Analysis
- max time kernel: 151s
- max time network: 152s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 13-11-2021 19:22

Static task: static1
Behavioral task: behavioral1
Sample: aee836f94d476c42f3078f1463aa6e80.exe
Resource: win7-en-20211014
General
- Target: aee836f94d476c42f3078f1463aa6e80.exe
- Size: 360KB
- MD5: aee836f94d476c42f3078f1463aa6e80
- SHA1: 7d53870bb3386d62020062839622933f7cbb6c1d
- SHA256: 1339aec2f0f3c803e549efce6e60bb3e7030b30b3959521554584b454f8b3b80
- SHA512: d3328b3aede2f30fdb2b4b49cd7df51b14a374219c3a65a101c2943c7954df6bd9a7759f2628f57a42fb9da201dd55c1fa750e435bca72ed24251cb1942044cb
Malware Config
Extracted:
- family: njrat
- version: 0.7d
- botnet: HacKed
- c2: rorayan1234.ddns.net:1177
- mutex: 081e607e651641c7b259dbca3265a32e
- reg_key: 081e607e651641c7b259dbca3265a32e
- splitter: Y262SUCZ4UJJ
Signatures
- Executes dropped EXE (2 IoCs)
  pid / process:
  856 Client.exe
  408 server.exe
- Modifies Windows Firewall (1 TTP)
- Loads dropped DLL (4 IoCs)
  pid / process:
  268 aee836f94d476c42f3078f1463aa6e80.exe (3 entries)
  856 Client.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (27 IoCs)
  pid 408 server.exe: Token: SeDebugPrivilege (1 entry), Token: 33 (13 entries), Token: SeIncBasePriorityPrivilege (13 entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  source pid / process -> target pid / process:
  268 aee836f94d476c42f3078f1463aa6e80.exe -> 856 Client.exe (4 entries)
  856 Client.exe -> 408 server.exe (4 entries)
  408 server.exe -> 1672 netsh.exe (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\aee836f94d476c42f3078f1463aa6e80.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\aee836f94d476c42f3078f1463aa6e80.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Client.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Client.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\server.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\netsh.exe
            command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Downloads
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  MD5: 226476efe7eadc5218fae9a773dae549
  SHA1: 020cd630821a60e7c605423c55df0bd49ce2a624
  SHA256: 2cec2446796586d7565f1765cb3767c342744770767d76d94e5517a39f15cdbf
  SHA512: fa95c0fece906b1e4fbfbe34798f60dee0d5f955c3b5c86f40f91cfcfb5571a9b0be7204bfc2d3f244e9c88ad62d8b33b09b145c8fed9e3f302c578b35306c46
- C:\Users\Admin\AppData\Local\Temp\server.exe
  MD5: 226476efe7eadc5218fae9a773dae549
  SHA1: 020cd630821a60e7c605423c55df0bd49ce2a624
  SHA256: 2cec2446796586d7565f1765cb3767c342744770767d76d94e5517a39f15cdbf
  SHA512: fa95c0fece906b1e4fbfbe34798f60dee0d5f955c3b5c86f40f91cfcfb5571a9b0be7204bfc2d3f244e9c88ad62d8b33b09b145c8fed9e3f302c578b35306c46
Memory dumps
- memory/268-63-0x0000000000750000-0x0000000000751000-memory.dmp (filesize 4KB)
- memory/268-55-0x0000000075BA1000-0x0000000075BA3000-memory.dmp (filesize 8KB)
- memory/408-66-0x0000000000000000-mapping.dmp
- memory/408-70-0x0000000000D10000-0x0000000000D11000-memory.dmp (filesize 4KB)
- memory/856-59-0x0000000000000000-mapping.dmp
- memory/856-64-0x0000000000B30000-0x0000000000B31000-memory.dmp (filesize 4KB)
- memory/1672-71-0x0000000000000000-mapping.dmp