Analysis
- max time kernel: 159s
- max time network: 158s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 21-09-2021 08:38
Static task: static1
Behavioral task: behavioral1
- Sample: e921d5f11cbdb49edbc84df43345e162f6c949e717afee3404ca5605c550c69d.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: e921d5f11cbdb49edbc84df43345e162f6c949e717afee3404ca5605c550c69d.exe
- Resource: win10v20210408
General
- Target: e921d5f11cbdb49edbc84df43345e162f6c949e717afee3404ca5605c550c69d.exe
- Size: 863KB
- MD5: 61cc86c500d27fb8ee7cdcbf3f51654e
- SHA1: da823449b046aabc24d82519619235e4800dfd22
- SHA256: e921d5f11cbdb49edbc84df43345e162f6c949e717afee3404ca5605c550c69d
- SHA512: 2a5d6ea3516c248a4f87ceb877417320e0324f80c8177d944f64f999724d9a4af334b5bc581bf00e4f1b49d30dab4f8bb516514eb4be6d673b5c30e35e4e5384
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: 10.10.10.10:4444
- Mutex: 68746e5f270d3b8fbd6f47be0fcb6282
- reg_key: 68746e5f270d3b8fbd6f47be0fcb6282
- splitter: |'|'|
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
  pid 844: 770.exe
  pid 1296: server.exe
- Modifies Windows Firewall (1 TTPs)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (server.exe):
  Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\68746e5f270d3b8fbd6f47be0fcb6282 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\68746e5f270d3b8fbd6f47be0fcb6282 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
- Checks whether UAC is enabled
  Processes (e921d5f11cbdb49edbc84df43345e162f6c949e717afee3404ca5605c550c69d.exe):
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes (server.exe, pid 1296):
  Token: SeDebugPrivilege
  Token: 33, then Token: SeIncBasePriorityPrivilege (this pair is repeated 16 times)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  PID 568 (e921d5f11cbdb49edbc84df43345e162f6c949e717afee3404ca5605c550c69d.exe) wrote to memory of 844 (770.exe), 3 times
  PID 844 (770.exe) wrote to memory of 1296 (server.exe), 3 times
  PID 1296 (server.exe) wrote to memory of 1604 (netsh.exe), 3 times
- System policy modification (1 TTPs, 3 IoCs)
  Processes (e921d5f11cbdb49edbc84df43345e162f6c949e717afee3404ca5605c550c69d.exe):
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
1. C:\Users\Admin\AppData\Local\Temp\e921d5f11cbdb49edbc84df43345e162f6c949e717afee3404ca5605c550c69d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e921d5f11cbdb49edbc84df43345e162f6c949e717afee3404ca5605c550c69d.exe"
   - Checks whether UAC is enabled
   - Suspicious use of WriteProcessMemory
   - System policy modification
   2. C:\Users\Admin\AppData\Local\Temp\770\770.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\770\770.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\server.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\netsh.exe
            Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\770\770.exe
  MD5: 4506244e1fd59105f141974d41d51b9a
  SHA1: 8c94b021ccda8cf5145e027488d9efdc6a8dd769
  SHA256: 01abc93f3bbc098b1b6444842c2fcd20dde15f3cd7b20d84704d081641d88556
  SHA512: c945e243272d2ba7e1bae44c6fb105d33519e7813079d8e982fbec46ba9373f964711e3dcb5665d87cb3ac9523e22edf2b668efd8e14bee91d501d63aa97fe50
- C:\Users\Admin\AppData\Local\Temp\server.exe
  MD5: 4506244e1fd59105f141974d41d51b9a
  SHA1: 8c94b021ccda8cf5145e027488d9efdc6a8dd769
  SHA256: 01abc93f3bbc098b1b6444842c2fcd20dde15f3cd7b20d84704d081641d88556
  SHA512: c945e243272d2ba7e1bae44c6fb105d33519e7813079d8e982fbec46ba9373f964711e3dcb5665d87cb3ac9523e22edf2b668efd8e14bee91d501d63aa97fe50
- memory/844-114-0x0000000000000000-mapping.dmp
- memory/844-117-0x0000000000B90000-0x0000000000B91000-memory.dmp
  Filesize: 4KB
- memory/1296-118-0x0000000000000000-mapping.dmp
- memory/1296-121-0x0000000000CC0000-0x0000000000CC1000-memory.dmp
  Filesize: 4KB
- memory/1604-122-0x0000000000000000-mapping.dmp