Analysis

max time kernel: 153s
max time network: 80s
platform: windows10_x64
resource: win10v20210408
submitted: 30-09-2021 13:07

Static task: static1

Behavioral task: behavioral1
  Sample: 3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe
  Resource: win7v20210408

Behavioral task: behavioral2
  Sample: 3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe
  Resource: win10v20210408
General

Target: 3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe
Size: 136KB
MD5: 359a08045b66fe5f71fde43f9a6db01b
SHA1: 4580e9f5becff35c4c4e773931d18f2df166d9fc
SHA256: 3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67
SHA512: 81b120f81da9b442cb008093b54893d44dad911caffc1008c7de792e1420e1bedc15deb616f745e807410f47db3c049a316a77ffe42bef6959359f39af841683
Malware Config

Extracted

Family: njrat
Version: 0.7d
Botnet: HacKed
C2: 127.0.0.1:5552
Mutex: 279f6960ed84a752570aca7fb2dc1552
Attributes:
  reg_key: 279f6960ed84a752570aca7fb2dc1552
  splitter: |'|'|
Signatures

Executes dropped EXE (2 IoCs)
Processes:
  - pid 1124, process server.exe
  - pid 1344, process server.exe

Modifies Windows Firewall (1 TTPs)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  - description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\279f6960ed84a752570aca7fb2dc1552 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
    process: server.exe
  - description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\279f6960ed84a752570aca7fb2dc1552 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
    process: server.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes:
  - PID 528 set thread context of 672 (pid 528, process 3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe, target process 3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe)
  - PID 1124 set thread context of 1344 (pid 1124, process server.exe, target process server.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (33 IoCs)
Processes (all entries: pid 1344, process server.exe):
  - Token: SeDebugPrivilege (1 occurrence)
  - Token: 33 and Token: SeIncBasePriorityPrivilege, alternating (16 occurrences each)

Suspicious use of WriteProcessMemory (22 IoCs)
Processes:
  - PID 528 wrote to memory of 672 (pid 528, process 3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe, target process 3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe): 8 occurrences
  - PID 672 wrote to memory of 1124 (pid 672, process 3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe, target process server.exe): 3 occurrences
  - PID 1124 wrote to memory of 1344 (pid 1124, process server.exe, target process server.exe): 8 occurrences
  - PID 1344 wrote to memory of 1720 (pid 1344, process server.exe, target process netsh.exe): 3 occurrences
Processes

1. C:\Users\Admin\AppData\Local\Temp\3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\server.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\server.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\netsh.exe
               Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67.exe.log
  MD5: 339dbc49ea5c332f15f4ead32d70d878
  SHA1: 40f169d604bf2a4e4eb2f432e3ebe0156ae8a777
  SHA256: 4f51a0b25879f156888beec5c7a451bd6471b915c022ccd1d4caecf410784fd3
  SHA512: 8739751b450dd669b599d50b54b04a3c835760f9456c2ac683be5331993f04bd9528a603f8cecfdfe18a1d1ddacd9b15bad84259b4ae42f77918df66eb5b5354

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log
  MD5: 339dbc49ea5c332f15f4ead32d70d878
  SHA1: 40f169d604bf2a4e4eb2f432e3ebe0156ae8a777
  SHA256: 4f51a0b25879f156888beec5c7a451bd6471b915c022ccd1d4caecf410784fd3
  SHA512: 8739751b450dd669b599d50b54b04a3c835760f9456c2ac683be5331993f04bd9528a603f8cecfdfe18a1d1ddacd9b15bad84259b4ae42f77918df66eb5b5354

C:\Users\Admin\AppData\Local\Temp\server.exe
  MD5: 359a08045b66fe5f71fde43f9a6db01b
  SHA1: 4580e9f5becff35c4c4e773931d18f2df166d9fc
  SHA256: 3de70e8b308469f55fafddb2e107d3ae908005e1445eb5d1b09a7ff690f62c67
  SHA512: 81b120f81da9b442cb008093b54893d44dad911caffc1008c7de792e1420e1bedc15deb616f745e807410f47db3c049a316a77ffe42bef6959359f39af841683

memory/528-114-0x0000000002DB0000-0x0000000002DB1000-memory.dmp
  Filesize: 4KB

memory/672-117-0x0000000001100000-0x000000000124A000-memory.dmp
  Filesize: 1.3MB

memory/672-116-0x000000000040747E-mapping.dmp

memory/672-115-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB

memory/1124-118-0x0000000000000000-mapping.dmp

memory/1124-126-0x0000000001010000-0x0000000001011000-memory.dmp
  Filesize: 4KB

memory/1344-123-0x000000000040747E-mapping.dmp

memory/1344-127-0x00000000027E0000-0x00000000027E1000-memory.dmp
  Filesize: 4KB

memory/1720-128-0x0000000000000000-mapping.dmp