Analysis
Max time kernel: 300s
Max time network: 301s
Platform: windows7_x64
Resource: win7-en-20211014
Submitted: 21-10-2021 14:28
General
Target: S123erver.exe
Size: 106KB
MD5: 9a8bfcdfb43451e84f36db37a5dbeb69
SHA1: 631c947853ecd90f85d1ceab0d4929b6f1a567b0
SHA256: ab911ff317e64605f78af4e8f6f637a8e4a014fb426edb858aab588e105e5fad
SHA512: e156cfcbe62af0687118e62eefac1afbf86c8a956c423af55fdfc325aec30b11a0280a8231375610c6990d19b1cb79a557968f93c020ebb4c684592070ec7c92
Malware Config
Extracted
Family: njrat
Version: 0.7d
Campaign ID: HacKed
C2: ODIuFRANSESCOjAyLjE2Ny4yFRANSESCODUStrik:MTIzNjE=
Mutex: 224a447697bf2b49e78d4ad88e1bc033
reg_key: 224a447697bf2b49e78d4ad88e1bc033
splitter: |'|'|
Signatures
Executes dropped EXE (1 IoC)
  Process: server.exe (PID 1648)
Modifies Windows Firewall (1 TTP)
Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe (process: server.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe (process: server.exe)
Loads dropped DLL (2 IoCs)
  Process: S123erver.exe (PID 1588), two occurrences
Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\SysWOW64\Explower.exe (process: server.exe)
  File opened for modification: C:\Windows\SysWOW64\Explower.exe (process: server.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: server.exe (PID 1648)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1588 (S123erver.exe) wrote to memory of PID 1648 (server.exe), 4 occurrences
  PID 1648 (server.exe) wrote to memory of PID 1100 (netsh.exe), 4 occurrences
Processes
1. C:\Users\Admin\AppData\Local\Temp\S123erver.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\S123erver.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\server.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
      - Drops startup file
      - Drops file in System32 directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\server.exe (listed four times in the report, also as \Users\Admin\AppData\Local\Temp\server.exe, each time with the same hashes, which match the submitted sample)
MD5: 9a8bfcdfb43451e84f36db37a5dbeb69
SHA1: 631c947853ecd90f85d1ceab0d4929b6f1a567b0
SHA256: ab911ff317e64605f78af4e8f6f637a8e4a014fb426edb858aab588e105e5fad
SHA512: e156cfcbe62af0687118e62eefac1afbf86c8a956c423af55fdfc325aec30b11a0280a8231375610c6990d19b1cb79a557968f93c020ebb4c684592070ec7c92

C:\Users\Admin\AppData\Roaming\app
MD5: f478c76bbb3174dbc7fabae62224f818
SHA1: bed239508bad9fcd15a9bdea1e132f62468d07d1
SHA256: d7a0af52f260c87ef40bdfc1f1196faf7797593d62c6120ae99957d78762ed1a
SHA512: b653aa05746c721c9129456de3798d9e94385a0e5630c5d497fa0d6076274560885edd5875232b40d07aafa3f0e929e9b3bf2ff388ad2c21b3589cb01b79f94b

memory/1100-65-0x0000000000000000-mapping.dmp
memory/1588-55-0x00000000764D1000-0x00000000764D3000-memory.dmp (8KB)
memory/1588-56-0x0000000000380000-0x0000000000381000-memory.dmp (4KB)
memory/1648-59-0x0000000000000000-mapping.dmp
memory/1648-64-0x0000000000AE0000-0x0000000000AE1000-memory.dmp (4KB)