Analysis
- max time kernel: 151s
- max time network: 126s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 15-12-2021 23:04
Behavioral task: behavioral1
- Sample: tmp/42b65022-e76e-41d7-94f1-6dd7b719243c_server.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: tmp/42b65022-e76e-41d7-94f1-6dd7b719243c_server.exe
- Resource: win10-en-20211208
General
- Target: tmp/42b65022-e76e-41d7-94f1-6dd7b719243c_server.exe
- Size: 22KB
- MD5: c53d13780336aefe9b4318b19eba09a0
- SHA1: 90682596f5da8e19c88f77d74a569d8da8521cfa
- SHA256: 8774a2f15efbfc88e6a7c1831074909d1fbddbe895f2d900b111ccce16178c03
- SHA512: 9a7249c1d5e33add5b0d84dee20e5641789d202f774e77e3a902271550e88f35f2a7d0f70a151a46908d87d91e19641296e6e4ec94d5ba52aec65ef73a3c4c83
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: test
- C2: 127.0.0.1:1443
- Mutex: 74cc423dce7f45f8f93124254b62aa00
- Attributes:
  - reg_key: 74cc423dce7f45f8f93124254b62aa00
  - splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 4320  worm.exe
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Processes:
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\74cc423dce7f45f8f93124254b62aa00.exe  (worm.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\74cc423dce7f45f8f93124254b62aa00.exe  (worm.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    Set value (str): \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\74cc423dce7f45f8f93124254b62aa00 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\worm.exe\" .."  (worm.exe)
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\74cc423dce7f45f8f93124254b62aa00 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\worm.exe\" .."  (worm.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes (all from pid 4320, worm.exe):
    Token: SeDebugPrivilege
    Token: 33, followed by Token: SeIncBasePriorityPrivilege; this pair is repeated 16 times
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    PID 2140 (42b65022-e76e-41d7-94f1-6dd7b719243c_server.exe) wrote to memory of PID 4320 (worm.exe), 3 times
    PID 4320 (worm.exe) wrote to memory of PID 1644 (netsh.exe), 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\tmp\42b65022-e76e-41d7-94f1-6dd7b719243c_server.exe  (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp\42b65022-e76e-41d7-94f1-6dd7b719243c_server.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\worm.exe  (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\worm.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe  (depth 3)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\worm.exe" "worm.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\worm.exe
  MD5: c53d13780336aefe9b4318b19eba09a0
  SHA1: 90682596f5da8e19c88f77d74a569d8da8521cfa
  SHA256: 8774a2f15efbfc88e6a7c1831074909d1fbddbe895f2d900b111ccce16178c03
  SHA512: 9a7249c1d5e33add5b0d84dee20e5641789d202f774e77e3a902271550e88f35f2a7d0f70a151a46908d87d91e19641296e6e4ec94d5ba52aec65ef73a3c4c83
  (these hashes match the submitted sample, so the dropped worm.exe is a byte-identical copy of the original file)
Memory dumps:
- memory/1644-120-0x0000000000000000-mapping.dmp
- memory/2140-115-0x0000000002280000-0x0000000002281000-memory.dmp  (Filesize: 4KB)
- memory/4320-116-0x0000000000000000-mapping.dmp
- memory/4320-119-0x0000000002560000-0x0000000002561000-memory.dmp  (Filesize: 4KB)