Analysis
- max time kernel: 149s
- max time network: 133s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 01-10-2021 12:58
Behavioral task: behavioral1
- Sample: 8320F6171990184F84338329DAE465E33EF90E1A9584E.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: 8320F6171990184F84338329DAE465E33EF90E1A9584E.exe
- Resource: win10v20210408
General
- Target: 8320F6171990184F84338329DAE465E33EF90E1A9584E.exe
- Size: 23KB
- MD5: a873745adb5279248a7ea3cccff26c3c
- SHA1: 551fb96900684f790fca3b2b837d1c88ef0508dc
- SHA256: 8320f6171990184f84338329dae465e33ef90e1a9584e7087b226d682b8e1594
- SHA512: 09d94e876577cd9c1ae164bb6bfa94fc440482f2fc5e775b6d7222508ad4ef53697f2164044b30789d7a2cf4f703a98d4958968c7cd774811a89a2188310b87f
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: Lammer
- C2: 6.tcp.ngrok.io:16860
- Mutex: 142514b06c5331e576c2b748ba1ec681
- reg_key: 142514b06c5331e576c2b748ba1ec681
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes: Server.exe (pid 2020)
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Processes (Server.exe):
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\142514b06c5331e576c2b748ba1ec681.exe
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\142514b06c5331e576c2b748ba1ec681.exe
- Loads dropped DLL (1 IoC)
  Processes: 8320F6171990184F84338329DAE465E33EF90E1A9584E.exe (pid 2024)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (Server.exe):
  - Set value (str): \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\142514b06c5331e576c2b748ba1ec681 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Server.exe\" .."
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\142514b06c5331e576c2b748ba1ec681 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Server.exe\" .."
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes (Server.exe, pid 2020): Token: SeDebugPrivilege once; the remaining 34 entries alternate Token: 33 and Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  - PID 2024 (8320F6171990184F84338329DAE465E33EF90E1A9584E.exe) wrote to memory of PID 2020 (Server.exe), 4 times
  - PID 2020 (Server.exe) wrote to memory of PID 1420 (netsh.exe), 4 times
Processes (tree, depth 1 to 3)
- [1] C:\Users\Admin\AppData\Local\Temp\8320F6171990184F84338329DAE465E33EF90E1A9584E.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8320F6171990184F84338329DAE465E33EF90E1A9584E.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\Server.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Server.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Server.exe" "Server.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Server.exe (same hashes as the submitted sample)
  MD5: a873745adb5279248a7ea3cccff26c3c
  SHA1: 551fb96900684f790fca3b2b837d1c88ef0508dc
  SHA256: 8320f6171990184f84338329dae465e33ef90e1a9584e7087b226d682b8e1594
  SHA512: 09d94e876577cd9c1ae164bb6bfa94fc440482f2fc5e775b6d7222508ad4ef53697f2164044b30789d7a2cf4f703a98d4958968c7cd774811a89a2188310b87f
- memory/1420-61-0x0000000000000000-mapping.dmp
- memory/2020-56-0x0000000000000000-mapping.dmp
- memory/2020-60-0x0000000001DD0000-0x0000000001DD1000-memory.dmp (filesize: 4KB)
- memory/2024-53-0x0000000075821000-0x0000000075823000-memory.dmp (filesize: 8KB)
- memory/2024-54-0x0000000002280000-0x0000000002281000-memory.dmp (filesize: 4KB)