Overview (score: 10)
Static (score: 10)

Tasks (sample, platform, score):
01/2015.5.27/01.vir     windows7_x64     3
01/2015.5.27/01.vir     windows10_x64    3
PER-DCOMP-...ao.dll     windows7_x64     1
PER-DCOMP-...ao.dll     windows10_x64    1
01/2015.5.27/03.exe     windows7_x64     8
01/2015.5.27/03.exe     windows10_x64    8
01/2015.5.27/04.exe     windows7_x64     1
01/2015.5.27/04.exe     windows10_x64    1
01/2015.5.27/05.exe     windows7_x64     10
01/2015.5.27/05.exe     windows10_x64    10
01/2015.5.27/07.exe     windows7_x64     7
01/2015.5.27/07.exe     windows10_x64    7
01/2015.5.27/09.exe     windows7_x64     10
01/2015.5.27/09.exe     windows10_x64    10
01/2015.5.27/10.exe     windows7_x64     10
01/2015.5.27/10.exe     windows10_x64    10
01/2015.5.27/12.pdf     windows7_x64     1
01/2015.5.27/12.pdf     windows10_x64    1
01/2015.5.27/13.pdf     windows7_x64     1
01/2015.5.27/13.pdf     windows10_x64    1
01/2015.5.27/14.exe     windows7_x64     8
01/2015.5.27/14.exe     windows10_x64    8
01/2015.5.27/15.dll     windows7_x64     1
01/2015.5.27/15.dll     windows10_x64    1
01/2015.5.27/16.rtf     windows7_x64     10
01/2015.5.27/16.rtf     windows10_x64    1
01/2015.5.27/17.pdf     windows7_x64     1
01/2015.5.27/17.pdf     windows10_x64    1
01/2015.5.27/18.doc     windows7_x64     1
01/2015.5.27/18.doc     windows10_x64    1

Analysis
max time kernel: 161s
max time network: 176s
platform: windows7_x64
resource: win7-en-20211208
submitted: 28-01-2022 13:34
Behavioral tasks (task, sample, resource):
behavioral1    01/2015.5.27/01.vir        win7-en-20211208
behavioral2    01/2015.5.27/01.vir        win10-en-20211208
behavioral3    PER-DCOMP-Intimacao.dll    win7-en-20211208
behavioral4    PER-DCOMP-Intimacao.dll    win10-en-20211208
behavioral5    01/2015.5.27/03.exe        win7-en-20211208
behavioral6    01/2015.5.27/03.exe        win10-en-20211208
behavioral7    01/2015.5.27/04.exe        win7-en-20211208
behavioral8    01/2015.5.27/04.exe        win10-en-20211208
behavioral9    01/2015.5.27/05.exe        win7-en-20211208
behavioral10   01/2015.5.27/05.exe        win10-en-20211208
behavioral11   01/2015.5.27/07.exe        win7-en-20211208
behavioral12   01/2015.5.27/07.exe        win10-en-20211208
behavioral13   01/2015.5.27/09.exe        win7-en-20211208
behavioral14   01/2015.5.27/09.exe        win10-en-20211208
behavioral15   01/2015.5.27/10.exe        win7-en-20211208
behavioral16   01/2015.5.27/10.exe        win10-en-20211208
behavioral17   01/2015.5.27/12.pdf        win7-en-20211208
behavioral18   01/2015.5.27/12.pdf        win10-en-20211208
behavioral19   01/2015.5.27/13.pdf        win7-en-20211208
behavioral20   01/2015.5.27/13.pdf        win10-en-20211208
behavioral21   01/2015.5.27/14.exe        win7-en-20211208
behavioral22   01/2015.5.27/14.exe        win10-en-20211208
behavioral23   01/2015.5.27/15.dll        win7-en-20211208
behavioral24   01/2015.5.27/15.dll        win10-en-20211208
behavioral25   01/2015.5.27/16.rtf        win7-en-20211208
behavioral26   01/2015.5.27/16.rtf        win10-en-20211208
behavioral27   01/2015.5.27/17.pdf        win7-en-20211208
behavioral28   01/2015.5.27/17.pdf        win10-en-20211208
behavioral29   01/2015.5.27/18.doc        win7-en-20211208
behavioral30   01/2015.5.27/18.doc        win10-en-20211208
General
Target: 01/2015.5.27/10.exe
Size: 22KB
MD5: 659844803074f32b274708507df3118c
SHA1: 104dbcade45c3a01b499bd7ecb73852a5adf6146
SHA256: 99c065515cad2265f7f826e355c22f8c677682da498d2ae74b2cb96ee27c5ad9
SHA512: 008d57f5846c85e6ef8ad4a35a5a6838c925dacb9c829fb420c1896581490afcfe27edbfe6e69fa7f32d5fe1eeb06d3f2f8f28eb2cda930c4ab32bf184877986
Malware Config
Extracted family: njrat
Version: 0.7d
Botnet / campaign ID: HacKed
C2: sooosoo45.publicvm.com:1111
Mutex: 2c75cccb239930e4a48b4948a4a9098c
Attributes:
  reg_key: 2c75cccb239930e4a48b4948a4a9098c
  splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes: server.exe (PID 864)
- Modifies Windows Firewall (1 TTP)
- Loads dropped DLL (2 IoCs)
  Processes: 10.exe (PID 1872), 10.exe (PID 1872)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: server.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\2c75cccb239930e4a48b4948a4a9098c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." (server.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\2c75cccb239930e4a48b4948a4a9098c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." (server.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes: server.exe (PID 864)
  Token: SeDebugPrivilege (864, server.exe)
  Token: 33 (864, server.exe) followed by Token: SeIncBasePriorityPrivilege (864, server.exe), this pair repeated 16 times
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 10.exe, server.exe
  PID 1872 (10.exe) wrote to memory of 864 (server.exe), 4 times
  PID 864 (server.exe) wrote to memory of 1688 (netsh.exe), 4 times
Processes
C:\Users\Admin\AppData\Local\Temp\01\2015.5.27\10.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\01\2015.5.27\10.exe"
  PID: 1872
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\server.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    PID: 864
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      PID: 1688
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\server.exe (2 entries, identical hashes)
  MD5: 659844803074f32b274708507df3118c
  SHA1: 104dbcade45c3a01b499bd7ecb73852a5adf6146
  SHA256: 99c065515cad2265f7f826e355c22f8c677682da498d2ae74b2cb96ee27c5ad9
  SHA512: 008d57f5846c85e6ef8ad4a35a5a6838c925dacb9c829fb420c1896581490afcfe27edbfe6e69fa7f32d5fe1eeb06d3f2f8f28eb2cda930c4ab32bf184877986

\Users\Admin\AppData\Local\Temp\server.exe (2 entries, identical hashes)
  MD5: 659844803074f32b274708507df3118c
  SHA1: 104dbcade45c3a01b499bd7ecb73852a5adf6146
  SHA256: 99c065515cad2265f7f826e355c22f8c677682da498d2ae74b2cb96ee27c5ad9
  SHA512: 008d57f5846c85e6ef8ad4a35a5a6838c925dacb9c829fb420c1896581490afcfe27edbfe6e69fa7f32d5fe1eeb06d3f2f8f28eb2cda930c4ab32bf184877986

Memory dumps:
memory/864-61-0x0000000000A20000-0x0000000000A21000-memory.dmp    Filesize: 4KB
memory/1872-54-0x0000000076121000-0x0000000076123000-memory.dmp   Filesize: 8KB
memory/1872-55-0x0000000000200000-0x0000000000201000-memory.dmp   Filesize: 4KB