Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 02-01-2021 03:18
Static task: static1
Behavioral task: behavioral1
- Sample: 34ArXmP6.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 34ArXmP6.exe
- Resource: win10v20201028
General
- Target: 34ArXmP6.exe
- Size: 23KB
- MD5: 79f4a193c1a13bcff525744920f0a656
- SHA1: c358ef3c3446c5827b19f27d9beaf7b47ea85b3e
- SHA256: 735aba62493a92f1b5a807a29259f7327977ed35587c477f25024954f347ddb3
- SHA512: 7b3290692ce03a4050a39cf6ebf840a83f271d3a51b9ee5b56d0a3ee1db021c77cfebd56381db732fc1a979bf6796e621df25daa8b7aff49d9c3cb411c709aff
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: xoruf.ddns.net:5552
- 70d07bb54d53fe450ad16e5aacbe54a8
- reg_key: 70d07bb54d53fe450ad16e5aacbe54a8
- splitter: @!#&^%$
Signatures
- Executes dropped EXE (1 IoC)
  Processes: server.exe
    pid | process
    2940 | server.exe
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Processes: server.exe
    description | ioc | process
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\70d07bb54d53fe450ad16e5aacbe54a8.exe | server.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\70d07bb54d53fe450ad16e5aacbe54a8.exe | server.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: server.exe
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\70d07bb54d53fe450ad16e5aacbe54a8 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | server.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\70d07bb54d53fe450ad16e5aacbe54a8 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | server.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes: server.exe
    description | pid | process
    Token: SeDebugPrivilege | 2940 | server.exe
    Token: 33 | 2940 | server.exe
    Token: SeIncBasePriorityPrivilege | 2940 | server.exe
    Token: 33 | 2940 | server.exe
    Token: SeIncBasePriorityPrivilege | 2940 | server.exe
    Token: 33 | 2940 | server.exe
    Token: SeIncBasePriorityPrivilege | 2940 | server.exe
    Token: 33 | 2940 | server.exe
    Token: SeIncBasePriorityPrivilege | 2940 | server.exe
    Token: 33 | 2940 | server.exe
    Token: SeIncBasePriorityPrivilege | 2940 | server.exe
    Token: 33 | 2940 | server.exe
    Token: SeIncBasePriorityPrivilege | 2940 | server.exe
    Token: 33 | 2940 | server.exe
    Token: SeIncBasePriorityPrivilege | 2940 | server.exe
    Token: 33 | 2940 | server.exe
    Token: SeIncBasePriorityPrivilege | 2940 | server.exe
    Token: 33 | 2940 | server.exe
    Token: SeIncBasePriorityPrivilege | 2940 | server.exe
    Token: 33 | 2940 | server.exe
    Token: SeIncBasePriorityPrivilege | 2940 | server.exe
    Token: 33 | 2940 | server.exe
    Token: SeIncBasePriorityPrivilege | 2940 | server.exe
    Token: 33 | 2940 | server.exe
    Token: SeIncBasePriorityPrivilege | 2940 | server.exe
    Token: 33 | 2940 | server.exe
    Token: SeIncBasePriorityPrivilege | 2940 | server.exe
    Token: 33 | 2940 | server.exe
    Token: SeIncBasePriorityPrivilege | 2940 | server.exe
    Token: 33 | 2940 | server.exe
    Token: SeIncBasePriorityPrivilege | 2940 | server.exe
    Token: 33 | 2940 | server.exe
    Token: SeIncBasePriorityPrivilege | 2940 | server.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 34ArXmP6.exe, server.exe
    description | pid | process | target process
    PID 972 wrote to memory of 2940 | 972 | 34ArXmP6.exe | server.exe
    PID 972 wrote to memory of 2940 | 972 | 34ArXmP6.exe | server.exe
    PID 972 wrote to memory of 2940 | 972 | 34ArXmP6.exe | server.exe
    PID 2940 wrote to memory of 724 | 2940 | server.exe | netsh.exe
    PID 2940 wrote to memory of 724 | 2940 | server.exe | netsh.exe
    PID 2940 wrote to memory of 724 | 2940 | server.exe | netsh.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\34ArXmP6.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\34ArXmP6.exe"
      - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\server.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
        - Executes dropped EXE
        - Drops startup file
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\netsh.exe
          command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\server.exe
  MD5: 79f4a193c1a13bcff525744920f0a656
  SHA1: c358ef3c3446c5827b19f27d9beaf7b47ea85b3e
  SHA256: 735aba62493a92f1b5a807a29259f7327977ed35587c477f25024954f347ddb3
  SHA512: 7b3290692ce03a4050a39cf6ebf840a83f271d3a51b9ee5b56d0a3ee1db021c77cfebd56381db732fc1a979bf6796e621df25daa8b7aff49d9c3cb411c709aff
- memory/724-5-0x0000000000000000-mapping.dmp
- memory/2940-2-0x0000000000000000-mapping.dmp