Analysis
- max time kernel: 150s
- max time network: 118s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 15-12-2021 23:04
Behavioral task behavioral1
- Sample: tmp/42b65022-e76e-41d7-94f1-6dd7b719243c_server.exe
- Resource: win7-en-20211208
Behavioral task behavioral2
- Sample: tmp/42b65022-e76e-41d7-94f1-6dd7b719243c_server.exe
- Resource: win10-en-20211208
The signatures, process tree and artifacts below are from the windows7_x64 run (behavioral1), as the platform field above indicates.
General
- Target: tmp/42b65022-e76e-41d7-94f1-6dd7b719243c_server.exe
- Size: 22KB
- MD5: c53d13780336aefe9b4318b19eba09a0
- SHA1: 90682596f5da8e19c88f77d74a569d8da8521cfa
- SHA256: 8774a2f15efbfc88e6a7c1831074909d1fbddbe895f2d900b111ccce16178c03
- SHA512: 9a7249c1d5e33add5b0d84dee20e5641789d202f774e77e3a902271550e88f35f2a7d0f70a151a46908d87d91e19641296e6e4ec94d5ba52aec65ef73a3c4c83
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet / campaign ID: test
- C2: 127.0.0.1:1443
- Identifier: 74cc423dce7f45f8f93124254b62aa00 (unlabelled in the extractor output; the same value is reused as the reg_key below, as the Run value name and as the startup file name)
- reg_key: 74cc423dce7f45f8f93124254b62aa00
- splitter: |'|'|
The C2 is the loopback address and the campaign ID is "test", so this is most likely a builder test build rather than a deployed sample. The splitter string is the field delimiter njRAT uses in its command traffic and is a usable network signature even when, as here, the C2 address is not.
Signatures
-
Executes dropped EXE (1 IoC)
- Process: worm.exe, PID 1288
Modifies Windows Firewall (1 TTP)
- Evidence: worm.exe launches netsh firewall add allowedprogram (see the process tree below) to register itself as an allowed program, so the host firewall will not interfere with the binary's connections.
-
Drops startup file (2 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\74cc423dce7f45f8f93124254b62aa00.exe (by worm.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\74cc423dce7f45f8f93124254b62aa00.exe (by worm.exe)
-
Loads dropped DLL (2 IoCs)
- Process: 42b65022-e76e-41d7-94f1-6dd7b719243c_server.exe, PID 1544 (two load events)
-
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\74cc423dce7f45f8f93124254b62aa00 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\worm.exe\" .." (by worm.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\74cc423dce7f45f8f93124254b62aa00 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\worm.exe\" .." (by worm.exe)
Both the user's hive (HKCU) and the machine-wide 32-bit view (HKLM\SOFTWARE\Wow6432Node) get a Run value named after the config identifier, and the recorded command line carries a trailing " .." argument. The Run values point at %TEMP%\worm.exe while the startup-folder copy above uses the identifier as its file name, so cleanup has to remove both Run values, the startup file and the %TEMP% binary.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature says "likely ransomware behaviour", but nothing else in this analysis shows file encryption; for an njRAT build whose dropped copy is named worm.exe, enumerating drives is more consistent with checking for removable media to copy itself to.
-
Suspicious use of AdjustPrivilegeToken (33 IoCs)
- Process: worm.exe, PID 1288
- Token: SeDebugPrivilege (1 event)
- Token: 33 (16 events; the sandbox prints this privilege by number only; value 33 in winnt.h is SE_INC_WORKING_SET_PRIVILEGE, i.e. SeIncreaseWorkingSetPrivilege)
- Token: SeIncBasePriorityPrivilege (16 events)
The 33 events are the single SeDebugPrivilege request followed by 16 repetitions of the pair (33, SeIncBasePriorityPrivilege).
Suspicious use of WriteProcessMemory (8 IoCs)
- PID 1544 (42b65022-e76e-41d7-94f1-6dd7b719243c_server.exe) wrote to memory of PID 1288 (worm.exe): 4 events
- PID 1288 (worm.exe) wrote to memory of PID 280 (netsh.exe): 4 events
In both cases the target is the writer's own child from the process tree below. Writes into a just-created child are what ordinary process start-up looks like, but process hollowing also writes into a suspended child, so the PID 1288 memory dumps listed under Downloads are where to confirm whether worm.exe was replaced in memory.
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\tmp\42b65022-e76e-41d7-94f1-6dd7b719243c_server.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp\42b65022-e76e-41d7-94f1-6dd7b719243c_server.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Users\Admin\AppData\Local\Temp\worm.exe (child of level 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\worm.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\SysWOW64\netsh.exe (child of level 2)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\worm.exe" "worm.exe" ENABLE
netsh is started from SysWOW64, so worm.exe is a 32-bit process on this x64 host, which matches the Wow6432Node Run key above. The legacy "netsh firewall" context is deprecated in favour of "netsh advfirewall" but still works on Windows 7, and a firewall exception for a binary under %TEMP% is a strong detection signal on its own.
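The process tree and the signatures above describe one chain: a binary in %TEMP% spawns a second binary in %TEMP%, which drops a copy into the Startup folder, writes Run keys pointing back at %TEMP%, and runs netsh to whitelist itself. The following is an added example, not part of the sandbox report, showing how that chain can be detected and correlated from endpoint telemetry. The events are constructed to mirror this report's process tree and IoCs in a Sysmon-like shape (event 1 = process create, 11 = file create, 13 = registry value set); the field names, the event list and the benign control entry are this example's own assumptions, not telemetry exported from the sandbox.

```python
"""Detect the njRAT-style persistence + firewall-tampering chain from this report.

Added example. Events are constructed (Sysmon-like: 1 = process create,
11 = file create, 13 = registry value set); field names are this example's own.
"""
import re

SERVER = r"C:\Users\Admin\AppData\Local\Temp\tmp\42b65022-e76e-41d7-94f1-6dd7b719243c_server.exe"
WORM = r"C:\Users\Admin\AppData\Local\Temp\worm.exe"

# Constructed events mirroring the report's process tree; PIDs are the report's.
EVENTS = [
    {"id": 1, "pid": 1544, "ppid": 1000, "image": SERVER,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": f'"{SERVER}"'},
    {"id": 1, "pid": 1288, "ppid": 1544, "image": WORM,
     "parent_image": SERVER, "cmdline": f'"{WORM}"'},
    {"id": 11, "pid": 1288, "image": WORM,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\74cc423dce7f45f8f93124254b62aa00.exe"},
    {"id": 13, "pid": 1288, "image": WORM,
     "target": r"HKU\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\74cc423dce7f45f8f93124254b62aa00",
     "details": f'"{WORM}" ..'},
    {"id": 1, "pid": 280, "ppid": 1288, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "parent_image": WORM,
     "cmdline": f'netsh firewall add allowedprogram "{WORM}" "worm.exe" ENABLE'},
    # Benign control (assumed): an admin whitelisting a program under Program Files.
    {"id": 1, "pid": 900, "ppid": 400, "image": r"C:\Windows\System32\netsh.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="App" dir=in action=allow program="C:\Program Files\App\app.exe"'},
]

# Locations an unprivileged user can write to. A binary living here that
# persists or punches firewall holes is far more suspicious than one in Program Files.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)
# Legacy "netsh firewall" context (used by this sample) and the newer advfirewall one.
FIREWALL_ADD = re.compile(
    r"\bnetsh(\.exe)?\b.*\b(firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)\b", re.I)
RUN_KEY = re.compile(r"\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)


def detect(events):
    """Return (rule, owner_pid, evidence) tuples.

    A netsh hit is attributed to the parent that launched it (ppid), so every
    finding for this chain lands on worm.exe rather than on the LOLBin."""
    findings = []
    for e in events:
        if e["id"] == 1:
            if FIREWALL_ADD.search(e["cmdline"]) and USER_WRITABLE.search(e["cmdline"]):
                findings.append(("firewall_exception_for_user_writable_binary", e["ppid"], e["cmdline"]))
            elif USER_WRITABLE.search(e["image"]) and USER_WRITABLE.search(e["parent_image"]):
                findings.append(("temp_binary_spawned_by_temp_binary", e["pid"], e["image"]))
        elif e["id"] == 11 and STARTUP_DIR.search(e["target"]):
            findings.append(("startup_folder_drop", e["pid"], e["target"]))
        elif e["id"] == 13 and RUN_KEY.search(e["target"]) and USER_WRITABLE.search(e["details"]):
            findings.append(("run_key_to_user_writable_path", e["pid"], e["details"]))
    return findings


def escalate(findings, min_rules=2):
    """Group findings by owning PID. A process that trips several independent
    rules is escalated; a lone hit (one Run key, say) stays informational."""
    by_pid = {}
    for rule, pid, evidence in findings:
        by_pid.setdefault(pid, {})[rule] = evidence
    return {pid: rules for pid, rules in by_pid.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    hits = detect(EVENTS)
    for rule, pid, evidence in hits:
        print(f"{rule:45} pid={pid} {evidence}")
    for pid, rules in escalate(hits).items():
        print(f"ESCALATE pid={pid}: {len(rules)} rules -> {sorted(rules)}")
```

Run as-is, the four rules all resolve to PID 1288 (worm.exe) and it is escalated, while the control entry (an advfirewall rule for a binary under Program Files) produces no finding. Attributing the netsh hit to its parent is the design choice that matters: scoring the LOLBin itself would leave the firewall exception as an isolated low-severity event instead of the fourth rule against the same process.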
Network
No network events are listed for this run; with the C2 set to 127.0.0.1:1443 in the extracted config, no beacon would leave the sandbox.
MITRE ATT&CK Matrix (ATT&CK v6)
Not rendered in this capture.
Downloads
The dropped file is listed four times (twice as C:\Users\Admin\AppData\Local\Temp\worm.exe and twice as \Users\Admin\AppData\Local\Temp\worm.exe), all with identical hashes:
- C:\Users\Admin\AppData\Local\Temp\worm.exe
- MD5: c53d13780336aefe9b4318b19eba09a0
- SHA1: 90682596f5da8e19c88f77d74a569d8da8521cfa
- SHA256: 8774a2f15efbfc88e6a7c1831074909d1fbddbe895f2d900b111ccce16178c03
- SHA512: 9a7249c1d5e33add5b0d84dee20e5641789d202f774e77e3a902271550e88f35f2a7d0f70a151a46908d87d91e19641296e6e4ec94d5ba52aec65ef73a3c4c83
These are the same hashes as the submitted sample under General, so worm.exe is a byte-identical copy of the server executable written to %TEMP%: the "dropped" payload is the sample itself, and one hash set covers both the original and the persisted copies.
-
Memory dumps:
- memory/280-63-0x0000000000000000-mapping.dmp (netsh.exe, PID 280)
- memory/1288-58-0x0000000000000000-mapping.dmp (worm.exe, PID 1288)
- memory/1288-62-0x0000000000380000-0x0000000000381000-memory.dmp (worm.exe, PID 1288), filesize 4KB
- memory/1544-54-0x0000000075B51000-0x0000000075B53000-memory.dmp (server.exe, PID 1544), filesize 8KB
- memory/1544-55-0x0000000000C80000-0x0000000000C81000-memory.dmp (server.exe, PID 1544), filesize 4KB