Analysis

Max time kernel: 151s
Max time network: 108s
Platform: windows10_x64
Resource: win10v20210408
Submitted: 30-09-2021 12:35
Static task: static1
Behavioral task: behavioral1
  Sample: 3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: 3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe
  Resource: win10v20210408

The results below are from the win10v20210408 run (behavioral2), as the platform and resource fields above state.
General

Target: 3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe
Size: 136KB
MD5: 359a08045b66fe5f71fde43f9a6db01b
SHA1: 4580e9f5becff35c4c4e773931d18f2df166d9fc
SHA256: 3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67
SHA512: 81b120f81da9b442cb008093b54893d44dad911caffc1008c7de792e1420e1bedc15deb616f745e807410f47db3c049a316a77ffe42bef6959359f39af841683
Malware Config

Extracted
Family: njrat
Version: 0.7d
Botnet (campaign ID): HacKed
C2: 127.0.0.1:5552
Mutex: 279f6960ed84a752570aca7fb2dc1552
Attributes:
  reg_key: 279f6960ed84a752570aca7fb2dc1552
  splitter: |'|'|

The C2 address is the loopback interface, so this build can only reach a controller running on the infected host itself; that explains the empty Network section further down and marks the sample as a default or test build rather than an operational one. HacKed is the campaign ID the njRAT builder ships with, 5552 is its default port, and the install path seen later (server.exe under %TEMP%) is the builder's default as well. The reg_key is the name of the Run value the sample writes for persistence, and the splitter is the delimiter njRAT places between fields of its C2 messages, which makes it usable as a network content signature when a live C2 is in play.
Signatures

Executes dropped EXE (2 IoCs)
  PID 1440  server.exe
  PID 2088  server.exe

Modifies Windows Firewall (1 TTP)
  Triggered by the netsh.exe child of server.exe (PID 4092), which adds a firewall exception for the dropped binary; the command line is in the process tree below.

Adds Run key to start application (2 TTPs, 2 IoCs)
  server.exe (PID 2088)  Set value (str)
    \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\279f6960ed84a752570aca7fb2dc1552 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
  server.exe (PID 2088)  Set value (str)
    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\279f6960ed84a752570aca7fb2dc1552 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
  The value name is the reg_key from the extracted config, and the same entry is written to both the user hive and the machine hive. The HKLM path sits under WOW6432Node because server.exe is a 32-bit process on 64-bit Windows and the registry redirector rewrites its HKLM\SOFTWARE writes; when hunting on 64-bit hosts, check that branch as well as the native Run key. The trailing " .." after the quoted path is the argument njRAT restarts its copy with and is a useful discriminator against legitimate Run entries.

Suspicious use of SetThreadContext (2 IoCs)
  PID 1096  3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe  set thread context of  PID 8     3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe
  PID 1440  server.exe  set thread context of  PID 2088  server.exe
  Both times a parent writes into a child running the same image (see WriteProcessMemory below) and then resets the child's thread context: the RunPE / process-hollowing pattern. The packed sample does it once to unpack itself, and the dropped copy server.exe repeats it when it runs.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's stock description calls this likely ransomware behaviour, but drive enumeration is not ransomware-specific and nothing else in this report (no file encryption, no ransom note) points that way; for a RAT it is unremarkable.

Suspicious use of AdjustPrivilegeToken (33 IoCs)
  server.exe (PID 2088)  Token: SeDebugPrivilege  (1 event)
  server.exe (PID 2088)  Token: 33  followed by  Token: SeIncBasePriorityPrivilege  (the pair recurs 16 times)
  "33" is a privilege the sandbox reports by LUID rather than by name; in winnt.h, 33 is SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege). The repeating pair is low-value noise. The single SeDebugPrivilege request is the one to alert on: it lets the process open other processes regardless of their ACLs and is not something ordinary user applications enable.

Suspicious use of WriteProcessMemory (25 IoCs)
  PID 1096  3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe  wrote to memory of  PID 580   3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe  (3 writes)
  PID 1096  3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe  wrote to memory of  PID 8     3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe  (8 writes)
  PID 8     3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe  wrote to memory of  PID 1440  server.exe  (3 writes)
  PID 1440  server.exe  wrote to memory of  PID 2088  server.exe  (8 writes)
  PID 2088  server.exe  wrote to memory of  PID 4092  netsh.exe  (3 writes)
  Read together with SetThreadContext: the two targets that receive eight writes (PID 8 and PID 2088) are the ones whose thread context is then replaced, so those writes most plausibly carry the unpacked payload. The three-write groups go to ordinary children (580, 1440 and netsh.exe 4092) and are not followed by a context change. PID 580 is the sample's first child; it receives the initial writes but is never hollowed and does nothing further.
Processes

PIDs are taken from the IoC tables above; of the two level-2 children of the sample, the one carrying the WriteProcessMemory signature is PID 8 (it wrote into 1440), so the other is PID 580.

C:\Users\Admin\AppData\Local\Temp\3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe  (PID 1096)
  "C:\Users\Admin\AppData\Local\Temp\3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe  (PID 580, child of 1096)
      "C:\Users\Admin\AppData\Local\Temp\3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe"
      No signatures; receives the creation-time writes and nothing else.

    C:\Users\Admin\AppData\Local\Temp\3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe  (PID 8, child of 1096, hollowed)
      "C:\Users\Admin\AppData\Local\Temp\3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe"
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\server.exe  (PID 1440, child of 8)
          "C:\Users\Admin\AppData\Local\Temp\server.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\server.exe  (PID 2088, child of 1440, hollowed)
              "C:\Users\Admin\AppData\Local\Temp\server.exe"
              - Executes dropped EXE
              - Adds Run key to start application
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\netsh.exe  (PID 4092, child of 2088)
                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

The netsh binary comes from SysWOW64 because the caller is 32-bit. The command uses the deprecated "netsh firewall" context (the predecessor of "netsh advfirewall") to register the dropped copy as an allowed program, so inbound connections to it would pass the host firewall. With a loopback C2 that has no practical effect here, but it is the stock njRAT installation step and a reliable thing to alert on when a process under %TEMP% spawns it.
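The Run-key, firewall and SetThreadContext/WriteProcessMemory signatures above can be turned into offline checks that run over event records rather than over a live host. The following is an added example, not code from the sandbox report and not njRAT's own code: the event records are constructed to mirror the report's IoC tables (PIDs, paths, registry values and the netsh command line are copied from it; the OneDrive Run value is a made-up benign control), and the event schema and every function name are assumptions made for this example.

```python
"""Offline detection pass over the persistence and injection artefacts this report lists.

Added example, not code from the sandbox report and not njRAT's own code. The event
records are constructed to mirror the report's IoC tables; the OneDrive Run value is a
made-up benign control. The event schema and all function names are assumptions."""
import re

NJRAT_REG_KEY = "279f6960ed84a752570aca7fb2dc1552"   # reg_key from the extracted config
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe"
RUN_HKCU = (r"\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run")
RUN_HKLM_WOW = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"

EVENTS = [  # constructed from the report; one benign control added
    {"type": "reg_set", "pid": 2088, "image": "server.exe",
     "key": RUN_HKCU + "\\" + NJRAT_REG_KEY, "data": '"' + TEMP + r'\server.exe" ..'},
    {"type": "reg_set", "pid": 2088, "image": "server.exe",
     "key": RUN_HKLM_WOW + "\\" + NJRAT_REG_KEY, "data": '"' + TEMP + r'\server.exe" ..'},
    {"type": "reg_set", "pid": 3000, "image": "OneDriveSetup.exe",   # benign control
     "key": RUN_HKCU + r"\OneDrive",
     "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"type": "proc_create", "pid": 4092, "ppid": 2088, "image": "netsh.exe",
     "cmdline": 'netsh firewall add allowedprogram "' + TEMP + r'\server.exe" "server.exe" ENABLE'},
    {"type": "set_thread_context", "pid": 1096, "target": 8, "image": SAMPLE, "target_image": SAMPLE},
    {"type": "set_thread_context", "pid": 1440, "target": 2088, "image": "server.exe", "target_image": "server.exe"},
    {"type": "write_process_memory", "pid": 1096, "target": 580},
    {"type": "write_process_memory", "pid": 1096, "target": 8},
    {"type": "write_process_memory", "pid": 8, "target": 1440},
    {"type": "write_process_memory", "pid": 1440, "target": 2088},
    {"type": "write_process_memory", "pid": 2088, "target": 4092},
]

# njRAT's Run value is the quoted path of its copy followed by a space and two dots.
RUN_VALUE_RE = re.compile(r'^"(?P<path>[^"]+\.exe)" \.\.$', re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.IGNORECASE)
# User-writable staging directories: an autostart binary living here deserves a look.
STAGING_RE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.IGNORECASE)
# Legacy "netsh firewall" (as in the report) and the current "netsh advfirewall" syntax.
NETSH_RE = re.compile(
    r'netsh\s+(firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)\b'
    r'.*?"(?P<path>[^"]+\.exe)"', re.IGNORECASE)


def run_key_hits(events):
    """Run values written in njRAT's '"<path>" ..' form, with hive and value name recorded."""
    hits = []
    for ev in events:
        if ev["type"] != "reg_set":
            continue
        m_key, m_val = RUN_KEY_RE.search(ev["key"]), RUN_VALUE_RE.match(ev["data"])
        if not (m_key and m_val):
            continue
        hive = "HKLM" if ev["key"].upper().startswith(r"\REGISTRY\MACHINE") else "HKCU"
        hits.append({"pid": ev["pid"], "hive": hive, "name": m_key.group("name"),
                     "path": m_val.group("path"),
                     "staged": bool(STAGING_RE.search(m_val.group("path")))})
    return hits


def config_consistent(hits, reg_key=NJRAT_REG_KEY):
    """True when every flagged Run value is named after the reg_key the config extractor found."""
    return bool(hits) and all(h["name"].lower() == reg_key.lower() for h in hits)


def firewall_hits(events):
    """netsh invocations that open the host firewall for a program in a staging directory."""
    hits = []
    for ev in events:
        if ev["type"] != "proc_create" or ev["image"].lower() != "netsh.exe":
            continue
        m = NETSH_RE.search(ev["cmdline"])
        if m and STAGING_RE.search(m.group("path")):
            hits.append({"pid": ev["pid"], "ppid": ev["ppid"], "path": m.group("path")})
    return hits


def hollowing_hits(events):
    """(parent, child) pairs where the parent wrote into a same-image child and then replaced
    its thread context: the RunPE pattern the report shows for 1096->8 and 1440->2088."""
    written = {(ev["pid"], ev["target"]) for ev in events if ev["type"] == "write_process_memory"}
    return [(ev["pid"], ev["target"]) for ev in events
            if ev["type"] == "set_thread_context"
            and ev["image"].lower() == ev["target_image"].lower()
            and (ev["pid"], ev["target"]) in written]


def injection_chain(events, root):
    """Breadth-first walk over WriteProcessMemory edges from root; PIDs in discovery order."""
    edges = {}
    for ev in events:
        if ev["type"] == "write_process_memory":
            edges.setdefault(ev["pid"], []).append(ev["target"])
    chain, frontier = [root], [root]
    while frontier:
        frontier = [t for p in frontier for t in edges.get(p, []) if t not in chain]
        chain.extend(frontier)
    return chain
```

Against the constructed events, run_key_hits returns the HKCU and HKLM entries and skips the OneDrive control because its value data ends in a real switch rather than " ..", firewall_hits returns the netsh child with its parent PID 2088, hollowing_hits returns the two RunPE pairs, and injection_chain(EVENTS, 1096) reconstructs the full chain 1096, 580, 8, 1440, 2088, 4092 from the write events alone. On a real host the same functions would be fed from Sysmon or EDR telemetry instead of the inline list.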
Network

No network indicators are recorded, which is consistent with the extracted C2 address being the loopback interface (127.0.0.1:5552).

MITRE ATT&CK Matrix (ATT&CK v6)

Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe.log
  MD5: 339dbc49ea5c332f15f4ead32d70d878
  SHA1: 40f169d604bf2a4e4eb2f432e3ebe0156ae8a777
  SHA256: 4f51a0b25879f156888beec5c7a451bd6471b915c022ccd1d4caecf410784fd3
  SHA512: 8739751b450dd669b599d50b54b04a3c835760f9456c2ac683be5331993f04bd9528a603f8cecfdfe18a1d1ddacd9b15bad84259b4ae42f77918df66eb5b5354

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log
  MD5: 339dbc49ea5c332f15f4ead32d70d878
  SHA1: 40f169d604bf2a4e4eb2f432e3ebe0156ae8a777
  SHA256: 4f51a0b25879f156888beec5c7a451bd6471b915c022ccd1d4caecf410784fd3
  SHA512: 8739751b450dd669b599d50b54b04a3c835760f9456c2ac683be5331993f04bd9528a603f8cecfdfe18a1d1ddacd9b15bad84259b4ae42f77918df66eb5b5354

C:\Users\Admin\AppData\Local\Temp\server.exe
  MD5: 359a08045b66fe5f71fde43f9a6db01b
  SHA1: 4580e9f5becff35c4c4e773931d18f2df166d9fc
  SHA256: 3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67
  SHA512: 81b120f81da9b442cb008093b54893d44dad911caffc1008c7de792e1420e1bedc15deb616f745e807410f47db3c049a316a77ffe42bef6959359f39af841683

Two things follow from these hashes. The CLR_v2.0_32 usage logs exist for both the sample and server.exe, so both run as 32-bit .NET Framework (CLR v2) executables, which fits njRAT 0.7d being a .NET binary; the two logs also hash identically. The dropped server.exe carries exactly the hashes of the submitted sample, so the "dropped EXE" is a byte-for-byte copy of the original placed at the njRAT default install path %TEMP%\server.exe, not a second-stage payload; a file hash block on the sample therefore covers the copy as well.
Memory dumps (pid-event, region, type, size), in event order:

memory/1096-114  0x0000000001140000-0x0000000001141000  memory.dmp  4KB
memory/8-115     0x0000000000400000-0x000000000040C000  memory.dmp  48KB
memory/8-116     0x000000000040747E                     mapping.dmp
memory/8-117     0x0000000002AA0000-0x0000000002AA1000  memory.dmp  4KB
memory/1440-118  0x0000000000000000                     mapping.dmp
memory/2088-123  0x000000000040747E                     mapping.dmp
memory/1440-126  0x00000000033D0000-0x00000000033D1000  memory.dmp  4KB
memory/2088-127  0x0000000003020000-0x0000000003021000  memory.dmp  4KB
memory/4092-128  0x0000000000000000                     mapping.dmp

The 48KB region at 0x400000-0x40C000 in PID 8 is at the default 32-bit image base and is the only sizeable region dumped, so it is the natural place to look for the unpacked njRAT image. The mapping entries at 0x40747E for PID 8 and PID 2088 fall inside that region and appear only for the two processes that were targets of SetThreadContext, consistent with 0x40747E being the entry point the parent set for the hollowed child; the identical address in both runs indicates the same payload is unpacked each time. The 0x0 mappings for PID 1440 and PID 4092 belong to plainly created processes that were never hollowed. The remaining 4KB dumps are single pages and are not useful on their own.