Analysis
max time kernel: 150s
max time network: 151s
platform: windows10_x64
resource: win10v20210408
submitted: 01-10-2021 13:01
Behavioral task: behavioral1
Sample: 8320F6171990184F84338329DAE465E33EF90E1A9584E.exe
Resource: win7v20210408

Behavioral task: behavioral2
Sample: 8320F6171990184F84338329DAE465E33EF90E1A9584E.exe
Resource: win10v20210408
General
Target: 8320F6171990184F84338329DAE465E33EF90E1A9584E.exe
Size: 23KB
MD5: a873745adb5279248a7ea3cccff26c3c
SHA1: 551fb96900684f790fca3b2b837d1c88ef0508dc
SHA256: 8320f6171990184f84338329dae465e33ef90e1a9584e7087b226d682b8e1594
SHA512: 09d94e876577cd9c1ae164bb6bfa94fc440482f2fc5e775b6d7222508ad4ef53697f2164044b30789d7a2cf4f703a98d4958968c7cd774811a89a2188310b87f
Malware Config
Extracted:
  Family: njrat
  Version: 0.7d
  Botnet: Lammer
  C2: 6.tcp.ngrok.io:16860
  Mutex: 142514b06c5331e576c2b748ba1ec681
  reg_key: 142514b06c5331e576c2b748ba1ec681
  splitter: |'|'|
Signatures

Executes dropped EXE (1 IoC)
Processes: Server.exe
  pid 964  Server.exe

Modifies Windows Firewall (1 TTP)

Drops startup file (2 IoCs)
Processes: Server.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\142514b06c5331e576c2b748ba1ec681.exe  (Server.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\142514b06c5331e576c2b748ba1ec681.exe  (Server.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: Server.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\142514b06c5331e576c2b748ba1ec681 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Server.exe\" .."  (Server.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\142514b06c5331e576c2b748ba1ec681 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Server.exe\" .."  (Server.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (33 IoCs)
Processes: Server.exe
  Token: SeDebugPrivilege  pid 964  Server.exe
  Token: 33  pid 964  Server.exe  (16 entries)
  Token: SeIncBasePriorityPrivilege  pid 964  Server.exe  (16 entries, alternating with the Token: 33 entries)

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 8320F6171990184F84338329DAE465E33EF90E1A9584E.exe, Server.exe
  PID 804 wrote to memory of 964  8320F6171990184F84338329DAE465E33EF90E1A9584E.exe -> Server.exe  (3 entries)
  PID 964 wrote to memory of 1220  Server.exe -> netsh.exe  (3 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\8320F6171990184F84338329DAE465E33EF90E1A9584E.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8320F6171990184F84338329DAE465E33EF90E1A9584E.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Server.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Server.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Server.exe" "Server.exe" ENABLE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\AppData\Roaming\Server.exe
MD5: a873745adb5279248a7ea3cccff26c3c
SHA1: 551fb96900684f790fca3b2b837d1c88ef0508dc
SHA256: 8320f6171990184f84338329dae465e33ef90e1a9584e7087b226d682b8e1594
SHA512: 09d94e876577cd9c1ae164bb6bfa94fc440482f2fc5e775b6d7222508ad4ef53697f2164044b30789d7a2cf4f703a98d4958968c7cd774811a89a2188310b87f
memory/804-114-0x0000000002BD0000-0x0000000002BD1000-memory.dmp  Filesize: 4KB
memory/964-115-0x0000000000000000-mapping.dmp
memory/964-118-0x0000000002950000-0x0000000002951000-memory.dmp  Filesize: 4KB
memory/1220-119-0x0000000000000000-mapping.dmp