Analysis
-
max time kernel
152s -
max time network
153s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
10-12-2021 04:58
Behavioral task
behavioral1
Sample
B1A1E14BC010B33F4AAF307745F56EBB6FC7AA2F156C1.exe
Resource
win7-en-20211208
General
-
Target
B1A1E14BC010B33F4AAF307745F56EBB6FC7AA2F156C1.exe
-
Size
93KB
-
MD5
a32cfcc44e02557cdaa58e5d0d0bfecf
-
SHA1
e528b1545dad304a0e11c5b3d85a54bcb6d08124
-
SHA256
b1a1e14bc010b33f4aaf307745f56ebb6fc7aa2f156c1c38c645432ed7bca50e
-
SHA512
7a357c990e953e781cd84e2991d76705312ba9e439d478d2480d9984dad3cca256de294b80dc0c391b89678cf15e080167696a5af0f79b0827fed7eafdf32d60
Malware Config
Extracted
njrat
0.7d
otcuser
FRANSESCOC50Y3Aubmdyb2suaW8Strik:MTAzNzI=
26996ddd51e9bdc1472eeb1acc1c554a
-
reg_key
26996ddd51e9bdc1472eeb1acc1c554a
-
splitter
|'|'|
Signatures
-
Disables Task Manager via registry modification
-
Executes dropped EXE 1 IoCs
Processes:
server.exepid process 1912 server.exe -
Modifies Windows Firewall 1 TTPs
-
Drops startup file 4 IoCs
Processes:
server.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\26996ddd51e9bdc1472eeb1acc1c554aWindows Update.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\26996ddd51e9bdc1472eeb1acc1c554aWindows Update.exe server.exe -
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in Windows directory 2 IoCs
Processes:
B1A1E14BC010B33F4AAF307745F56EBB6FC7AA2F156C1.exeserver.exedescription ioc process File created C:\Windows\server.exe B1A1E14BC010B33F4AAF307745F56EBB6FC7AA2F156C1.exe File opened for modification C:\Windows\server.exe server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
server.exepid process 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe 1912 server.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
server.exepid process 1912 server.exe -
Suspicious use of AdjustPrivilegeToken 35 IoCs
Processes:
server.exedescription pid process Token: SeDebugPrivilege 1912 server.exe Token: 33 1912 server.exe Token: SeIncBasePriorityPrivilege 1912 server.exe Token: 33 1912 server.exe Token: SeIncBasePriorityPrivilege 1912 server.exe Token: 33 1912 server.exe Token: SeIncBasePriorityPrivilege 1912 server.exe Token: 33 1912 server.exe Token: SeIncBasePriorityPrivilege 1912 server.exe Token: 33 1912 server.exe Token: SeIncBasePriorityPrivilege 1912 server.exe Token: 33 1912 server.exe Token: SeIncBasePriorityPrivilege 1912 server.exe Token: 33 1912 server.exe Token: SeIncBasePriorityPrivilege 1912 server.exe Token: 33 1912 server.exe Token: SeIncBasePriorityPrivilege 1912 server.exe Token: 33 1912 server.exe Token: SeIncBasePriorityPrivilege 1912 server.exe Token: 33 1912 server.exe Token: SeIncBasePriorityPrivilege 1912 server.exe Token: 33 1912 server.exe Token: SeIncBasePriorityPrivilege 1912 server.exe Token: 33 1912 server.exe Token: SeIncBasePriorityPrivilege 1912 server.exe Token: 33 1912 server.exe Token: SeIncBasePriorityPrivilege 1912 server.exe Token: 33 1912 server.exe Token: SeIncBasePriorityPrivilege 1912 server.exe Token: 33 1912 server.exe Token: SeIncBasePriorityPrivilege 1912 server.exe Token: 33 1912 server.exe Token: SeIncBasePriorityPrivilege 1912 server.exe Token: 33 1912 server.exe Token: SeIncBasePriorityPrivilege 1912 server.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
B1A1E14BC010B33F4AAF307745F56EBB6FC7AA2F156C1.exeserver.exedescription pid process target process PID 2760 wrote to memory of 1912 2760 B1A1E14BC010B33F4AAF307745F56EBB6FC7AA2F156C1.exe server.exe PID 2760 wrote to memory of 1912 2760 B1A1E14BC010B33F4AAF307745F56EBB6FC7AA2F156C1.exe server.exe PID 2760 wrote to memory of 1912 2760 B1A1E14BC010B33F4AAF307745F56EBB6FC7AA2F156C1.exe server.exe PID 1912 wrote to memory of 504 1912 server.exe netsh.exe PID 1912 wrote to memory of 504 1912 server.exe netsh.exe PID 1912 wrote to memory of 504 1912 server.exe netsh.exe PID 1912 wrote to memory of 1932 1912 server.exe netsh.exe PID 1912 wrote to memory of 1932 1912 server.exe netsh.exe PID 1912 wrote to memory of 1932 1912 server.exe netsh.exe PID 1912 wrote to memory of 2304 1912 server.exe netsh.exe PID 1912 wrote to memory of 2304 1912 server.exe netsh.exe PID 1912 wrote to memory of 2304 1912 server.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\B1A1E14BC010B33F4AAF307745F56EBB6FC7AA2F156C1.exe"C:\Users\Admin\AppData\Local\Temp\B1A1E14BC010B33F4AAF307745F56EBB6FC7AA2F156C1.exe"1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\server.exe"C:\Windows\server.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Windows\server.exe"3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\appMD5
bbcd2be775370c1e106e66d077a93f3b
SHA1a44b6a98f30e3275fc304bc3b29e0eab8ae47f20
SHA256a7aa76f137ba550c381cfb8e5195a01963ae49db167e1cd1e0a8b902ed81eda1
SHA512bb6e0d1f24253a9525fd538debf8ca68eb7078cb8539140c184331a854ecdea192fbcc314c4154a0a474c9aec41a79efeb8150922454c3c9e71eeb5297ae2f72
-
C:\Windows\server.exeMD5
a32cfcc44e02557cdaa58e5d0d0bfecf
SHA1e528b1545dad304a0e11c5b3d85a54bcb6d08124
SHA256b1a1e14bc010b33f4aaf307745f56ebb6fc7aa2f156c1c38c645432ed7bca50e
SHA5127a357c990e953e781cd84e2991d76705312ba9e439d478d2480d9984dad3cca256de294b80dc0c391b89678cf15e080167696a5af0f79b0827fed7eafdf32d60
-
C:\Windows\server.exeMD5
a32cfcc44e02557cdaa58e5d0d0bfecf
SHA1e528b1545dad304a0e11c5b3d85a54bcb6d08124
SHA256b1a1e14bc010b33f4aaf307745f56ebb6fc7aa2f156c1c38c645432ed7bca50e
SHA5127a357c990e953e781cd84e2991d76705312ba9e439d478d2480d9984dad3cca256de294b80dc0c391b89678cf15e080167696a5af0f79b0827fed7eafdf32d60
-
memory/504-121-0x0000000000000000-mapping.dmp
-
memory/1912-116-0x0000000000000000-mapping.dmp
-
memory/1912-120-0x0000000002B30000-0x0000000002B31000-memory.dmpFilesize
4KB
-
memory/1932-122-0x0000000000000000-mapping.dmp
-
memory/2304-123-0x0000000000000000-mapping.dmp
-
memory/2760-115-0x0000000002D80000-0x0000000002D81000-memory.dmpFilesize
4KB