Analysis
- max time kernel: 151s
- max time network: 149s
- platform: windows10_x64
- resource: win10-en
- submitted: 06-09-2021 06:46
Static task: static1
Behavioral task: behavioral1
  Sample: 91eac047cf1d9c96af9c6ade8bd3904b827e8ddd373a5c92ac6d1a55bdb69c11.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 91eac047cf1d9c96af9c6ade8bd3904b827e8ddd373a5c92ac6d1a55bdb69c11.exe
  Resource: win10-en
General
- Target: 91eac047cf1d9c96af9c6ade8bd3904b827e8ddd373a5c92ac6d1a55bdb69c11.exe
- Size: 75KB
- MD5: 84f9b3ff127dc38eacd42da00e080dee
- SHA1: 7dfcd750a7ecbfff358802ac7365477dab8b9aba
- SHA256: 91eac047cf1d9c96af9c6ade8bd3904b827e8ddd373a5c92ac6d1a55bdb69c11
- SHA512: aa9495231d7506936806eae0f2306ec7ecee44752e681ce39c84f37f15eb7f143c32912ba8d4f72a7992ec764f1f9b9ae7e1d1239b6df71c2ecbff9abd9306c5
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: 192.168.0.220:5552
- Mutex: cf380edbb9022cc313e8604499552980
- Attributes:
  - reg_key: cf380edbb9022cc313e8604499552980
  - splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  Process | PID
  server.exe | 1168
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Processes:
  Description | IoC | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cf380edbb9022cc313e8604499552980.exe | server.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cf380edbb9022cc313e8604499552980.exe | server.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  Description | IoC | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\cf380edbb9022cc313e8604499552980 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .." | server.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cf380edbb9022cc313e8604499552980 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .." | server.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes:
  Token | PID | Process
  SeDebugPrivilege | 1168 | server.exe (1 entry)
  33 | 1168 | server.exe (16 entries, alternating with the row below)
  SeIncBasePriorityPrivilege | 1168 | server.exe (16 entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  Description | PID | Process | Target process
  PID 3968 wrote to memory of 1168 | 3968 | 91eac047cf1d9c96af9c6ade8bd3904b827e8ddd373a5c92ac6d1a55bdb69c11.exe | server.exe (3 entries)
  PID 1168 wrote to memory of 2664 | 1168 | server.exe | netsh.exe (3 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\91eac047cf1d9c96af9c6ade8bd3904b827e8ddd373a5c92ac6d1a55bdb69c11.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\91eac047cf1d9c96af9c6ade8bd3904b827e8ddd373a5c92ac6d1a55bdb69c11.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\server.exe
    Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\server.exe
  MD5: 84f9b3ff127dc38eacd42da00e080dee
  SHA1: 7dfcd750a7ecbfff358802ac7365477dab8b9aba
  SHA256: 91eac047cf1d9c96af9c6ade8bd3904b827e8ddd373a5c92ac6d1a55bdb69c11
  SHA512: aa9495231d7506936806eae0f2306ec7ecee44752e681ce39c84f37f15eb7f143c32912ba8d4f72a7992ec764f1f9b9ae7e1d1239b6df71c2ecbff9abd9306c5
- memory/1168-125-0x0000000000000000-mapping.dmp
- memory/1168-137-0x0000000004C93000-0x0000000004C95000-memory.dmp (Filesize: 8KB)
- memory/1168-135-0x0000000004C90000-0x0000000004C91000-memory.dmp (Filesize: 4KB)
- memory/2664-138-0x0000000000000000-mapping.dmp
- memory/3968-119-0x00000000054B0000-0x00000000054B1000-memory.dmp (Filesize: 4KB)
- memory/3968-123-0x0000000008A60000-0x0000000008A61000-memory.dmp (Filesize: 4KB)
- memory/3968-124-0x00000000053D3000-0x00000000053D5000-memory.dmp (Filesize: 8KB)
- memory/3968-122-0x00000000089A0000-0x00000000089A6000-memory.dmp (Filesize: 24KB)
- memory/3968-121-0x0000000005450000-0x0000000005451000-memory.dmp (Filesize: 4KB)
- memory/3968-120-0x00000000053D0000-0x00000000053D1000-memory.dmp (Filesize: 4KB)
- memory/3968-115-0x0000000000A00000-0x0000000000A01000-memory.dmp (Filesize: 4KB)
- memory/3968-118-0x00000000059B0000-0x00000000059B1000-memory.dmp (Filesize: 4KB)
- memory/3968-117-0x0000000005310000-0x0000000005317000-memory.dmp (Filesize: 28KB)