Analysis
max time kernel: 150s
max time network: 129s
platform: windows7_x64
resource: win7-en-20210920
submitted: 29-09-2021 09:04
Behavioral task: behavioral1
Sample: 48c3a3ada659fff5dd6571878fa4e5aa4d0e0caf683c9d48e44f75c027835781.exe
Resource: win7-en-20210920
Behavioral task: behavioral2
Sample: 48c3a3ada659fff5dd6571878fa4e5aa4d0e0caf683c9d48e44f75c027835781.exe
Resource: win10v20210408
General
Target: 48c3a3ada659fff5dd6571878fa4e5aa4d0e0caf683c9d48e44f75c027835781.exe
Size: 23KB
MD5: 72c391745df454a943727593554897dd
SHA1: da75bba892bb982e62246e2e13135a69b8010440
SHA256: 48c3a3ada659fff5dd6571878fa4e5aa4d0e0caf683c9d48e44f75c027835781
SHA512: 2185660926d742b24412cd71f4040c0044f803d199d6fa9fcf9805af65de00dab4f29555a2cd4e9b54d14cd12bb00bf415d894bb0739a4ddc050068acfb51af7
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: HacKed
C2: 10.10.10.10:5552
Mutex: 0dc24807523d3cd24b54cd0996e4c49b
Attributes:
reg_key: 0dc24807523d3cd24b54cd0996e4c49b
splitter: |'|'|
Signatures
Executes dropped EXE (1 IoC)
Processes (pid / process):
1712  server.exe
Modifies Windows Firewall (1 TTP)
Loads dropped DLL (1 IoC)
Processes (pid / process):
1116  48c3a3ada659fff5dd6571878fa4e5aa4d0e0caf683c9d48e44f75c027835781.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description / ioc / process):
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\0dc24807523d3cd24b54cd0996e4c49b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."  server.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\0dc24807523d3cd24b54cd0996e4c49b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."  server.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes (description / pid / process):
Token: SeDebugPrivilege  1712  server.exe
Token: 33  1712  server.exe  (17 identical entries)
Token: SeIncBasePriorityPrivilege  1712  server.exe  (17 identical entries)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description / pid / process / target process):
PID 1116 wrote to memory of 1712  1116  48c3a3ada659fff5dd6571878fa4e5aa4d0e0caf683c9d48e44f75c027835781.exe  server.exe  (4 identical entries)
PID 1712 wrote to memory of 952  1712  server.exe  netsh.exe  (4 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\48c3a3ada659fff5dd6571878fa4e5aa4d0e0caf683c9d48e44f75c027835781.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\48c3a3ada659fff5dd6571878fa4e5aa4d0e0caf683c9d48e44f75c027835781.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\server.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\netsh.exe
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\server.exe
MD5: 72c391745df454a943727593554897dd
SHA1: da75bba892bb982e62246e2e13135a69b8010440
SHA256: 48c3a3ada659fff5dd6571878fa4e5aa4d0e0caf683c9d48e44f75c027835781
SHA512: 2185660926d742b24412cd71f4040c0044f803d199d6fa9fcf9805af65de00dab4f29555a2cd4e9b54d14cd12bb00bf415d894bb0739a4ddc050068acfb51af7
\Users\Admin\AppData\Local\Temp\server.exe
MD5: 72c391745df454a943727593554897dd
SHA1: da75bba892bb982e62246e2e13135a69b8010440
SHA256: 48c3a3ada659fff5dd6571878fa4e5aa4d0e0caf683c9d48e44f75c027835781
SHA512: 2185660926d742b24412cd71f4040c0044f803d199d6fa9fcf9805af65de00dab4f29555a2cd4e9b54d14cd12bb00bf415d894bb0739a4ddc050068acfb51af7
memory/952-62-0x0000000000000000-mapping.dmp
memory/1116-54-0x0000000075BF1000-0x0000000075BF3000-memory.dmp  Filesize: 8KB
memory/1116-55-0x0000000002100000-0x0000000002101000-memory.dmp  Filesize: 4KB
memory/1712-57-0x0000000000000000-mapping.dmp
memory/1712-61-0x0000000001ED0000-0x0000000001ED1000-memory.dmp  Filesize: 4KB