Analysis
max time kernel: 151s
max time network: 151s
platform: windows7_x64
resource: win7-en-20211104
submitted: 30-11-2021 21:19
Behavioral task: behavioral1
Sample: a31e6ca5620db4da55f0ad19e6ce16ef.exe
Resource: win7-en-20211104

Behavioral task: behavioral2
Sample: a31e6ca5620db4da55f0ad19e6ce16ef.exe
Resource: win10-en-20211104
General
Target: a31e6ca5620db4da55f0ad19e6ce16ef.exe
Size: 37KB
MD5: a31e6ca5620db4da55f0ad19e6ce16ef
SHA1: 76977e85c771c15beb0e68054d372528013544fd
SHA256: 5c4644f3f478085f4731a7cb10da859599837a8f5315be6d9e549029bc5c5892
SHA512: 7d767df06e4df25af4cdee1526d8bc5e158748a7bd9ca56e6af571f06e1508e616b274f996a23e242f8ec6c42dab06663e5d1a341596d5fd84804d526dc6de08
Malware Config
Extracted family: njrat
Version: im523
Botnet / campaign ID: HacKed
C2: 4.tcp.ngrok.io:12732
Mutex: 9e02680d81daa6109823601d69f471c3
reg_key: 9e02680d81daa6109823601d69f471c3
splitter: |'|'|
Signatures

Executes dropped EXE (1 IoC)
  Process: server.exe (pid 1484)

Modifies Windows Firewall (1 TTP)

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9e02680d81daa6109823601d69f471c3.exe (process: server.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9e02680d81daa6109823601d69f471c3.exe (process: server.exe)

Loads dropped DLL (1 IoC)
  Process: a31e6ca5620db4da55f0ad19e6ce16ef.exe (pid 2040)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\9e02680d81daa6109823601d69f471c3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." (process: server.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\9e02680d81daa6109823601d69f471c3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." (process: server.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Token: SeDebugPrivilege (pid 1484, server.exe), followed by 15 alternating pairs of Token: 33 and Token: SeIncBasePriorityPrivilege (pid 1484, server.exe).

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2040 (a31e6ca5620db4da55f0ad19e6ce16ef.exe) wrote to memory of PID 1484 (server.exe): 4 entries
  PID 1484 (server.exe) wrote to memory of PID 924 (netsh.exe): 4 entries
Processes

1. C:\Users\Admin\AppData\Local\Temp\a31e6ca5620db4da55f0ad19e6ce16ef.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a31e6ca5620db4da55f0ad19e6ce16ef.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

2. (child of 1) C:\Users\Admin\AppData\Local\Temp\server.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
   - Executes dropped EXE
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

3. (child of 2) C:\Windows\SysWOW64\netsh.exe
   Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe (listed three times in the report: twice as C:\Users\Admin\AppData\Local\Temp\server.exe and once as \Users\Admin\AppData\Local\Temp\server.exe; all three entries carry the same hashes, which are also identical to those of the submitted sample)
MD5: a31e6ca5620db4da55f0ad19e6ce16ef
SHA1: 76977e85c771c15beb0e68054d372528013544fd
SHA256: 5c4644f3f478085f4731a7cb10da859599837a8f5315be6d9e549029bc5c5892
SHA512: 7d767df06e4df25af4cdee1526d8bc5e158748a7bd9ca56e6af571f06e1508e616b274f996a23e242f8ec6c42dab06663e5d1a341596d5fd84804d526dc6de08
memory/924-63-0x0000000000000000-mapping.dmp
memory/1484-58-0x0000000000000000-mapping.dmp
memory/1484-62-0x0000000000350000-0x0000000000351000-memory.dmp (Filesize: 4KB)
memory/2040-55-0x0000000000BD0000-0x0000000000BD1000-memory.dmp (Filesize: 4KB)
memory/2040-56-0x0000000076761000-0x0000000076763000-memory.dmp (Filesize: 8KB)