Analysis
max time kernel: 205s
max time network: 232s
platform: windows10_x64
resource: win10-en-20211208
submitted: 21-01-2022 23:03
Behavioral task: behavioral1
Sample: dd2e456d8c219c112ebf0d877da739ee9b56800e0e32280a2fdbea3781c8d5ea.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: dd2e456d8c219c112ebf0d877da739ee9b56800e0e32280a2fdbea3781c8d5ea.exe
Resource: win10-en-20211208
General
Target: dd2e456d8c219c112ebf0d877da739ee9b56800e0e32280a2fdbea3781c8d5ea.exe
Size: 23KB
MD5: 14c9d9e1c3f8fdb224f8877313958af5
SHA1: 5db785abbfffb9f687e2ccddabd6a837383f8c4b
SHA256: dd2e456d8c219c112ebf0d877da739ee9b56800e0e32280a2fdbea3781c8d5ea
SHA512: 70ae376ec36acf2d5b6bb4a3a039f5f7ef6bbdd911016c5843d582e36546bc87b98347227b58355e498bd8f183b03f3732daae9755fb9d5be6b8320ea2b30350
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: HacKed
C2: rootx.ddns.net:1993
Mutex: 4eaa2408a505bc0920f44b7eb6a94ef3
Attributes:
  reg_key: 4eaa2408a505bc0920f44b7eb6a94ef3
  splitter: |'|'|
Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid 3212  server.exe

Modifies Windows Firewall (1 TTP)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description / ioc / process):
  Set value (str)  \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\4eaa2408a505bc0920f44b7eb6a94ef3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."  server.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4eaa2408a505bc0920f44b7eb6a94ef3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."  server.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (21 IoCs)
Processes (description / pid / process), all from pid 3212 server.exe:
  Token: SeDebugPrivilege            (1 time)
  Token: 33                          (10 times)
  Token: SeIncBasePriorityPrivilege  (10 times)

Suspicious use of WriteProcessMemory (6 IoCs)
Processes (description / pid / process / target process):
  PID 2884 (dd2e456d8c219c112ebf0d877da739ee9b56800e0e32280a2fdbea3781c8d5ea.exe) wrote to memory of PID 3212 (server.exe), 3 times
  PID 3212 (server.exe) wrote to memory of PID 1272 (netsh.exe), 3 times
Processes
[1] C:\Users\Admin\AppData\Local\Temp\dd2e456d8c219c112ebf0d877da739ee9b56800e0e32280a2fdbea3781c8d5ea.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\dd2e456d8c219c112ebf0d877da739ee9b56800e0e32280a2fdbea3781c8d5ea.exe"
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\server.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\netsh.exe
            command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\server.exe
  MD5: 14c9d9e1c3f8fdb224f8877313958af5
  SHA1: 5db785abbfffb9f687e2ccddabd6a837383f8c4b
  SHA256: dd2e456d8c219c112ebf0d877da739ee9b56800e0e32280a2fdbea3781c8d5ea
  SHA512: 70ae376ec36acf2d5b6bb4a3a039f5f7ef6bbdd911016c5843d582e36546bc87b98347227b58355e498bd8f183b03f3732daae9755fb9d5be6b8320ea2b30350
memory/2884-118-0x00000000026C0000-0x00000000026C1000-memory.dmp
  Filesize: 4KB
memory/3212-121-0x00000000025F0000-0x00000000025F1000-memory.dmp
  Filesize: 4KB