Analysis
-
max time kernel
151s -
max time network
152s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
10-11-2021 03:36
Behavioral task
behavioral1
Sample
376C8EDBAFB727E3C48081AC3C6751DD6B73E73462C2A.exe
Resource
win7-en-20211104
General
-
Target
376C8EDBAFB727E3C48081AC3C6751DD6B73E73462C2A.exe
-
Size
93KB
-
MD5
9f9dbbcabdc0f57b9b0d2f81410f5b5f
-
SHA1
b524af77112c726613fac681ba93d174e5c31932
-
SHA256
376c8edbafb727e3c48081ac3c6751dd6b73e73462c2a26794b37cd44be4344d
-
SHA512
e8828f4caa5e325f51ed5cc07e40acbb807485bc28e7df55b11432972dcf28cd749ee543cb63bd4815919f4f24f94aa063acef9c994a5764562061ec9b8cf91b
Malware Config
Extracted
njrat
0.7d
HacKed
FRANSESCOC50Y3Aubmdyb2suaW8Strik:MTIxNjE=
854ee8c16d20a740152aef12b1a29af6
-
reg_key
854ee8c16d20a740152aef12b1a29af6
-
splitter
|'|'|
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
server.exepid process 3032 server.exe -
Modifies Windows Firewall 1 TTPs
-
Drops startup file 6 IoCs
Processes:
server.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\854ee8c16d20a740152aef12b1a29af6Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\854ee8c16d20a740152aef12b1a29af6Windows Update.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe server.exe -
Drops file in System32 directory 2 IoCs
Processes:
server.exedescription ioc process File created C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe -
Drops file in Program Files directory 2 IoCs
Processes:
server.exedescription ioc process File opened for modification C:\Program Files (x86)\Explower.exe server.exe File created C:\Program Files (x86)\Explower.exe server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
server.exepid process 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe 3032 server.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
server.exepid process 3032 server.exe -
Suspicious use of AdjustPrivilegeToken 33 IoCs
Processes:
server.exedescription pid process Token: SeDebugPrivilege 3032 server.exe Token: 33 3032 server.exe Token: SeIncBasePriorityPrivilege 3032 server.exe Token: 33 3032 server.exe Token: SeIncBasePriorityPrivilege 3032 server.exe Token: 33 3032 server.exe Token: SeIncBasePriorityPrivilege 3032 server.exe Token: 33 3032 server.exe Token: SeIncBasePriorityPrivilege 3032 server.exe Token: 33 3032 server.exe Token: SeIncBasePriorityPrivilege 3032 server.exe Token: 33 3032 server.exe Token: SeIncBasePriorityPrivilege 3032 server.exe Token: 33 3032 server.exe Token: SeIncBasePriorityPrivilege 3032 server.exe Token: 33 3032 server.exe Token: SeIncBasePriorityPrivilege 3032 server.exe Token: 33 3032 server.exe Token: SeIncBasePriorityPrivilege 3032 server.exe Token: 33 3032 server.exe Token: SeIncBasePriorityPrivilege 3032 server.exe Token: 33 3032 server.exe Token: SeIncBasePriorityPrivilege 3032 server.exe Token: 33 3032 server.exe Token: SeIncBasePriorityPrivilege 3032 server.exe Token: 33 3032 server.exe Token: SeIncBasePriorityPrivilege 3032 server.exe Token: 33 3032 server.exe Token: SeIncBasePriorityPrivilege 3032 server.exe Token: 33 3032 server.exe Token: SeIncBasePriorityPrivilege 3032 server.exe Token: 33 3032 server.exe Token: SeIncBasePriorityPrivilege 3032 server.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
376C8EDBAFB727E3C48081AC3C6751DD6B73E73462C2A.exeserver.exedescription pid process target process PID 1552 wrote to memory of 3032 1552 376C8EDBAFB727E3C48081AC3C6751DD6B73E73462C2A.exe server.exe PID 1552 wrote to memory of 3032 1552 376C8EDBAFB727E3C48081AC3C6751DD6B73E73462C2A.exe server.exe PID 1552 wrote to memory of 3032 1552 376C8EDBAFB727E3C48081AC3C6751DD6B73E73462C2A.exe server.exe PID 3032 wrote to memory of 1104 3032 server.exe netsh.exe PID 3032 wrote to memory of 1104 3032 server.exe netsh.exe PID 3032 wrote to memory of 1104 3032 server.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\376C8EDBAFB727E3C48081AC3C6751DD6B73E73462C2A.exe"C:\Users\Admin\AppData\Local\Temp\376C8EDBAFB727E3C48081AC3C6751DD6B73E73462C2A.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\server.exeMD5
9f9dbbcabdc0f57b9b0d2f81410f5b5f
SHA1b524af77112c726613fac681ba93d174e5c31932
SHA256376c8edbafb727e3c48081ac3c6751dd6b73e73462c2a26794b37cd44be4344d
SHA512e8828f4caa5e325f51ed5cc07e40acbb807485bc28e7df55b11432972dcf28cd749ee543cb63bd4815919f4f24f94aa063acef9c994a5764562061ec9b8cf91b
-
C:\Users\Admin\AppData\Local\Temp\server.exeMD5
9f9dbbcabdc0f57b9b0d2f81410f5b5f
SHA1b524af77112c726613fac681ba93d174e5c31932
SHA256376c8edbafb727e3c48081ac3c6751dd6b73e73462c2a26794b37cd44be4344d
SHA512e8828f4caa5e325f51ed5cc07e40acbb807485bc28e7df55b11432972dcf28cd749ee543cb63bd4815919f4f24f94aa063acef9c994a5764562061ec9b8cf91b
-
C:\Users\Admin\AppData\Roaming\appMD5
bbcd2be775370c1e106e66d077a93f3b
SHA1a44b6a98f30e3275fc304bc3b29e0eab8ae47f20
SHA256a7aa76f137ba550c381cfb8e5195a01963ae49db167e1cd1e0a8b902ed81eda1
SHA512bb6e0d1f24253a9525fd538debf8ca68eb7078cb8539140c184331a854ecdea192fbcc314c4154a0a474c9aec41a79efeb8150922454c3c9e71eeb5297ae2f72
-
memory/1104-121-0x0000000000000000-mapping.dmp
-
memory/1552-115-0x00000000011D0000-0x00000000011D1000-memory.dmpFilesize
4KB
-
memory/3032-116-0x0000000000000000-mapping.dmp
-
memory/3032-120-0x0000000000C80000-0x0000000000C81000-memory.dmpFilesize
4KB