Analysis
- max time kernel: 151s
- max time network: 148s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 13-10-2021 15:05
Static task: static1
Behavioral task: behavioral1
- Sample: 85cfeed60fa9a9134684748f9ec0089d46140bb5d300f006bc6121e9ad54c178.bin.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: 85cfeed60fa9a9134684748f9ec0089d46140bb5d300f006bc6121e9ad54c178.bin.exe
- Resource: win10v20210408
General
- Target: 85cfeed60fa9a9134684748f9ec0089d46140bb5d300f006bc6121e9ad54c178.bin.exe
- Size: 863KB
- MD5: 00901973d7b977e5b42f14a629149f5b
- SHA1: 5b8a37c6bacd8157b2f7fb0a8d737ae6e29d31cb
- SHA256: 85cfeed60fa9a9134684748f9ec0089d46140bb5d300f006bc6121e9ad54c178
- SHA512: 99119c74fc8b597a9817b696efcc59b05abbaa8f1c4e29a458817847bdd85040110b5413b4121b7c49d892cd123d7993969ffd8a1529befc2705169624ac3e96
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet (campaign name): HacKed
- C2: 10.10.10.10:5552
- Mutex: 0dc24807523d3cd24b54cd0996e4c49b
- reg_key: 0dc24807523d3cd24b54cd0996e4c49b
- splitter: |'|'|
Notes: 10.10.10.10 is an RFC 1918 private address, so this build can only reach its controller on a local network (a lab or test build, or a campaign staged inside a LAN); no C2 traffic is to be expected from an Internet-connected sandbox. "HacKed" is the default campaign name in the njRAT builder. The same 32-hex value serves as the mutex name and as the Run value name, which makes it a convenient host IoC.
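The splitter above is the field delimiter njRAT uses inside its C2 messages, which are framed on the wire as a decimal length, a NUL byte, then the payload. The following Python is an added example, not code from the report or from njRAT itself: a parser for that framing, driven by the extracted splitter, with a constructed sample stream (the host, user and "ping" fields are placeholders, not captured traffic).

```python
# Added example (not from the sandbox report): parser for the framing njRAT
# uses on its TCP C2 channel. Each message is '<decimal length>\x00<payload>'
# and the payload's fields are joined with the splitter from the extracted
# config. SAMPLE_STREAM below is constructed for this example, not captured.

SPLITTER = "|'|'|"  # value taken from the extracted config above


def build_frame(fields, splitter=SPLITTER) -> bytes:
    """Encode one message the way the client puts it on the wire."""
    payload = splitter.join(fields).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_frames(stream: bytes, splitter=SPLITTER):
    """Split a raw byte stream into messages.

    Returns (messages, remainder): messages is a list of field lists, and
    remainder is any trailing partial frame, so a caller reading a socket
    in chunks can prepend it to the next read. Raises ValueError when the
    bytes before a NUL are not a decimal length, which is the quickest way
    to tell that a stream is not njRAT traffic.
    """
    messages = []
    pos = 0
    while True:
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break  # no complete length prefix yet
        length_field = stream[pos:nul]
        if not length_field.isdigit():
            raise ValueError(f"bad length prefix at offset {pos}: {length_field!r}")
        start = nul + 1
        end = start + int(length_field)
        if end > len(stream):
            break  # payload not fully received
        payload = stream[start:end].decode("utf-8", errors="replace")
        messages.append(payload.split(splitter))
        pos = end
    return messages, stream[pos:]


def looks_like_njrat(stream: bytes, splitter=SPLITTER) -> bool:
    """First-pass filter for pcap payloads: well framed and uses the splitter."""
    try:
        messages, _ = parse_frames(stream, splitter)
    except ValueError:
        return False
    return any(len(fields) > 1 for fields in messages)


# Constructed sample: a registration-style message (njRAT's first message is
# the 'll' command followed by base64 of '<campaign>_<hardware id>'; here
# 'SGFjS2VkXzEyMzQ=' is base64("HacKed_1234"), and the host, user and
# 'ping' fields are placeholders) followed by a short second message.
SAMPLE_STREAM = (
    build_frame(["ll", "SGFjS2VkXzEyMzQ=", "WIN-LAB", "Admin"])
    + build_frame(["ping"])
)

if __name__ == "__main__":
    msgs, rest = parse_frames(SAMPLE_STREAM)
    for fields in msgs:
        print(fields)
    print("remainder:", rest)
```

The remainder return value matters in practice: njRAT messages can span TCP segment boundaries, so a parser that assumes one message per read will drop or mis-split frames.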
Signatures
- Executes dropped EXE (2 IoCs)
  Processes: 1861.exe (PID 836), server.exe (PID 1472)
- Modifies Windows Firewall (1 TTP)
  See the netsh.exe command line in the process tree below.
- Loads dropped DLL (4 IoCs)
  Processes: 85cfeed60fa9a9134684748f9ec0089d46140bb5d300f006bc6121e9ad54c178.bin.exe (PID 1768, 3 events), 1861.exe (PID 836, 1 event)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  server.exe (PID 1472) set value (str):
    \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\0dc24807523d3cd24b54cd0996e4c49b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\0dc24807523d3cd24b54cd0996e4c49b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
  The Wow6432Node path is WOW64 registry redirection: server.exe is a 32-bit process writing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run on x64 Windows. The trailing " .." argument is the form njRAT uses for its own autorun entry, and the value name is the mutex/reg_key from the extracted config.
- Checks whether UAC is enabled (1 IoC)
  85cfeed60fa9a9134684748f9ec0089d46140bb5d300f006bc6121e9ad54c178.bin.exe (PID 1768) set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  Writing EnableLUA = 0 does not merely check UAC, it disables it from the next reboot; the same write is also filed under "System policy modification" below.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description of this signature is "likely ransomware behaviour"; for njRAT the usual cause is its removable-drive (USB) spreading option, so this signature on its own is not evidence of ransomware.
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  server.exe (PID 1472): SeDebugPrivilege once, then privilege 33 and SeIncBasePriorityPrivilege enabled alternately, 15 times each
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1768 (85cfeed60fa9a9134684748f9ec0089d46140bb5d300f006bc6121e9ad54c178.bin.exe) wrote to PID 836 (1861.exe), 4 times
  PID 836 (1861.exe) wrote to PID 1472 (server.exe), 4 times
  PID 1472 (server.exe) wrote to PID 1292 (netsh.exe), 4 times
  In every case the writer is the parent of the target and the writes happen at process creation, so this is consistent with normal child start-up rather than injection into an unrelated process.
- System policy modification (1 TTP, 3 IoCs)
  85cfeed60fa9a9134684748f9ec0089d46140bb5d300f006bc6121e9ad54c178.bin.exe (PID 1768):
    Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
    Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
    Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  ConsentPromptBehaviorAdmin = 0 makes elevation silent for administrators immediately; EnableLUA = 0 turns UAC off entirely after the next reboot. Both are under HKLM, so the dropper was already running with administrative rights when it made them.
Processes
- C:\Users\Admin\AppData\Local\Temp\85cfeed60fa9a9134684748f9ec0089d46140bb5d300f006bc6121e9ad54c178.bin.exe (PID 1768)
  Command line: "C:\Users\Admin\AppData\Local\Temp\85cfeed60fa9a9134684748f9ec0089d46140bb5d300f006bc6121e9ad54c178.bin.exe"
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Users\Admin\AppData\Local\Temp\1861\1861.exe (PID 836)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1861\1861.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\server.exe (PID 1472)
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\netsh.exe (PID 1292)
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
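The Signatures section and the process tree above give the three host-side behaviours worth alerting on: a Run value pointing into a user-writable directory (with njRAT's " .." argument), UAC policy values set to 0 under HKLM, and netsh adding a firewall exception for a dropped executable. The following Python is an added example, not code from the report or from any sandbox: the rule logic run over event records constructed from the report's own IoCs. The dict schema (type, pid, parent, key, name, data, cmdline) is this example's own, and the ATT&CK IDs are current sub-technique numbering rather than the v6 matrix the report links to.

```python
# Added example, not part of the sandbox report: rule logic that turns the
# registry and process events the report lists into findings. EVENTS is
# constructed from the report's own IoCs in a made-up dict schema (type,
# pid, parent, key, name, data, cmdline are this example's field names).
# ATT&CK IDs use current sub-technique numbering, not the v6 matrix.
import re
from dataclasses import dataclass

RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
UAC_POLICY_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Policies\\System$", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp)\\", re.I)
NETSH_FW = re.compile(
    r"^\s*netsh(\.exe)?\s+(firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)\b",
    re.I,
)
QUOTED_PROGRAM = re.compile(r'^\s*"([^"]+)"(.*)$')


@dataclass
class Finding:
    technique: str
    pid: int
    detail: str


def split_program(value: str):
    """Return (program path, remaining arguments) from a Run value or command line."""
    m = QUOTED_PROGRAM.match(value)
    if m:
        return m.group(1), m.group(2).strip()
    parts = value.strip().split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def check_registry(ev):
    key, name, data = ev["key"], ev["name"], str(ev["data"])
    if RUN_KEY.search(key):
        program, args = split_program(data)
        if USER_WRITABLE.search(program):
            note = "autorun points into a user-writable directory"
            if args == "..":
                note += "; trailing ' ..' argument is the njRAT persistence form"
            return Finding("T1547.001", ev["pid"], f"{key}\\{name} -> {program} ({note})")
    if UAC_POLICY_KEY.search(key) and name in ("EnableLUA", "ConsentPromptBehaviorAdmin") and data == "0":
        return Finding("T1548.002", ev["pid"], f"UAC weakened: {name} = 0")
    return None


def check_process(ev):
    cmd = ev.get("cmdline", "")
    if NETSH_FW.match(cmd):
        exes = re.findall(r'"([^"]+\.exe)"', cmd, re.I)
        target = exes[0] if exes else cmd
        return Finding("T1562.004", ev["pid"], f"firewall exception added for {target}")
    return None


def ancestry(events, pid):
    """Walk parent links from pid back to the root process."""
    parents = {e["pid"]: e.get("parent") for e in events if e["type"] == "proc_create"}
    chain = [pid]
    while parents.get(chain[-1]) is not None:
        chain.append(parents[chain[-1]])
    return chain[::-1]


def scan(events):
    findings = []
    for ev in events:
        if ev["type"] == "reg_set":
            f = check_registry(ev)
        elif ev["type"] == "proc_create":
            f = check_process(ev)
        else:
            f = None
        if f is not None:
            findings.append(f)
    return findings


# Constructed from the report's process tree and registry IoCs.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = "85cfeed60fa9a9134684748f9ec0089d46140bb5d300f006bc6121e9ad54c178.bin.exe"
RUN_NAME = "0dc24807523d3cd24b54cd0996e4c49b"
SID = "S-1-5-21-3456797065-1076791440-4146276586-1000"
POLICY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
HKU_RUN = "\\REGISTRY\\USER\\" + SID + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
HKLM_RUN = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"
EVENTS = [
    {"type": "proc_create", "pid": 1768, "parent": None, "cmdline": f'"{TEMP}\\{DROPPER}"'},
    {"type": "proc_create", "pid": 836, "parent": 1768, "cmdline": f'"{TEMP}\\1861\\1861.exe"'},
    {"type": "proc_create", "pid": 1472, "parent": 836, "cmdline": f'"{TEMP}\\server.exe"'},
    {"type": "proc_create", "pid": 1292, "parent": 1472,
     "cmdline": f'netsh firewall add allowedprogram "{TEMP}\\server.exe" "server.exe" ENABLE'},
    {"type": "reg_set", "pid": 1768, "key": POLICY, "name": "EnableLUA", "data": "0"},
    {"type": "reg_set", "pid": 1768, "key": POLICY, "name": "ConsentPromptBehaviorAdmin", "data": "0"},
    {"type": "reg_set", "pid": 1472, "key": HKU_RUN, "name": RUN_NAME, "data": f'"{TEMP}\\server.exe" ..'},
    {"type": "reg_set", "pid": 1472, "key": HKLM_RUN, "name": RUN_NAME, "data": f'"{TEMP}\\server.exe" ..'},
]

if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding.technique, finding.pid, finding.detail)
    print("netsh ancestry:", " > ".join(map(str, ancestry(EVENTS, 1292))))
```

The Run-key rule keys on the program's location rather than on the value name, because the value name here is a per-build hash that changes with every njRAT build; the ancestry helper is what turns the isolated netsh event into "netsh spawned by a binary in %TEMP% three hops from the original dropper", which is the context an analyst wants next to the alert.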
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
All four dropped copies carry the same hashes, so 1861.exe and server.exe are the same file: the 863KB outer sample (SHA256 85cfeed6...) is a dropper and SHA256 0fbd7aca... is the njRAT payload it writes, first as 1861\1861.exe and then as server.exe for the resident copy. Pivot on the payload hash rather than the dropper hash when hunting for this build.
- C:\Users\Admin\AppData\Local\Temp\1861\1861.exe
- C:\Users\Admin\AppData\Local\Temp\server.exe
- \Users\Admin\AppData\Local\Temp\1861\1861.exe
- \Users\Admin\AppData\Local\Temp\server.exe
  MD5: bebaf4e286ed9a482904bf9efcd5f434
  SHA1: 166a080379f4dbfa316605472babd449dde77e82
  SHA256: 0fbd7acad44985ebd797c6b6dc25fc609ed4289b63c333ab058cd33efdf41523
  SHA512: d64ff77c46f3f3ac5e35e825e7ea1d0f57f32e5ca0fed556acd978b2b11c9ad676032799106ca31251aa081deab90e4b8794c127ec628d87829d2ac6a81cb741
- memory/836-58-0x0000000000000000-mapping.dmp
- memory/836-62-0x00000000008E0000-0x00000000008E1000-memory.dmp (4KB)
- memory/1292-69-0x0000000000000000-mapping.dmp
- memory/1472-64-0x0000000000000000-mapping.dmp
- memory/1472-68-0x00000000005D0000-0x00000000005D1000-memory.dmp (4KB)
- memory/1768-54-0x0000000075821000-0x0000000075823000-memory.dmp (8KB)