Analysis
  Max time kernel: 161s
  Max time network: 172s
  Platform: windows10_x64
  Resource: win10-en-20211104
  Submitted: 13-11-2021 19:22
  Static task: static1
  Behavioral task: behavioral1
    Sample: aee836f94d476c42f3078f1463aa6e80.exe
    Resource: win7-en-20211014
General
  Target: aee836f94d476c42f3078f1463aa6e80.exe
  Size: 360KB
  MD5: aee836f94d476c42f3078f1463aa6e80
  SHA1: 7d53870bb3386d62020062839622933f7cbb6c1d
  SHA256: 1339aec2f0f3c803e549efce6e60bb3e7030b30b3959521554584b454f8b3b80
  SHA512: d3328b3aede2f30fdb2b4b49cd7df51b14a374219c3a65a101c2943c7954df6bd9a7759f2628f57a42fb9da201dd55c1fa750e435bca72ed24251cb1942044cb
Malware Config
  Extracted
    Family: njrat
    Version: 0.7d
    Botnet/campaign name: HacKed
    C2: rorayan1234.ddns.net:1177
    (unlabelled field in source): 081e607e651641c7b259dbca3265a32e
    reg_key: 081e607e651641c7b259dbca3265a32e
    splitter: Y262SUCZ4UJJ
  Notes: "HacKed" is the njRAT builder's default campaign name and 1177 its default port, so this is most likely an off-the-shelf build with only the C2 host changed. The host is a dynamic-DNS name, so resolve it at hunt time rather than pinning a single IP. The splitter is the delimiter the client puts between fields in its C2 messages; a custom value such as this one defeats naive network signatures written for the stock delimiter (|'|'|). The unlabelled value is identical to reg_key; the source does not name the field.
Signatures
  Executes dropped EXE (2 IoCs)
    PID 4028  Client.exe
    PID 2028  server.exe
  Modifies Windows Firewall (1 TTP)
    See the netsh.exe command line in the process tree: server.exe adds itself as an allowed program.
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). The sandbox's canned text calls this "likely ransomware behaviour", but the signature is a generic heuristic. For an njRAT client, drive enumeration is consistent with its file-manager and removable-drive features, and nothing else in this report points to ransomware.
  Suspicious use of AdjustPrivilegeToken (33 IoCs)
    All 33 entries belong to server.exe (PID 2028): SeDebugPrivilege once, then 16 repetitions of the pair "Token: 33" followed by SeIncBasePriorityPrivilege. The sandbox prints privilege 33 by its raw constant; in winnt.h that value is SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege). SeDebugPrivilege is the one worth alerting on: it is what a process needs to open other users' and system processes for injection or credential access.
  Suspicious use of WriteProcessMemory (9 IoCs)
    Source PID  Source process                        Target PID  Target process  Writes
    2608        aee836f94d476c42f3078f1463aa6e80.exe  4028        Client.exe      3
    4028        Client.exe                            2028        server.exe      3
    2028        server.exe                            392         netsh.exe       3
    The sandbox raises this for any cross-process write. A parent writing three times into a child it has just created is also what ordinary process start-up looks like, so this signature on its own does not prove injection; the process tree and the firewall change are the stronger evidence here.
Processes
  C:\Users\Admin\AppData\Local\Temp\aee836f94d476c42f3078f1463aa6e80.exe  (PID 2608, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\aee836f94d476c42f3078f1463aa6e80.exe"
    Signatures: Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Client.exe  (PID 4028, depth 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Client.exe"
      Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\server.exe  (PID 2028, depth 3)
        Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
        Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\netsh.exe  (PID 392, depth 4)
          Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
  Two details of the last node matter for detection. The image is the SysWOW64 copy of netsh.exe, which means the 32-bit parent was redirected by WOW64, so the njRAT client is a 32-bit binary. The command uses the deprecated "netsh firewall" context rather than "netsh advfirewall firewall"; current Windows still honours it (with a deprecation notice), and legitimate administration rarely uses it, so the legacy syntax is itself a useful pivot.
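Detection logic for what this process tree records, written as an added example rather than anything produced by the sandbox or the sample: a firewall exception created for a program in a user-writable directory, an executable chain running entirely from %TEMP%, and a connection to the extracted C2. The event records are constructed from the report's process tree (PIDs and paths as reported); the parent PID 1000 of the first process, the benign advfirewall control event and the NETCONNS list are made up.

```python
"""Hunt over constructed process-creation events for the behaviours in this
report. Added example, not sandbox output. PIDs and paths of the first four
events come from the report; parent PID 1000, the benign control event
(PID 5000) and NETCONNS are constructed."""
import re
from dataclasses import dataclass

# Indicators from the report's extracted njRAT config.
C2_HOST = "rorayan1234.ddns.net"
C2_PORT = 1177

# Directories an unprivileged user can write to. A firewall exception for a
# program living here deserves far more scrutiny than one under Program Files.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|Users\\Public|ProgramData)\\", re.I)

# Legacy "netsh firewall" syntax (used by the sample) and the advfirewall form.
# Group 1 captures a quoted path, group 2 an unquoted one.
LEGACY_FW = re.compile(
    r'netsh(?:\.exe)?\s+firewall\s+add\s+allowedprogram\s+(?:program=)?(?:"([^"]+)"|(\S+))', re.I)
ADV_FW = re.compile(
    r'netsh(?:\.exe)?\s+advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=(?:"([^"]+)"|(\S+))', re.I)


@dataclass
class ProcEvent:  # the fields of a Sysmon event ID 1 record that matter here
    pid: int
    ppid: int
    image: str
    cmdline: str


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
EVENTS = [
    ProcEvent(2608, 1000, TEMP + r"\aee836f94d476c42f3078f1463aa6e80.exe",
              '"' + TEMP + r'\aee836f94d476c42f3078f1463aa6e80.exe"'),
    ProcEvent(4028, 2608, TEMP + r"\Client.exe", '"' + TEMP + r'\Client.exe"'),
    ProcEvent(2028, 4028, TEMP + r"\server.exe", '"' + TEMP + r'\server.exe"'),
    ProcEvent(392, 2028, r"C:\Windows\SysWOW64\netsh.exe",
              'netsh firewall add allowedprogram "' + TEMP + r'\server.exe" "server.exe" ENABLE'),
    # Constructed benign control: an admin tool allowed from Program Files.
    ProcEvent(5000, 4000, r"C:\Windows\System32\netsh.exe",
              r'netsh advfirewall firewall add rule name="Backup Agent" dir=in action=allow '
              r'program="C:\Program Files\Backup\agent.exe"'),
]


def firewall_exception_target(cmdline):
    """Program path a netsh command whitelists, or None if it is not such a command."""
    for rx in (LEGACY_FW, ADV_FW):
        m = rx.search(cmdline)
        if m:
            return m.group(1) or m.group(2)
    return None


def suspicious_firewall_exceptions(events):
    """(pid, path) for every firewall exception whose program sits in a user-writable dir."""
    hits = []
    for ev in events:
        path = firewall_exception_target(ev.cmdline)
        if path and USER_WRITABLE.search(path):
            hits.append((ev.pid, path))
    return hits


def ancestry(events, pid):
    """Image file names from `pid` up to the root of the recorded tree, child first."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image.rsplit("\\", 1)[-1])
        pid = by_pid[pid].ppid
    return chain


def temp_chain_depth(events, pid):
    """Consecutive ancestors of `pid` (inclusive) that run from user-writable directories."""
    by_pid = {e.pid: e for e in events}
    depth = 0
    while pid in by_pid and USER_WRITABLE.search(by_pid[pid].image):
        depth += 1
        pid = by_pid[pid].ppid
    return depth


NETCONNS = [("rorayan1234.ddns.net", 1177), ("www.msftconnecttest.com", 80)]  # constructed


def c2_connections(conns):
    """Connections matching the config's C2 host and port (host compared case-insensitively)."""
    return [(h, p) for h, p in conns if h.lower() == C2_HOST and p == C2_PORT]


if __name__ == "__main__":
    for pid, path in suspicious_firewall_exceptions(EVENTS):
        print(f"PID {pid}: firewall exception for {path}; chain: {' <- '.join(ancestry(EVENTS, pid))}")
    print("C2 hits:", c2_connections(NETCONNS))
```

The firewall check deliberately keys on where the whitelisted program lives rather than on netsh itself, which keeps the constructed Program Files rule out of the results while still catching the legacy and advfirewall spellings. temp_chain_depth turns the three-deep %TEMP% chain in the report into a single number that is easy to threshold in a rule.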
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  C:\Users\Admin\AppData\Local\Temp\Client.exe
    MD5: 226476efe7eadc5218fae9a773dae549
    SHA1: 020cd630821a60e7c605423c55df0bd49ce2a624
    SHA256: 2cec2446796586d7565f1765cb3767c342744770767d76d94e5517a39f15cdbf
    SHA512: fa95c0fece906b1e4fbfbe34798f60dee0d5f955c3b5c86f40f91cfcfb5571a9b0be7204bfc2d3f244e9c88ad62d8b33b09b145c8fed9e3f302c578b35306c46
  C:\Users\Admin\AppData\Local\Temp\server.exe
    MD5: 226476efe7eadc5218fae9a773dae549
    SHA1: 020cd630821a60e7c605423c55df0bd49ce2a624
    SHA256: 2cec2446796586d7565f1765cb3767c342744770767d76d94e5517a39f15cdbf
    SHA512: fa95c0fece906b1e4fbfbe34798f60dee0d5f955c3b5c86f40f91cfcfb5571a9b0be7204bfc2d3f244e9c88ad62d8b33b09b145c8fed9e3f302c578b35306c46
  Client.exe and server.exe are byte-for-byte identical (all four digests match), and neither matches the 360KB submitted sample. The outer executable is therefore a wrapper that drops the njRAT client as Client.exe, which in turn runs an identical copy under the name server.exe, the name the firewall exception refers to. Hash-based blocking should target the dropped payload (MD5 226476efe7eadc5218fae9a773dae549) as well as the submitted file.
  Memory dumps
    memory/392-128-0x0000000000000000-mapping.dmp
    memory/2028-124-0x0000000000000000-mapping.dmp
    memory/2028-127-0x0000000002410000-0x0000000002411000-memory.dmp  (4KB)
    memory/2608-118-0x0000000002420000-0x0000000002421000-memory.dmp  (4KB)
    memory/2608-119-0x0000000002420000-0x0000000002421000-memory.dmp  (4KB)
    memory/4028-120-0x0000000000000000-mapping.dmp
    memory/4028-123-0x0000000002760000-0x0000000002761000-memory.dmp  (4KB)