel: 151s
- max time network: 121s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 14-12-2020 16:53
Static task: static1
Behavioral task: behavioral1
  Sample: e24422a7262bea6034d20d759f6e5787.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: e24422a7262bea6034d20d759f6e5787.exe
  Resource: win10v20201028
General
- Target: e24422a7262bea6034d20d759f6e5787.exe
- Size: 23KB
- MD5: e24422a7262bea6034d20d759f6e5787
- SHA1: f37f1d5521e74bd04d8336624d8e0918a5f780e5
- SHA256: 36bd6850126b5f7b37d9627f4adbabd4ea13cc5db45fbc8ead58cfa43dd0f8fc
- SHA512: f1eee9aac8f4dca02ab7a6b2327e8f0fd1469ae327eb5058b500816f29be47c29b96863f67f1a0f5f9b6a9a60288ae6c95d72fd13f28b3e4b61ad615a39fac48
Malware Config
Extracted: njrat
- 0.7d
- bae
- asasasbb.hopto.org:81
- 90ea31345bb2b19708b6ad94c9a81128
- reg_key: 90ea31345bb2b19708b6ad94c9a81128
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: server.exe (pid 284)
- Modifies Windows Firewall (1 TTPs)
- Loads dropped DLL (1 IoCs)
  Processes: e24422a7262bea6034d20d759f6e5787.exe (pid 1680)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: server.exe
    Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\90ea31345bb2b19708b6ad94c9a81128 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .."
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\90ea31345bb2b19708b6ad94c9a81128 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .."
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Processes: server.exe (pid 284)
    Token: SeDebugPrivilege (1 entry)
    Token: 33 and Token: SeIncBasePriorityPrivilege, alternating, 15 times each (30 entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    PID 1680 (e24422a7262bea6034d20d759f6e5787.exe) wrote to memory of PID 284 (server.exe), 4 times
    PID 284 (server.exe) wrote to memory of PID 1080 (netsh.exe), 4 times
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\e24422a7262bea6034d20d759f6e5787.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e24422a7262bea6034d20d759f6e5787.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\server.exe
    Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\server.exe
  MD5: e24422a7262bea6034d20d759f6e5787
  SHA1: f37f1d5521e74bd04d8336624d8e0918a5f780e5
  SHA256: 36bd6850126b5f7b37d9627f4adbabd4ea13cc5db45fbc8ead58cfa43dd0f8fc
  SHA512: f1eee9aac8f4dca02ab7a6b2327e8f0fd1469ae327eb5058b500816f29be47c29b96863f67f1a0f5f9b6a9a60288ae6c95d72fd13f28b3e4b61ad615a39fac48
- memory/284-3-0x0000000000000000-mapping.dmp
- memory/1080-6-0x0000000000000000-mapping.dmp