Analysis
- max time kernel: 150s
- max time network: 145s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 30-11-2021 01:40
Behavioral task behavioral1
- Sample: ea6e1e414c8447ceb06f18ffe15fa3c0a25c51549339abd708b4241ff8dd848e.exe
- Resource: win7-en-20211104
Behavioral task behavioral2
- Sample: ea6e1e414c8447ceb06f18ffe15fa3c0a25c51549339abd708b4241ff8dd848e.exe
- Resource: win10-en-20211104
General
- Target: ea6e1e414c8447ceb06f18ffe15fa3c0a25c51549339abd708b4241ff8dd848e.exe
- Size: 23KB
- MD5: 4a9a55ab3ade85e8d79eb480b2792135
- SHA1: 8731a76046282b645b3a106650cee02481f10bf0
- SHA256: ea6e1e414c8447ceb06f18ffe15fa3c0a25c51549339abd708b4241ff8dd848e
- SHA512: 97b2990f012302bdfb33136791bac0f013cb702d91b4f31371b8f6020a907b0c1f580098e316c08e6e48ff1f3269bfe915431931e604b7ed4aaa0cb9c74c2cfc
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: 172.20.10.5:5552
- Mutex: ec10a8650967b67507124264e21a7053
- reg_key: ec10a8650967b67507124264e21a7053
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: Ser.exe
  pid | process
  568 | Ser.exe
- Modifies Windows Firewall (1 TTPs)
- Drops startup file (2 IoCs)
  Processes: Ser.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ec10a8650967b67507124264e21a7053.exe | Ser.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ec10a8650967b67507124264e21a7053.exe | Ser.exe
- Loads dropped DLL (1 IoCs)
  Processes: ea6e1e414c8447ceb06f18ffe15fa3c0a25c51549339abd708b4241ff8dd848e.exe
  pid | process
  2036 | ea6e1e414c8447ceb06f18ffe15fa3c0a25c51549339abd708b4241ff8dd848e.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: Ser.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\ec10a8650967b67507124264e21a7053 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Ser.exe\" .." | Ser.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ec10a8650967b67507124264e21a7053 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Ser.exe\" .." | Ser.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Processes: Ser.exe
  description | pid | process
  Token: SeDebugPrivilege | 568 | Ser.exe
  Token: 33 | 568 | Ser.exe
  Token: SeIncBasePriorityPrivilege | 568 | Ser.exe
  Token: 33 | 568 | Ser.exe
  Token: SeIncBasePriorityPrivilege | 568 | Ser.exe
  Token: 33 | 568 | Ser.exe
  Token: SeIncBasePriorityPrivilege | 568 | Ser.exe
  Token: 33 | 568 | Ser.exe
  Token: SeIncBasePriorityPrivilege | 568 | Ser.exe
  Token: 33 | 568 | Ser.exe
  Token: SeIncBasePriorityPrivilege | 568 | Ser.exe
  Token: 33 | 568 | Ser.exe
  Token: SeIncBasePriorityPrivilege | 568 | Ser.exe
  Token: 33 | 568 | Ser.exe
  Token: SeIncBasePriorityPrivilege | 568 | Ser.exe
  Token: 33 | 568 | Ser.exe
  Token: SeIncBasePriorityPrivilege | 568 | Ser.exe
  Token: 33 | 568 | Ser.exe
  Token: SeIncBasePriorityPrivilege | 568 | Ser.exe
  Token: 33 | 568 | Ser.exe
  Token: SeIncBasePriorityPrivilege | 568 | Ser.exe
  Token: 33 | 568 | Ser.exe
  Token: SeIncBasePriorityPrivilege | 568 | Ser.exe
  Token: 33 | 568 | Ser.exe
  Token: SeIncBasePriorityPrivilege | 568 | Ser.exe
  Token: 33 | 568 | Ser.exe
  Token: SeIncBasePriorityPrivilege | 568 | Ser.exe
  Token: 33 | 568 | Ser.exe
  Token: SeIncBasePriorityPrivilege | 568 | Ser.exe
  Token: 33 | 568 | Ser.exe
  Token: SeIncBasePriorityPrivilege | 568 | Ser.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: ea6e1e414c8447ceb06f18ffe15fa3c0a25c51549339abd708b4241ff8dd848e.exe, Ser.exe
  description | pid | process | target process
  PID 2036 wrote to memory of 568 | 2036 | ea6e1e414c8447ceb06f18ffe15fa3c0a25c51549339abd708b4241ff8dd848e.exe | Ser.exe
  PID 2036 wrote to memory of 568 | 2036 | ea6e1e414c8447ceb06f18ffe15fa3c0a25c51549339abd708b4241ff8dd848e.exe | Ser.exe
  PID 2036 wrote to memory of 568 | 2036 | ea6e1e414c8447ceb06f18ffe15fa3c0a25c51549339abd708b4241ff8dd848e.exe | Ser.exe
  PID 2036 wrote to memory of 568 | 2036 | ea6e1e414c8447ceb06f18ffe15fa3c0a25c51549339abd708b4241ff8dd848e.exe | Ser.exe
  PID 568 wrote to memory of 856 | 568 | Ser.exe | netsh.exe
  PID 568 wrote to memory of 856 | 568 | Ser.exe | netsh.exe
  PID 568 wrote to memory of 856 | 568 | Ser.exe | netsh.exe
  PID 568 wrote to memory of 856 | 568 | Ser.exe | netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ea6e1e414c8447ceb06f18ffe15fa3c0a25c51549339abd708b4241ff8dd848e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ea6e1e414c8447ceb06f18ffe15fa3c0a25c51549339abd708b4241ff8dd848e.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2036
  - C:\Users\Admin\AppData\Local\Temp\Ser.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Ser.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 568
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Ser.exe" "Ser.exe" ENABLE
      PID: 856
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Ser.exe
  MD5: 4a9a55ab3ade85e8d79eb480b2792135
  SHA1: 8731a76046282b645b3a106650cee02481f10bf0
  SHA256: ea6e1e414c8447ceb06f18ffe15fa3c0a25c51549339abd708b4241ff8dd848e
  SHA512: 97b2990f012302bdfb33136791bac0f013cb702d91b4f31371b8f6020a907b0c1f580098e316c08e6e48ff1f3269bfe915431931e604b7ed4aaa0cb9c74c2cfc
- \Users\Admin\AppData\Local\Temp\Ser.exe
  MD5: 4a9a55ab3ade85e8d79eb480b2792135
  SHA1: 8731a76046282b645b3a106650cee02481f10bf0
  SHA256: ea6e1e414c8447ceb06f18ffe15fa3c0a25c51549339abd708b4241ff8dd848e
  SHA512: 97b2990f012302bdfb33136791bac0f013cb702d91b4f31371b8f6020a907b0c1f580098e316c08e6e48ff1f3269bfe915431931e604b7ed4aaa0cb9c74c2cfc
- memory/568-58-0x0000000000000000-mapping.dmp
- memory/568-62-0x0000000001EE0000-0x0000000001EE1000-memory.dmp (Filesize: 4KB)
- memory/856-63-0x0000000000000000-mapping.dmp
- memory/2036-55-0x0000000075881000-0x0000000075883000-memory.dmp (Filesize: 8KB)
- memory/2036-56-0x00000000003C0000-0x00000000003C1000-memory.dmp (Filesize: 4KB)