Analysis
-
max time kernel
151s -
max time network
133s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
28-12-2020 21:03
Static task
static1
Behavioral task
behavioral1
Sample
B1jjiJCc.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
B1jjiJCc.exe
Resource
win10v20201028
General
-
Target
B1jjiJCc.exe
-
Size
23KB
-
MD5
28a8a52dca43eb1e4fa40ef3b91ca37d
-
SHA1
0d1cd0ee19cc993e9e7f52522795a7aa7afd1e44
-
SHA256
ea5e746e22a5fea7fe514f9324088f98e6b7f7ad6c97ec972ab2667cb440ee41
-
SHA512
3fb983b2e77dbf1f71587ccae00fde3341acb07cd3339b123acbaabbacbb5956bac5784f5443c7bbb631cec771967fb723263afbc99961f20bb96c126dd60b92
Malware Config
Extracted
njrat
0.7d
HacKed
xoruf.ddns.net:5552
1178e84f8817063764244d77a8a9d851
-
reg_key
1178e84f8817063764244d77a8a9d851
-
splitter
@!#&^%$
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
server.exepid process 1572 server.exe -
Modifies Windows Firewall 1 TTPs
-
Drops startup file 2 IoCs
Processes:
server.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1178e84f8817063764244d77a8a9d851.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1178e84f8817063764244d77a8a9d851.exe server.exe -
Loads dropped DLL 1 IoCs
Processes:
B1jjiJCc.exepid process 1924 B1jjiJCc.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
server.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\1178e84f8817063764244d77a8a9d851 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .." server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\1178e84f8817063764244d77a8a9d851 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .." server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 31 IoCs
Processes:
server.exedescription pid process Token: SeDebugPrivilege 1572 server.exe Token: 33 1572 server.exe Token: SeIncBasePriorityPrivilege 1572 server.exe Token: 33 1572 server.exe Token: SeIncBasePriorityPrivilege 1572 server.exe Token: 33 1572 server.exe Token: SeIncBasePriorityPrivilege 1572 server.exe Token: 33 1572 server.exe Token: SeIncBasePriorityPrivilege 1572 server.exe Token: 33 1572 server.exe Token: SeIncBasePriorityPrivilege 1572 server.exe Token: 33 1572 server.exe Token: SeIncBasePriorityPrivilege 1572 server.exe Token: 33 1572 server.exe Token: SeIncBasePriorityPrivilege 1572 server.exe Token: 33 1572 server.exe Token: SeIncBasePriorityPrivilege 1572 server.exe Token: 33 1572 server.exe Token: SeIncBasePriorityPrivilege 1572 server.exe Token: 33 1572 server.exe Token: SeIncBasePriorityPrivilege 1572 server.exe Token: 33 1572 server.exe Token: SeIncBasePriorityPrivilege 1572 server.exe Token: 33 1572 server.exe Token: SeIncBasePriorityPrivilege 1572 server.exe Token: 33 1572 server.exe Token: SeIncBasePriorityPrivilege 1572 server.exe Token: 33 1572 server.exe Token: SeIncBasePriorityPrivilege 1572 server.exe Token: 33 1572 server.exe Token: SeIncBasePriorityPrivilege 1572 server.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
B1jjiJCc.exeserver.exedescription pid process target process PID 1924 wrote to memory of 1572 1924 B1jjiJCc.exe server.exe PID 1924 wrote to memory of 1572 1924 B1jjiJCc.exe server.exe PID 1924 wrote to memory of 1572 1924 B1jjiJCc.exe server.exe PID 1924 wrote to memory of 1572 1924 B1jjiJCc.exe server.exe PID 1572 wrote to memory of 384 1572 server.exe netsh.exe PID 1572 wrote to memory of 384 1572 server.exe netsh.exe PID 1572 wrote to memory of 384 1572 server.exe netsh.exe PID 1572 wrote to memory of 384 1572 server.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\B1jjiJCc.exe"C:\Users\Admin\AppData\Local\Temp\B1jjiJCc.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\server.exe"C:\Users\Admin\AppData\Roaming\server.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\server.exeMD5
28a8a52dca43eb1e4fa40ef3b91ca37d
SHA10d1cd0ee19cc993e9e7f52522795a7aa7afd1e44
SHA256ea5e746e22a5fea7fe514f9324088f98e6b7f7ad6c97ec972ab2667cb440ee41
SHA5123fb983b2e77dbf1f71587ccae00fde3341acb07cd3339b123acbaabbacbb5956bac5784f5443c7bbb631cec771967fb723263afbc99961f20bb96c126dd60b92
-
C:\Users\Admin\AppData\Roaming\server.exeMD5
28a8a52dca43eb1e4fa40ef3b91ca37d
SHA10d1cd0ee19cc993e9e7f52522795a7aa7afd1e44
SHA256ea5e746e22a5fea7fe514f9324088f98e6b7f7ad6c97ec972ab2667cb440ee41
SHA5123fb983b2e77dbf1f71587ccae00fde3341acb07cd3339b123acbaabbacbb5956bac5784f5443c7bbb631cec771967fb723263afbc99961f20bb96c126dd60b92
-
\Users\Admin\AppData\Roaming\server.exeMD5
28a8a52dca43eb1e4fa40ef3b91ca37d
SHA10d1cd0ee19cc993e9e7f52522795a7aa7afd1e44
SHA256ea5e746e22a5fea7fe514f9324088f98e6b7f7ad6c97ec972ab2667cb440ee41
SHA5123fb983b2e77dbf1f71587ccae00fde3341acb07cd3339b123acbaabbacbb5956bac5784f5443c7bbb631cec771967fb723263afbc99961f20bb96c126dd60b92
-
memory/384-6-0x0000000000000000-mapping.dmp
-
memory/1572-3-0x0000000000000000-mapping.dmp