Analysis

max time kernel: 151s
max time network: 23s
platform: windows7_x64
resource: win7-en-20210920
submitted: 30-09-2021 12:35
Static task: static1

Behavioral task: behavioral1
  Sample: 3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe
  Resource: win7-en-20210920

Behavioral task: behavioral2
  Sample: 3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe
  Resource: win10v20210408

(The signatures, process tree and dumps below are from the Windows 7 x64 run, behavioral1.)
General

Target: 3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe
Size: 136KB
MD5: 359a08045b66fe5f71fde43f9a6db01b
SHA1: 4580e9f5becff35c4c4e773931d18f2df166d9fc
SHA256: 3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67
SHA512: 81b120f81da9b442cb008093b54893d44dad911caffc1008c7de792e1420e1bedc15deb616f745e807410f47db3c049a316a77ffe42bef6959359f39af841683
Malware Config

Extracted
Family: njrat
Version: 0.7d
Botnet (campaign ID): HacKed
C2: 127.0.0.1:5552
Mutex: 279f6960ed84a752570aca7fb2dc1552
reg_key: 279f6960ed84a752570aca7fb2dc1552
splitter: |'|'|

Notes on the config: the mutex and reg_key are the same 32-hex identifier, which is also the Run value name written later in the report, so a single string ties the mutex, the persistence entry and the victim ID together. The C2 is the loopback address, so as configured this build can only reach an operator process on the infected host itself; that is consistent with the Network section of this page being empty.
Signatures

Executes dropped EXE (3 IoCs)
  PID 544  server.exe
  PID 576  server.exe
  PID 472  server.exe

Modifies Windows Firewall (1 TTP)
  See the netsh.exe command line in the process tree: the dropped server.exe is added as a firewall allowed program.

Loads dropped DLL (4 IoCs)
  PID 804  3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe (2 events)
  PID 544  server.exe (2 events)

Adds Run key to start application (2 TTPs, 2 IoCs)
  server.exe  Set value (str)
    \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\279f6960ed84a752570aca7fb2dc1552
    value data (unescaped): "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
  server.exe  Set value (str)
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\279f6960ed84a752570aca7fb2dc1552
    value data (unescaped): "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
  The value name is the reg_key/mutex from the extracted config; the data is the quoted path of the dropped self-copy followed by the " .." argument njRAT uses for its autorun entry. The same entry is written under HKCU and under the 32-bit (Wow6432Node) view of HKLM, so both hives need to be checked when cleaning up.

Suspicious use of SetThreadContext (2 IoCs)
  PID 1544 3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe -> PID 804 (same image)
  PID 544  server.exe -> PID 472 server.exe (same image)
  In both cases the target is a child running the same executable that the parent has also written to (see WriteProcessMemory below): the self-hollowing pattern in which the real payload is mapped over a child of the launcher's own image and the thread context is pointed at it.

Enumerates physical storage devices (1 TTP)
  Sandbox description: attempts to interact with connected storage/optical drive(s); the sandbox's generic text calls this likely ransomware behaviour. For an njRAT sample, drive enumeration is the expected behaviour of its file-browser and removable-drive spreading features, and nothing else in this report (no mass file writes, no encryption signature) supports a ransomware reading.

Suspicious use of AdjustPrivilegeToken (33 IoCs)
  All 33 events are on PID 472 server.exe: SeDebugPrivilege once, followed by 16 repetitions of the pair "Token: 33" then SeIncBasePriorityPrivilege. Privilege LUID 33 is SeIncreaseWorkingSetPrivilege; the sandbox reports it by number only.

Suspicious use of WriteProcessMemory (30 IoCs)
  PID 1544 3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe -> PID 804 (same image)   9 events
  PID 804  3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe -> PID 544 server.exe    4 events
  PID 544  server.exe -> PID 576 server.exe    4 events
  PID 544  server.exe -> PID 472 server.exe    9 events
  PID 472  server.exe -> PID 588 netsh.exe     4 events
  The two SetThreadContext targets (804 and 472) each receive 9 writes; the other children receive 4 each.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe"
    (PID 1544, inferred from the signature tables)
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe"
        (PID 804; hollowed child of [1], same image)
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\server.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\server.exe"
            (PID 544; the dropped self-copy, see Downloads)
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\server.exe
                cmdline: "C:\Users\Admin\AppData\Local\Temp\server.exe"
                (PID 576)
                - Executes dropped EXE
            [4] C:\Users\Admin\AppData\Local\Temp\server.exe
                cmdline: "C:\Users\Admin\AppData\Local\Temp\server.exe"
                (PID 472; hollowed child of [3], same image; the process that persists and spawns netsh)
                - Executes dropped EXE
                - Adds Run key to start application
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\netsh.exe
                    cmdline: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                    (PID 588)
                    This uses the legacy "netsh firewall" context (deprecated in favour of "netsh advfirewall" but still accepted on Windows 7) to add a firewall exception for the dropped copy. The SysWOW64 path shows a 32-bit netsh launched from a 32-bit process, matching the Wow6432Node Run key write above.
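The tree above shows the whole chain in one run: self-hollowing, the self-copy to the user's Temp directory, the Run value under both hives, and a netsh firewall exception for that same copy. The following Python is an added example, not part of the sandbox report and not any vendor's detection content. It encodes those three behaviours as rules, runs them over constructed event records that carry the report's values, and correlates them by the persisted path. The record schema, the PIDs attached to events, and the benign OneDrive entry used as a negative case are assumptions made for the example.

```python
"""Re-check the njRAT persistence chain from the process tree above.

Added example; not part of the sandbox report. The event records are a
constructed, simplified schema (type/pid/key/data/cmdline/...) carrying the
values shown in the report's IoC lines, so the rules can be run offline:
  run_key          Run value with a 32-hex name whose data is "<path>" ..
  firewall_allow   netsh.exe adding a program to the firewall allow list
  self_hollowing   SetThreadContext onto a child running the same image
The verdict ties them together by the persisted path.
"""
from __future__ import annotations

import re
from collections import defaultdict

RUN_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\([0-9a-f]{32})$", re.I)
RUN_DATA_RE = re.compile(r'^"(?P<path>[^"]+)" \.\.$')          # "<path>" ..
NETSH_RE = re.compile(
    r'netsh(?:\.exe)?\s+firewall\s+add\s+allowedprogram\s+"(?P<path>[^"]+)"', re.I)


def norm(path: str) -> str:
    """Case-fold and normalise separators so paths from different sources compare."""
    return path.replace("/", "\\").lower()


def hive_of(key: str) -> str:
    """'USER' or 'MACHINE' from a native \\REGISTRY\\... key path."""
    parts = key.split("\\")
    return parts[2] if len(parts) > 2 else "?"


def triage(events: list[dict]) -> dict[str, list[dict]]:
    """Run the three rules over event records; returns findings keyed by rule."""
    findings: dict[str, list[dict]] = defaultdict(list)
    for ev in events:
        if ev["type"] == "reg_set":
            name = RUN_KEY_RE.search(ev["key"])
            data = RUN_DATA_RE.match(ev["data"])
            if name and data:
                findings["run_key"].append({
                    "pid": ev["pid"], "hive": hive_of(ev["key"]),
                    "name": name.group(1).lower(), "path": norm(data["path"]),
                })
        elif ev["type"] == "proc_create":
            m = NETSH_RE.search(ev["cmdline"])
            if m:
                findings["firewall_allow"].append({
                    "pid": ev["pid"], "ppid": ev["ppid"], "path": norm(m["path"]),
                })
        elif ev["type"] == "set_thread_context":
            if ev["pid"] != ev["target_pid"] and norm(ev["image"]) == norm(ev["target_image"]):
                findings["self_hollowing"].append({
                    "pid": ev["pid"], "target_pid": ev["target_pid"], "image": norm(ev["image"]),
                })
    return findings


def verdict(findings: dict[str, list[dict]]) -> dict:
    """Correlate: same path in a Run value and a firewall exception, plus hollowing."""
    run_paths = {f["path"] for f in findings.get("run_key", [])}
    fw_paths = {f["path"] for f in findings.get("firewall_allow", [])}
    shared = sorted(run_paths & fw_paths)
    return {
        "njrat_like": bool(shared) and bool(findings.get("self_hollowing")),
        "persisted_paths": shared,
        "run_key_names": sorted({f["name"] for f in findings.get("run_key", [])}),
        "hives": sorted({f["hive"] for f in findings.get("run_key", [])}),
    }


def sample_events() -> list[dict]:
    """Constructed records mirroring the report (PIDs taken from its signature tables)."""
    sample = r"C:\Users\Admin\AppData\Local\Temp\3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe"
    server = r"C:\Users\Admin\AppData\Local\Temp\server.exe"
    sid = "S-1-5-21-3456797065-1076791440-4146276586-1000"
    run_name = "279f6960ed84a752570aca7fb2dc1552"
    return [
        {"type": "set_thread_context", "pid": 1544, "image": sample, "target_pid": 804, "target_image": sample},
        {"type": "set_thread_context", "pid": 544, "image": server, "target_pid": 472, "target_image": server},
        {"type": "reg_set", "pid": 472,
         "key": rf"\REGISTRY\USER\{sid}\Software\Microsoft\Windows\CurrentVersion\Run\{run_name}",
         "data": f'"{server}" ..'},
        {"type": "reg_set", "pid": 472,
         "key": rf"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\{run_name}",
         "data": f'"{server}" ..'},
        # benign Run entry (constructed) that must not match: no 32-hex name, no " .." argument
        {"type": "reg_set", "pid": 1200,
         "key": rf"\REGISTRY\USER\{sid}\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
         "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
        {"type": "proc_create", "pid": 588, "ppid": 472, "image": r"C:\Windows\SysWOW64\netsh.exe",
         "cmdline": f'netsh firewall add allowedprogram "{server}" "server.exe" ENABLE'},
    ]


if __name__ == "__main__":
    found = triage(sample_events())
    for rule, hits in found.items():
        print(rule, hits)
    print(verdict(found))
```

The correlation step is what keeps this from being three noisy single-event rules: a Run value with a 32-hex name on its own is unusual but not damning, and legitimate installers do call netsh; the same Temp path appearing in both, produced by a process that was itself hollowed into a child of its own image, is the combination this report documents.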
Network
(no entries on this page)

MITRE ATT&CK Matrix (ATT&CK v6)
(no entries on this page)
Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe
MD5: 359a08045b66fe5f71fde43f9a6db01b
SHA1: 4580e9f5becff35c4c4e773931d18f2df166d9fc
SHA256: 3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67
SHA512: 81b120f81da9b442cb008093b54893d44dad911caffc1008c7de792e1420e1bedc15deb616f745e807410f47db3c049a316a77ffe42bef6959359f39af841683

The report lists this file eight times (four as C:\Users\Admin\AppData\Local\Temp\server.exe and four as \Users\Admin\AppData\Local\Temp\server.exe) with identical hashes on every entry; the duplicates are collapsed here. All four hashes match the submitted sample exactly, so the dropped server.exe is a byte-for-byte copy of the original file rather than an unpacked second stage: the sample copies itself to Temp under the name server.exe and persists that copy.
Memory dumps:
memory/472-70-0x000000000040747E-mapping.dmp
memory/472-74-0x0000000000290000-0x0000000000291000-memory.dmp (4KB)
memory/544-62-0x0000000000000000-mapping.dmp
memory/544-73-0x0000000000BE0000-0x0000000000BE1000-memory.dmp (4KB)
memory/588-75-0x0000000000000000-mapping.dmp
memory/804-59-0x0000000000E00000-0x0000000000E01000-memory.dmp (4KB)
memory/804-57-0x000000000040747E-mapping.dmp
memory/804-56-0x0000000000400000-0x000000000040C000-memory.dmp (48KB)
memory/1544-54-0x00000000751D1000-0x00000000751D3000-memory.dmp (8KB)
memory/1544-55-0x0000000000BC0000-0x0000000000BC1000-memory.dmp (4KB)

The two SetThreadContext targets, PID 804 and PID 472, both have a mapping dump at 0x40747E, and 804 also has a 48KB dump of the 0x400000-0x40C000 image region; the shared address is consistent with the same payload being written into both hollowed children, and 804-56 is the dump to start from when pulling the injected image.