Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
10-12-2021 04:58
Behavioral task
behavioral1
Sample
B1A1E14BC010B33F4AAF307745F56EBB6FC7AA2F156C1.exe
Resource
win7-en-20211208
General
-
Target
B1A1E14BC010B33F4AAF307745F56EBB6FC7AA2F156C1.exe
-
Size
93KB
-
MD5
a32cfcc44e02557cdaa58e5d0d0bfecf
-
SHA1
e528b1545dad304a0e11c5b3d85a54bcb6d08124
-
SHA256
b1a1e14bc010b33f4aaf307745f56ebb6fc7aa2f156c1c38c645432ed7bca50e
-
SHA512
7a357c990e953e781cd84e2991d76705312ba9e439d478d2480d9984dad3cca256de294b80dc0c391b89678cf15e080167696a5af0f79b0827fed7eafdf32d60
Malware Config
Extracted
njrat
0.7d
otcuser
FRANSESCOC50Y3Aubmdyb2suaW8Strik:MTAzNzI=
26996ddd51e9bdc1472eeb1acc1c554a
-
reg_key
26996ddd51e9bdc1472eeb1acc1c554a
-
splitter
|'|'|
Signatures
-
Disables Task Manager via registry modification
-
Executes dropped EXE 1 IoCs
Processes (pid, process):
- 1348 server.exe
Modifies Windows Firewall 1 TTPs
-
Drops startup file 4 IoCs
Processes (description, ioc, process):
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\26996ddd51e9bdc1472eeb1acc1c554aWindows Update.exe | server.exe
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | server.exe
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | server.exe
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\26996ddd51e9bdc1472eeb1acc1c554aWindows Update.exe | server.exe
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in Windows directory 2 IoCs
Processes (description, ioc, process):
- File created | C:\Windows\server.exe | B1A1E14BC010B33F4AAF307745F56EBB6FC7AA2F156C1.exe
- File opened for modification | C:\Windows\server.exe | server.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process):
- 1348 server.exe (64 identical entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid, process):
- 1348 server.exe
Suspicious use of AdjustPrivilegeToken 37 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege | 1348 | server.exe
- Token: 33 | 1348 | server.exe
- Token: SeIncBasePriorityPrivilege | 1348 | server.exe
  (the last two entries alternate a further 17 times each, 37 entries in total)
Suspicious use of WriteProcessMemory 16 IoCs
Processes (description, pid, process, target process):
- PID 796 wrote to memory of 1348 | 796 | B1A1E14BC010B33F4AAF307745F56EBB6FC7AA2F156C1.exe | server.exe (4 entries)
- PID 1348 wrote to memory of 1572 | 1348 | server.exe | netsh.exe (4 entries)
- PID 1348 wrote to memory of 300 | 1348 | server.exe | netsh.exe (4 entries)
- PID 1348 wrote to memory of 880 | 1348 | server.exe | netsh.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\B1A1E14BC010B33F4AAF307745F56EBB6FC7AA2F156C1.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\B1A1E14BC010B33F4AAF307745F56EBB6FC7AA2F156C1.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\server.exe (level 2)
    command line: "C:\Windows\server.exe"
    - Executes dropped EXE
    - Drops startup file
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (level 3)
      command line: netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
    - C:\Windows\SysWOW64\netsh.exe (level 3)
      command line: netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
    - C:\Windows\SysWOW64\netsh.exe (level 3)
      command line: netsh firewall delete allowedprogram "C:\Windows\server.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\app
  MD5 a65a8cc18c0fdcac3b78ed8f032e2f98
  SHA1 9087f7aaf4edf3b132348b1e5dfa7a678d57d40e
  SHA256 ca1c5c735384c64968c987e3e608cb48a3cbd73e870f1bc6d60f2b24f9445e3a
  SHA512 8e56c9aa0c90fb30b488fa72a0b9d40e69c357e32d8e6f9d5a299dfbf9df8c896c28684d7163972019ab53dfcfe35dc75e9b305e07c81b9984a410e04b96186d
- C:\Windows\server.exe
  MD5 a32cfcc44e02557cdaa58e5d0d0bfecf
  SHA1 e528b1545dad304a0e11c5b3d85a54bcb6d08124
  SHA256 b1a1e14bc010b33f4aaf307745f56ebb6fc7aa2f156c1c38c645432ed7bca50e
  SHA512 7a357c990e953e781cd84e2991d76705312ba9e439d478d2480d9984dad3cca256de294b80dc0c391b89678cf15e080167696a5af0f79b0827fed7eafdf32d60
- memory/300-63-0x0000000000000000-mapping.dmp
- memory/796-53-0x0000000075761000-0x0000000075763000-memory.dmp (filesize 8KB)
- memory/796-54-0x0000000000150000-0x0000000000151000-memory.dmp (filesize 4KB)
- memory/880-64-0x0000000000000000-mapping.dmp
- memory/1348-55-0x0000000000000000-mapping.dmp
- memory/1348-60-0x0000000000090000-0x0000000000091000-memory.dmp (filesize 4KB)
- memory/1572-61-0x0000000000000000-mapping.dmp