Analysis
- max time kernel: 149s
- max time network: 130s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 21-09-2021 09:07
Static task: static1
Behavioral task: behavioral1
- Sample: 05df8d39bcf7d65dbedad8a9c01f2b225058a3933373cfee185831791f21de9a.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: 05df8d39bcf7d65dbedad8a9c01f2b225058a3933373cfee185831791f21de9a.exe
- Resource: win10v20210408
General
- Target: 05df8d39bcf7d65dbedad8a9c01f2b225058a3933373cfee185831791f21de9a.exe
- Size: 863KB
- MD5: f5df22a0a21deb1bae571555826e9076
- SHA1: f5621b1ee4d1466c06a2a137d46015107aa2855a
- SHA256: 05df8d39bcf7d65dbedad8a9c01f2b225058a3933373cfee185831791f21de9a
- SHA512: 800d0d564ed89944f6cee9c3bb3cbee991b12db644f55ed95afc42faa1f58dba208d66187392a50f53b6380ca6c2f1e1fa509d510caccecad842851b5779ef3e
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- HacKed
- C2: 10.10.10.10:5552
- 0dc24807523d3cd24b54cd0996e4c49b
- reg_key: 0dc24807523d3cd24b54cd0996e4c49b
- splitter: |'|'|
Signatures
- Executes dropped EXE 2 IoCs
  Processes: 2462.exe, server.exe
  pid / process:
  - 1416 2462.exe
  - 304 server.exe
- Modifies Windows Firewall 1 TTPs
- Loads dropped DLL 4 IoCs
  Processes: 05df8d39bcf7d65dbedad8a9c01f2b225058a3933373cfee185831791f21de9a.exe, 2462.exe
  pid / process:
  - 1132 05df8d39bcf7d65dbedad8a9c01f2b225058a3933373cfee185831791f21de9a.exe (3 entries)
  - 1416 2462.exe
- Adds Run key to start application 2 TTPs 2 IoCs
  Processes: server.exe
  description / ioc / process:
  - Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\0dc24807523d3cd24b54cd0996e4c49b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\0dc24807523d3cd24b54cd0996e4c49b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe
- Checks whether UAC is enabled
  Processes: 05df8d39bcf7d65dbedad8a9c01f2b225058a3933373cfee185831791f21de9a.exe
  description / ioc / process:
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 05df8d39bcf7d65dbedad8a9c01f2b225058a3933373cfee185831791f21de9a.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken 33 IoCs
  Processes: server.exe
  description / pid / process:
  - Token: SeDebugPrivilege 304 server.exe
  - Token: 33 304 server.exe (16 entries)
  - Token: SeIncBasePriorityPrivilege 304 server.exe (16 entries)
- Suspicious use of WriteProcessMemory 12 IoCs
  Processes: 05df8d39bcf7d65dbedad8a9c01f2b225058a3933373cfee185831791f21de9a.exe, 2462.exe, server.exe
  description / pid / process / target process:
  - PID 1132 wrote to memory of 1416: 05df8d39bcf7d65dbedad8a9c01f2b225058a3933373cfee185831791f21de9a.exe -> 2462.exe (4 entries)
  - PID 1416 wrote to memory of 304: 2462.exe -> server.exe (4 entries)
  - PID 304 wrote to memory of 552: server.exe -> netsh.exe (4 entries)
- System policy modification 1 TTPs 3 IoCs
  Processes: 05df8d39bcf7d65dbedad8a9c01f2b225058a3933373cfee185831791f21de9a.exe
  description / ioc / process:
  - Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 05df8d39bcf7d65dbedad8a9c01f2b225058a3933373cfee185831791f21de9a.exe
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 05df8d39bcf7d65dbedad8a9c01f2b225058a3933373cfee185831791f21de9a.exe
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 05df8d39bcf7d65dbedad8a9c01f2b225058a3933373cfee185831791f21de9a.exe
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\05df8d39bcf7d65dbedad8a9c01f2b225058a3933373cfee185831791f21de9a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\05df8d39bcf7d65dbedad8a9c01f2b225058a3933373cfee185831791f21de9a.exe"
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - Depth 2: C:\Users\Admin\AppData\Local\Temp\2462\2462.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2462\2462.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - Depth 3: C:\Users\Admin\AppData\Local\Temp\server.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - Depth 4: C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\2462\2462.exe
  MD5 22075825a0c6b41333bfb33cc92a6bb1
  SHA1 885b89442e1a9c351e55387274bcda2239250283
  SHA256 e8eb5754f51a3d09d0e6e7dc8ab6ac49ddaabb8da0edbe91ce08b332fae0cd7f
  SHA512 8d6d521005d387bb8142a7db6d5e24ac05ab95af0a67eb7d79095dc08dc0a698b70689634a4fa3b1552e160428e0f51d430c577eaceb8b5d8a1507632d4735a6
- C:\Users\Admin\AppData\Local\Temp\server.exe
  MD5 22075825a0c6b41333bfb33cc92a6bb1
  SHA1 885b89442e1a9c351e55387274bcda2239250283
  SHA256 e8eb5754f51a3d09d0e6e7dc8ab6ac49ddaabb8da0edbe91ce08b332fae0cd7f
  SHA512 8d6d521005d387bb8142a7db6d5e24ac05ab95af0a67eb7d79095dc08dc0a698b70689634a4fa3b1552e160428e0f51d430c577eaceb8b5d8a1507632d4735a6
- \Users\Admin\AppData\Local\Temp\2462\2462.exe
  MD5 22075825a0c6b41333bfb33cc92a6bb1
  SHA1 885b89442e1a9c351e55387274bcda2239250283
  SHA256 e8eb5754f51a3d09d0e6e7dc8ab6ac49ddaabb8da0edbe91ce08b332fae0cd7f
  SHA512 8d6d521005d387bb8142a7db6d5e24ac05ab95af0a67eb7d79095dc08dc0a698b70689634a4fa3b1552e160428e0f51d430c577eaceb8b5d8a1507632d4735a6
- \Users\Admin\AppData\Local\Temp\server.exe
  MD5 22075825a0c6b41333bfb33cc92a6bb1
  SHA1 885b89442e1a9c351e55387274bcda2239250283
  SHA256 e8eb5754f51a3d09d0e6e7dc8ab6ac49ddaabb8da0edbe91ce08b332fae0cd7f
  SHA512 8d6d521005d387bb8142a7db6d5e24ac05ab95af0a67eb7d79095dc08dc0a698b70689634a4fa3b1552e160428e0f51d430c577eaceb8b5d8a1507632d4735a6
- memory/304-63-0x0000000000000000-mapping.dmp
- memory/304-67-0x00000000008F0000-0x00000000008F1000-memory.dmp (Filesize 4KB)
- memory/552-68-0x0000000000000000-mapping.dmp
- memory/1132-53-0x0000000075951000-0x0000000075953000-memory.dmp (Filesize 8KB)
- memory/1416-61-0x0000000000170000-0x0000000000171000-memory.dmp (Filesize 4KB)
- memory/1416-57-0x0000000000000000-mapping.dmp