Analysis
- max time kernel: 151s
- max time network: 177s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 21-09-2021 09:06
Static task: static1
Behavioral task: behavioral1
- Sample: e921d5f11cbdb49edbc84df43345e162f6c949e717afee3404ca5605c550c69d.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: e921d5f11cbdb49edbc84df43345e162f6c949e717afee3404ca5605c550c69d.exe
- Resource: win10-en-20210920
General
- Target: e921d5f11cbdb49edbc84df43345e162f6c949e717afee3404ca5605c550c69d.exe
- Size: 863KB
- MD5: 61cc86c500d27fb8ee7cdcbf3f51654e
- SHA1: da823449b046aabc24d82519619235e4800dfd22
- SHA256: e921d5f11cbdb49edbc84df43345e162f6c949e717afee3404ca5605c550c69d
- SHA512: 2a5d6ea3516c248a4f87ceb877417320e0324f80c8177d944f64f999724d9a4af334b5bc581bf00e4f1b49d30dab4f8bb516514eb4be6d673b5c30e35e4e5384
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: 10.10.10.10:4444
- Mutex: 68746e5f270d3b8fbd6f47be0fcb6282
- Attributes:
  - reg_key: 68746e5f270d3b8fbd6f47be0fcb6282
  - splitter: |'|'|
Signatures
Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  2020  770.exe
  1368  server.exe

Modifies Windows Firewall (1 TTPs)

Loads dropped DLL (4 IoCs)
Processes:
  pid   process
  1920  e921d5f11cbdb49edbc84df43345e162f6c949e717afee3404ca5605c550c69d.exe
  1920  e921d5f11cbdb49edbc84df43345e162f6c949e717afee3404ca5605c550c69d.exe
  1920  e921d5f11cbdb49edbc84df43345e162f6c949e717afee3404ca5605c550c69d.exe
  2020  770.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description / ioc / process):
- Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\68746e5f270d3b8fbd6f47be0fcb6282 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." (process: server.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\68746e5f270d3b8fbd6f47be0fcb6282 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." (process: server.exe)
Checks whether UAC is enabled (signature name as listed for this process in the process tree below)
Processes (description / ioc / process):
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: e921d5f11cbdb49edbc84df43345e162f6c949e717afee3404ca5605c550c69d.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (33 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege (pid 1368, server.exe)
- Token: 33 (pid 1368, server.exe)
- Token: SeIncBasePriorityPrivilege (pid 1368, server.exe)
  The last two entries (Token: 33 followed by Token: SeIncBasePriorityPrivilege) are recorded 16 times in succession, all for pid 1368 server.exe, giving 33 entries in total.
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description / pid / process / target process):
- PID 1920 wrote to memory of 2020: e921d5f11cbdb49edbc84df43345e162f6c949e717afee3404ca5605c550c69d.exe -> 770.exe (recorded 4 times)
- PID 2020 wrote to memory of 1368: 770.exe -> server.exe (recorded 4 times)
- PID 1368 wrote to memory of 1580: server.exe -> netsh.exe (recorded 4 times)
System policy modification (1 TTPs, 3 IoCs)
Processes (description / ioc / process):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (process: e921d5f11cbdb49edbc84df43345e162f6c949e717afee3404ca5605c550c69d.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (process: e921d5f11cbdb49edbc84df43345e162f6c949e717afee3404ca5605c550c69d.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: e921d5f11cbdb49edbc84df43345e162f6c949e717afee3404ca5605c550c69d.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\e921d5f11cbdb49edbc84df43345e162f6c949e717afee3404ca5605c550c69d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e921d5f11cbdb49edbc84df43345e162f6c949e717afee3404ca5605c550c69d.exe"
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory
  - System policy modification
  C:\Users\Admin\AppData\Local\Temp\770\770.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\770\770.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\server.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\770\770.exe
  MD5: 4506244e1fd59105f141974d41d51b9a
  SHA1: 8c94b021ccda8cf5145e027488d9efdc6a8dd769
  SHA256: 01abc93f3bbc098b1b6444842c2fcd20dde15f3cd7b20d84704d081641d88556
  SHA512: c945e243272d2ba7e1bae44c6fb105d33519e7813079d8e982fbec46ba9373f964711e3dcb5665d87cb3ac9523e22edf2b668efd8e14bee91d501d63aa97fe50
- C:\Users\Admin\AppData\Local\Temp\server.exe
  MD5: 4506244e1fd59105f141974d41d51b9a
  SHA1: 8c94b021ccda8cf5145e027488d9efdc6a8dd769
  SHA256: 01abc93f3bbc098b1b6444842c2fcd20dde15f3cd7b20d84704d081641d88556
  SHA512: c945e243272d2ba7e1bae44c6fb105d33519e7813079d8e982fbec46ba9373f964711e3dcb5665d87cb3ac9523e22edf2b668efd8e14bee91d501d63aa97fe50
- \Users\Admin\AppData\Local\Temp\770\770.exe
  MD5: 4506244e1fd59105f141974d41d51b9a
  SHA1: 8c94b021ccda8cf5145e027488d9efdc6a8dd769
  SHA256: 01abc93f3bbc098b1b6444842c2fcd20dde15f3cd7b20d84704d081641d88556
  SHA512: c945e243272d2ba7e1bae44c6fb105d33519e7813079d8e982fbec46ba9373f964711e3dcb5665d87cb3ac9523e22edf2b668efd8e14bee91d501d63aa97fe50
- \Users\Admin\AppData\Local\Temp\server.exe
  MD5: 4506244e1fd59105f141974d41d51b9a
  SHA1: 8c94b021ccda8cf5145e027488d9efdc6a8dd769
  SHA256: 01abc93f3bbc098b1b6444842c2fcd20dde15f3cd7b20d84704d081641d88556
  SHA512: c945e243272d2ba7e1bae44c6fb105d33519e7813079d8e982fbec46ba9373f964711e3dcb5665d87cb3ac9523e22edf2b668efd8e14bee91d501d63aa97fe50
- memory/1368-70-0x0000000000000000-mapping.dmp
- memory/1368-74-0x00000000009D0000-0x00000000009D1000-memory.dmp (Filesize: 4KB)
- memory/1580-75-0x0000000000000000-mapping.dmp
- memory/1920-60-0x0000000076691000-0x0000000076693000-memory.dmp (Filesize: 8KB)
- memory/2020-64-0x0000000000000000-mapping.dmp
- memory/2020-68-0x00000000021A0000-0x00000000021A1000-memory.dmp (Filesize: 4KB)