Analysis
- max time kernel: 150s
- max time network: 146s
- platform: windows7_x64
- resource: win7-en
- submitted: 13-09-2021 07:08
Static task: static1
Behavioral task: behavioral1
- Sample: 85c9f16abba34e9fd9b0414251f015c8a8b70427944d7b37e09995cf3f0ac7aa.exe
- Resource: win7-en
Behavioral task: behavioral2
- Sample: 85c9f16abba34e9fd9b0414251f015c8a8b70427944d7b37e09995cf3f0ac7aa.exe
- Resource: win10-en
General
- Target: 85c9f16abba34e9fd9b0414251f015c8a8b70427944d7b37e09995cf3f0ac7aa.exe
- Size: 863KB
- MD5: 301b9f7de5b10a8030c47e1121088667
- SHA1: b21a782922b49d3b1be7abb205b1037e613fa13f
- SHA256: 85c9f16abba34e9fd9b0414251f015c8a8b70427944d7b37e09995cf3f0ac7aa
- SHA512: 878381ce19b2ddb01ce96e90017c902a6d87283376354e862bf6c1a1772e182f6e7c5b7fc839ddc150cc3e79062aeaff584c880d4cfb6f6bdd9b3d810b14c509
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: 10.10.10.10:5552
- Mutex: 0dc24807523d3cd24b54cd0996e4c49b
- reg_key: 0dc24807523d3cd24b54cd0996e4c49b
- splitter: |'|'|
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    1700  6356.exe
    588   server.exe
- Modifies Windows Firewall (1 TTPs)
- Loads dropped DLL (4 IoCs)
  Processes (pid, process):
    624   85c9f16abba34e9fd9b0414251f015c8a8b70427944d7b37e09995cf3f0ac7aa.exe
    624   85c9f16abba34e9fd9b0414251f015c8a8b70427944d7b37e09995cf3f0ac7aa.exe
    624   85c9f16abba34e9fd9b0414251f015c8a8b70427944d7b37e09995cf3f0ac7aa.exe
    1700  6356.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run\0dc24807523d3cd24b54cd0996e4c49b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."  server.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\0dc24807523d3cd24b54cd0996e4c49b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."  server.exe
- Checks whether UAC is enabled (signature name taken from the process tree below)
  Processes (description, ioc, process):
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  85c9f16abba34e9fd9b0414251f015c8a8b70427944d7b37e09995cf3f0ac7aa.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Processes (description, pid, process); all 31 entries belong to pid 588 server.exe:
    Token: SeDebugPrivilege  588  server.exe
    Token: 33  588  server.exe
    Token: SeIncBasePriorityPrivilege  588  server.exe
    (the pair Token: 33 / Token: SeIncBasePriorityPrivilege repeats 15 times, 31 entries in total)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 624 wrote to memory of 1700   624   85c9f16abba34e9fd9b0414251f015c8a8b70427944d7b37e09995cf3f0ac7aa.exe  6356.exe    (4 entries)
    PID 1700 wrote to memory of 588   1700  6356.exe    server.exe  (4 entries)
    PID 588 wrote to memory of 1664   588   server.exe  netsh.exe   (4 entries)
- System policy modification (1 TTPs, 3 IoCs)
  Processes (description, ioc, process):
    Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  85c9f16abba34e9fd9b0414251f015c8a8b70427944d7b37e09995cf3f0ac7aa.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  85c9f16abba34e9fd9b0414251f015c8a8b70427944d7b37e09995cf3f0ac7aa.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  85c9f16abba34e9fd9b0414251f015c8a8b70427944d7b37e09995cf3f0ac7aa.exe
Processes (tree; the number is the nesting depth)
1. C:\Users\Admin\AppData\Local\Temp\85c9f16abba34e9fd9b0414251f015c8a8b70427944d7b37e09995cf3f0ac7aa.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\85c9f16abba34e9fd9b0414251f015c8a8b70427944d7b37e09995cf3f0ac7aa.exe"
   - Loads dropped DLL
   - Checks whether UAC is enabled
   - Suspicious use of WriteProcessMemory
   - System policy modification
   2. C:\Users\Admin\AppData\Local\Temp\6356\6356.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\6356\6356.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\server.exe (child of 2)
         Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\netsh.exe (child of 3)
            Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\6356\6356.exe
  MD5: 56ba33bb6dd5515e6594b751e45a0e16
  SHA1: c4d2ca7195931a1f6d4f09024f69d1edf4db5318
  SHA256: cd71b2faffb99cb1e2d06041fdb809211b1b561b08ed443314ee953f2cc70231
  SHA512: 189e9fe0bfd8870424b3442233168b729597803ca524f42a4a6ea389771a0521e1b209042bf31a05bd347530de44c0935c6194d350f422205880b7a636c8755b
- C:\Users\Admin\AppData\Local\Temp\server.exe
  MD5: 56ba33bb6dd5515e6594b751e45a0e16
  SHA1: c4d2ca7195931a1f6d4f09024f69d1edf4db5318
  SHA256: cd71b2faffb99cb1e2d06041fdb809211b1b561b08ed443314ee953f2cc70231
  SHA512: 189e9fe0bfd8870424b3442233168b729597803ca524f42a4a6ea389771a0521e1b209042bf31a05bd347530de44c0935c6194d350f422205880b7a636c8755b
- \Users\Admin\AppData\Local\Temp\6356\6356.exe
  MD5: 56ba33bb6dd5515e6594b751e45a0e16
  SHA1: c4d2ca7195931a1f6d4f09024f69d1edf4db5318
  SHA256: cd71b2faffb99cb1e2d06041fdb809211b1b561b08ed443314ee953f2cc70231
  SHA512: 189e9fe0bfd8870424b3442233168b729597803ca524f42a4a6ea389771a0521e1b209042bf31a05bd347530de44c0935c6194d350f422205880b7a636c8755b
- \Users\Admin\AppData\Local\Temp\server.exe
  MD5: 56ba33bb6dd5515e6594b751e45a0e16
  SHA1: c4d2ca7195931a1f6d4f09024f69d1edf4db5318
  SHA256: cd71b2faffb99cb1e2d06041fdb809211b1b561b08ed443314ee953f2cc70231
  SHA512: 189e9fe0bfd8870424b3442233168b729597803ca524f42a4a6ea389771a0521e1b209042bf31a05bd347530de44c0935c6194d350f422205880b7a636c8755b
- memory/588-63-0x0000000000000000-mapping.dmp
- memory/588-67-0x0000000000D70000-0x0000000000D71000-memory.dmp (Filesize: 4KB)
- memory/624-53-0x00000000756A1000-0x00000000756A3000-memory.dmp (Filesize: 8KB)
- memory/1664-68-0x0000000000000000-mapping.dmp
- memory/1700-61-0x0000000000130000-0x0000000000131000-memory.dmp (Filesize: 4KB)
- memory/1700-57-0x0000000000000000-mapping.dmp