Analysis
- max time kernel: 155s
- max time network: 136s
- platform: windows10_x64
- resource: win10-en
- submitted: 14-09-2021 06:40
Static task: static1
Behavioral task: behavioral1
- Sample: 977565988377bf3f44444095ecb38c87432ce4bae2059da4aa75124ef1c3de15.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 977565988377bf3f44444095ecb38c87432ce4bae2059da4aa75124ef1c3de15.exe
- Resource: win10-en
General
- Target: 977565988377bf3f44444095ecb38c87432ce4bae2059da4aa75124ef1c3de15.exe
- Size: 1.4MB
- MD5: 7692667d5a258ba4cdb84473fb50efdc
- SHA1: 3102de64a4476befc1684c4595f24ec707472662
- SHA256: 977565988377bf3f44444095ecb38c87432ce4bae2059da4aa75124ef1c3de15
- SHA512: 1b365067b03c94bacf8f22b5cc32e7a6b85b6359a215f197e6c4747e956ce409de94a5bc8c543af76e98983516a07d111c35ac66f99f85b3e0b7d6858b2052fb
Malware Config
Extracted
- Family: njrat
- Version: 0.6.4
- Test1
- 127.0.0.1:1177
- 6bc405af81ea48ffdc111c35dcd0d4b4
- reg_key: 6bc405af81ea48ffdc111c35dcd0d4b4
- splitter: |'|'|
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    pid 3748  TempServer.exe
    pid 3900  nimer.exe
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Process: nimer.exe
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6bc405af81ea48ffdc111c35dcd0d4b4.exe
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6bc405af81ea48ffdc111c35dcd0d4b4.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: nimer.exe
    Set value (str): \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\6bc405af81ea48ffdc111c35dcd0d4b4 = "\"C:\\ProgramData\\nimer.exe\" .."
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6bc405af81ea48ffdc111c35dcd0d4b4 = "\"C:\\ProgramData\\nimer.exe\" .."
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (48 IoCs)
  Process: nimer.exe (pid 3900), 48 occurrences
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: nimer.exe (pid 3900), Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (9 IoCs)
  Source process -> target process:
    PID 3636 977565988377bf3f44444095ecb38c87432ce4bae2059da4aa75124ef1c3de15.exe wrote to memory of PID 3748 TempServer.exe (3 times)
    PID 3748 TempServer.exe wrote to memory of PID 3900 nimer.exe (3 times)
    PID 3900 nimer.exe wrote to memory of PID 3632 netsh.exe (3 times)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\977565988377bf3f44444095ecb38c87432ce4bae2059da4aa75124ef1c3de15.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\977565988377bf3f44444095ecb38c87432ce4bae2059da4aa75124ef1c3de15.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\TempServer.exe
    Command line: C:\Users\Admin\AppData\Local\TempServer.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - [3] C:\ProgramData\nimer.exe
      Command line: "C:\ProgramData\nimer.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\ProgramData\nimer.exe" "nimer.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\nimer.exe
  MD5: 7cbdea2979d0fe2d19b60004bff7007a
  SHA1: a1448e8d430d1f4a85e537cabb12adcbaf285020
  SHA256: 24425c3e4f7eb4fbfdad529e3e07939e3175a2b7f12c8ea10cb4691c687f03d0
  SHA512: e2b4b3c22db5f362603bd0e59996e05f33d4f063c48b4cfb06ec05cfcf4034df3e0b4536075b8eb03adce454215850d89cad0b3a9d0e9c0472d9180e90f6e3c5
- C:\Users\Admin\AppData\Local\TempServer.exe (same hashes as C:\ProgramData\nimer.exe)
  MD5: 7cbdea2979d0fe2d19b60004bff7007a
  SHA1: a1448e8d430d1f4a85e537cabb12adcbaf285020
  SHA256: 24425c3e4f7eb4fbfdad529e3e07939e3175a2b7f12c8ea10cb4691c687f03d0
  SHA512: e2b4b3c22db5f362603bd0e59996e05f33d4f063c48b4cfb06ec05cfcf4034df3e0b4536075b8eb03adce454215850d89cad0b3a9d0e9c0472d9180e90f6e3c5
- memory/3632-122-0x0000000000000000-mapping.dmp
- memory/3748-115-0x0000000000000000-mapping.dmp
- memory/3748-118-0x0000000002440000-0x0000000002441000-memory.dmp (Filesize: 4KB)
- memory/3900-119-0x0000000000000000-mapping.dmp
- memory/3900-123-0x0000000002E20000-0x0000000002E21000-memory.dmp (Filesize: 4KB)
- memory/3900-124-0x0000000002E23000-0x0000000002E25000-memory.dmp (Filesize: 8KB)