Analysis
max time kernel: 150s
max time network: 152s
platform: windows10_x64
resource: win10-en
submitted: 11-09-2021 13:09
Static task: static1
Behavioral task: behavioral1
  Sample: CE82A80553AA90FC39DC9938A1A38785.exe
  Resource: win7-en
Behavioral task: behavioral2
  Sample: CE82A80553AA90FC39DC9938A1A38785.exe
  Resource: win10-en
General
Target: CE82A80553AA90FC39DC9938A1A38785.exe
Size: 99KB
MD5: ce82a80553aa90fc39dc9938a1a38785
SHA1: 0975e73735c72516cdffd11e55a6c44bd003fd97
SHA256: 7d2384407431c2ba16975ccc548524ea2feb4fa216452bfda624513eab254734
SHA512: ba2f5b20e91df86f0e2d4b42b8da62080694c3f304b30e39b10043809d6942654ece90a8ce125b9f3a91a62de413b6a697d7883b40075ad0641628f4bb3b22c0
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet / campaign ID: HacKed (the njRAT builder's default campaign name, so it does not identify a specific operator)
C2: ecstatic-water-14400.pktriot.net:22568 (a pktriot.net tunnel hostname, so the C2 endpoint is relayed through a tunnelling service rather than hosted directly)
Mutex: b41e5fad6d579c73dd0db63f0e3ad82b (field label lost in extraction; the same value is reused below as the Run value name and the Startup file name)
reg_key: b41e5fad6d579c73dd0db63f0e3ad82b
splitter: |'|'|
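Added example (not from the sandbox report, and not njRAT's own code): a framer and field parser for njRAT-style C2 traffic using the splitter and campaign ID extracted above. The wire framing (ASCII decimal length, a NUL byte, then the payload), the "ll" registration command, the operator "inf" request and the base64 "<campaign>_<volume serial>" field are assumptions taken from public analyses of the njRAT 0.7d source, not from this report; the byte stream below is constructed, not captured.

```python
import base64

# Values taken from the extracted config above.
SPLITTER = "|'|'|"
CAMPAIGN = "HacKed"
C2 = ("ecstatic-water-14400.pktriot.net", 22568)


def build_message(fields, splitter=SPLITTER):
    """Encode one message: ASCII decimal length, NUL, payload.
    (Framing assumed from public njRAT 0.7d analyses, not from this report.)"""
    payload = splitter.join(fields).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def frame_messages(stream):
    """Split a raw TCP byte stream into complete message payloads.
    Returns (payloads, leftover); leftover is an incomplete trailing message
    that the caller must keep and prepend to the next socket read."""
    payloads, pos = [], 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul < 0:
            break                                   # length prefix not complete yet
        prefix = stream[pos:nul]
        if not prefix.isdigit():
            raise ValueError(f"non-numeric length prefix at offset {pos}: {prefix!r}")
        length = int(prefix)
        start, end = nul + 1, nul + 1 + length
        if end > len(stream):
            break                                   # payload not complete yet
        payloads.append(stream[start:end])
        pos = end
    return payloads, stream[pos:]


def parse_fields(payload, splitter=SPLITTER):
    """Split a payload on the config splitter; the first field is the command."""
    return payload.decode("utf-8", errors="replace").split(splitter)


def campaign_from_registration(fields):
    """For an 'll' registration, recover the campaign ID from the base64 field
    '<campaign>_<volume serial>' (field layout assumed from public analyses)."""
    if len(fields) < 2 or fields[0] != "ll":
        return None
    try:
        hwid = base64.b64decode(fields[1], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return hwid.rsplit("_", 1)[0]


# Constructed sample stream (not a capture): a client registration followed by
# an operator 'inf' request cut mid-payload, to show the buffering path.
REGISTRATION = build_message([
    "ll",
    base64.b64encode(f"{CAMPAIGN}_A1B2C3D4".encode()).decode(),   # hypothetical serial
    "DESKTOP-SANDBOX", "Admin", "21-09-11", "", "Win 10 Pro", "No", "0.7d",
])
SAMPLE_STREAM = REGISTRATION + build_message(["inf"])[:3]


def demo():
    payloads, leftover = frame_messages(SAMPLE_STREAM)
    fields = parse_fields(payloads[0])
    return {
        "complete_messages": len(payloads),
        "leftover_bytes": len(leftover),
        "command": fields[0],
        "campaign": campaign_from_registration(fields),
        "c2": "%s:%d" % C2,
    }


if __name__ == "__main__":
    print(demo())
```

Because the length prefix is plain ASCII and the splitter is a fixed literal, a network sensor can match this framing on the first bytes of a session to the C2 port above, independent of the hostname the tunnel resolves to.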
Signatures

Executes dropped EXE (2 IoCs)
  pid   process
  4624  build.exe
  4700  server.exe

Modifies Windows Firewall (1 TTP)
  server.exe spawns netsh.exe to add itself as an allowed program; the command line is shown under Processes.

Drops startup file (2 IoCs)
  description                   ioc                                                                                                              process
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b41e5fad6d579c73dd0db63f0e3ad82b.exe  server.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b41e5fad6d579c73dd0db63f0e3ad82b.exe  server.exe
  The file name is the key from the extracted config.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                     process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\b41e5fad6d579c73dd0db63f0e3ad82b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."  server.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b41e5fad6d579c73dd0db63f0e3ad82b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."  server.exe
  The value name is again the config key, and the data points at the copy in %LocalAppData%\Temp with a trailing " .." argument. The HKLM write lands under WOW6432Node because server.exe is a 32-bit process on x64 (it also launches the SysWOW64 netsh.exe), so the registry redirector applies; it succeeded because the sandbox runs the sample as an administrator.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  The "likely ransomware" text is the sandbox's generic description for this signature. Nothing else in this report indicates ransomware; the config identifies the sample as njRAT, whose USB-spreading option enumerates removable drives.

Suspicious use of AdjustPrivilegeToken (33 IoCs)
  pid 4700 server.exe enables SeDebugPrivilege once, followed by alternating entries for privilege LUID 33 (SeIncreaseWorkingSetPrivilege, left unresolved by the sandbox) and SeIncBasePriorityPrivilege, 33 entries in total. All are from process 4700.

Suspicious use of WriteProcessMemory (9 IoCs)
  source pid  source process                        target pid  target process  count
  4564        CE82A80553AA90FC39DC9938A1A38785.exe  4624        build.exe       3
  4624        build.exe                             4700        server.exe      3
  4700        server.exe                            4744        netsh.exe       3
  Each parent writes into the child it has just created, matching the process chain under Processes; this is the process-creation pattern, not injection into an unrelated process.
Processes

1  C:\Users\Admin\AppData\Local\Temp\CE82A80553AA90FC39DC9938A1A38785.exe
   "C:\Users\Admin\AppData\Local\Temp\CE82A80553AA90FC39DC9938A1A38785.exe"
   - Suspicious use of WriteProcessMemory
   2  C:\ProgramData\build.exe
      "C:\ProgramData\build.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3  C:\Users\Admin\AppData\Local\Temp\server.exe
         "C:\Users\Admin\AppData\Local\Temp\server.exe"
         - Executes dropped EXE
         - Drops startup file
         - Adds Run key to start application
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4  C:\Windows\SysWOW64\netsh.exe
            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
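Added example (not from the sandbox report): a correlation rule over endpoint events for the persistence pattern this report records, namely a Run value (HKCU and HKLM\...\WOW6432Node) pointing at a binary under %LocalAppData%\Temp, a copy of that binary dropped into the user's Startup folder, and "netsh firewall add allowedprogram" for the same path, with the config key reused as both the Run value name and the Startup file name. The event records are constructed in a Sysmon-like shape (EventID 1 process create, 11 file create, 13 registry set); the field names are an assumption for the example, not a schema reference, and the benign updater event is invented noise.

```python
import re
from collections import defaultdict

RUN_RE   = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.I)
START_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\([^\\]+)$", re.I)
TEMP_RE  = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
NETSH_RE = re.compile(r'netsh\s+firewall\s+add\s+allowedprogram\s+(?:"([^"]+)"|(\S+))', re.I)


def image_from_run_data(data):
    """'"C:\\x\\y.exe" ..' -> 'C:\\x\\y.exe'; unquoted data -> its first token."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""


def correlate(events):
    """Group persistence indicators by the executable path they point at (lower-cased)."""
    by_path = defaultdict(lambda: {"run_values": [], "startup_files": [],
                                   "firewall_allow": False, "pids": set()})
    for ev in events:
        eid = ev["EventID"]
        if eid == 13 and (m := RUN_RE.search(ev["TargetObject"])):
            rec = by_path[image_from_run_data(ev["Details"]).lower()]
            rec["run_values"].append((ev["TargetObject"], m.group(1)))
            rec["pids"].add(ev["ProcessId"])
        elif eid == 11 and (m := START_RE.search(ev["TargetFilename"])):
            rec = by_path[ev["Image"].lower()]      # attribute the drop to the writer
            rec["startup_files"].append(m.group(1))
            rec["pids"].add(ev["ProcessId"])
        elif eid == 1 and (m := NETSH_RE.search(ev["CommandLine"])):
            by_path[(m.group(1) or m.group(2)).lower()]["firewall_allow"] = True
    return by_path


def findings(events):
    """Alert when at least three indicators line up on one executable path."""
    alerts = []
    for path, rec in correlate(events).items():
        reasons = []
        if TEMP_RE.search(path):
            reasons.append("binary runs from %LocalAppData%\\Temp")
        if rec["run_values"]:
            reasons.append("Run value(s): " + ", ".join(n for _, n in rec["run_values"]))
        if rec["startup_files"]:
            reasons.append("Startup folder drop: " + ", ".join(rec["startup_files"]))
        if rec["firewall_allow"]:
            reasons.append("netsh firewall allowedprogram added for this path")
        names = {n.lower() for _, n in rec["run_values"]}
        stems = {f.lower().rsplit(".", 1)[0] for f in rec["startup_files"]}
        if names & stems:   # trait seen in this report: one key names both artefacts
            reasons.append("Run value name reused as Startup file name (njRAT-style key)")
        if len(reasons) >= 3:
            alerts.append({"image": path, "score": len(reasons), "reasons": reasons})
    return sorted(alerts, key=lambda a: -a["score"])


SERVER = r"C:\Users\Admin\AppData\Local\Temp\server.exe"
KEY = "b41e5fad6d579c73dd0db63f0e3ad82b"
EVENTS = [   # constructed from the IoCs in this report, plus one benign updater
    {"EventID": 1, "ProcessId": 4700, "Image": SERVER, "ParentImage": r"C:\ProgramData\build.exe",
     "CommandLine": f'"{SERVER}"'},
    {"EventID": 13, "ProcessId": 4700, "Image": SERVER, "Details": f'"{SERVER}" ..',
     "TargetObject": r"HKU\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\\" + KEY},
    {"EventID": 13, "ProcessId": 4700, "Image": SERVER, "Details": f'"{SERVER}" ..',
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\" + KEY},
    {"EventID": 11, "ProcessId": 4700, "Image": SERVER,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\" + KEY + ".exe"},
    {"EventID": 1, "ProcessId": 4744, "Image": r"C:\Windows\SysWOW64\netsh.exe", "ParentImage": SERVER,
     "CommandLine": f'netsh firewall add allowedprogram "{SERVER}" "server.exe" ENABLE'},
    {"EventID": 13, "ProcessId": 812, "Image": r"C:\Program Files\Vendor\Updater.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r'"C:\Program Files\Vendor\Updater.exe" /background'},
]

if __name__ == "__main__":
    for a in findings(EVENTS):
        print(a["score"], a["image"], *a["reasons"], sep="\n  ")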
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\build.exe
  MD5: 4c9d855213d729707cc9f75f13a3e1c5
  SHA1: 53d41cec3e3bebc16eb5056acf378e6003dcd36c
  SHA256: 9fb26b18ad7036bf29f1537d0153e0b2981efc0ed3dc7c92114bb8fdf27a296b
  SHA512: 8c3bd1df65fe5fd9127a8ccc298ca28d46de3625e378c536635ef9cb74a5012d5de6b2bf175a8a7624ad694326ba4b60a4e160e7bf4e3f792a3aa400fb7b0617

C:\Users\Admin\AppData\Local\Temp\server.exe
  MD5: 4c9d855213d729707cc9f75f13a3e1c5
  SHA1: 53d41cec3e3bebc16eb5056acf378e6003dcd36c
  SHA256: 9fb26b18ad7036bf29f1537d0153e0b2981efc0ed3dc7c92114bb8fdf27a296b
  SHA512: 8c3bd1df65fe5fd9127a8ccc298ca28d46de3625e378c536635ef9cb74a5012d5de6b2bf175a8a7624ad694326ba4b60a4e160e7bf4e3f792a3aa400fb7b0617

The two dropped files have identical hashes: server.exe is a byte-for-byte copy of build.exe, the njRAT client, which build.exe places in %LocalAppData%\Temp before the persistence entries above are written against that path. The 99KB submitted sample (MD5 ce82a80553aa90fc39dc9938a1a38785) is a different file, the dropper that writes build.exe to C:\ProgramData. Hashes for the client should therefore be blocked by value, not by file name or location.
memory/4564-115-0x00000000009E0000-0x00000000009E1000-memory.dmp  Filesize: 4KB
memory/4624-117-0x0000000000000000-mapping.dmp
memory/4624-120-0x0000000000CB0000-0x0000000000CB1000-memory.dmp  Filesize: 4KB
memory/4700-121-0x0000000000000000-mapping.dmp
memory/4700-124-0x0000000002D90000-0x0000000002D91000-memory.dmp  Filesize: 4KB
memory/4744-125-0x0000000000000000-mapping.dmp