Analysis
- max time kernel: 151s
- max time network: 149s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 29-09-2021 08:13
Behavioral task: behavioral1
- Sample: 48c3a3ada659fff5dd6571878fa4e5aa4d0e0caf683c9d48e44f75c027835781.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 48c3a3ada659fff5dd6571878fa4e5aa4d0e0caf683c9d48e44f75c027835781.exe
- Resource: win10v20210408
General
- Target: 48c3a3ada659fff5dd6571878fa4e5aa4d0e0caf683c9d48e44f75c027835781.exe
- Size: 23KB
- MD5: 72c391745df454a943727593554897dd
- SHA1: da75bba892bb982e62246e2e13135a69b8010440
- SHA256: 48c3a3ada659fff5dd6571878fa4e5aa4d0e0caf683c9d48e44f75c027835781
- SHA512: 2185660926d742b24412cd71f4040c0044f803d199d6fa9fcf9805af65de00dab4f29555a2cd4e9b54d14cd12bb00bf415d894bb0739a4ddc050068acfb51af7
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: 10.10.10.10:5552
- Mutex: 0dc24807523d3cd24b54cd0996e4c49b
- reg_key: 0dc24807523d3cd24b54cd0996e4c49b
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes: server.exe (pid 2880)
- Modifies Windows Firewall (1 TTP)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: server.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\0dc24807523d3cd24b54cd0996e4c49b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." (server.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0dc24807523d3cd24b54cd0996e4c49b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." (server.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Processes: server.exe (pid 2880)
  Token: SeDebugPrivilege (pid 2880, server.exe) x1
  Token: 33 (pid 2880, server.exe) x15
  Token: SeIncBasePriorityPrivilege (pid 2880, server.exe) x15
  (the report lists the last two tokens alternately, 15 times each)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 48c3a3ada659fff5dd6571878fa4e5aa4d0e0caf683c9d48e44f75c027835781.exe, server.exe
  PID 568 wrote to memory of 2880: 48c3a3ada659fff5dd6571878fa4e5aa4d0e0caf683c9d48e44f75c027835781.exe -> server.exe (x3)
  PID 2880 wrote to memory of 1044: server.exe -> netsh.exe (x3)
Processes
1. C:\Users\Admin\AppData\Local\Temp\48c3a3ada659fff5dd6571878fa4e5aa4d0e0caf683c9d48e44f75c027835781.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\48c3a3ada659fff5dd6571878fa4e5aa4d0e0caf683c9d48e44f75c027835781.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\server.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\server.exe
  MD5: 72c391745df454a943727593554897dd
  SHA1: da75bba892bb982e62246e2e13135a69b8010440
  SHA256: 48c3a3ada659fff5dd6571878fa4e5aa4d0e0caf683c9d48e44f75c027835781
  SHA512: 2185660926d742b24412cd71f4040c0044f803d199d6fa9fcf9805af65de00dab4f29555a2cd4e9b54d14cd12bb00bf415d894bb0739a4ddc050068acfb51af7
- memory/568-114-0x0000000002680000-0x0000000002681000-memory.dmp (Filesize: 4KB)
- memory/1044-119-0x0000000000000000-mapping.dmp
- memory/2880-115-0x0000000000000000-mapping.dmp
- memory/2880-118-0x0000000002F30000-0x0000000002F31000-memory.dmp (Filesize: 4KB)