Analysis
- max time kernel: 159s
- max time network: 132s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 29-01-2022 03:51
Static task: static1
Behavioral task: behavioral1
- Sample: a422e2aaa598e34bd1969b60850785fda811c121f670addc5d1384936aa452f5.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: a422e2aaa598e34bd1969b60850785fda811c121f670addc5d1384936aa452f5.exe
- Resource: win10-en-20211208
General
- Target: a422e2aaa598e34bd1969b60850785fda811c121f670addc5d1384936aa452f5.exe
- Size: 134KB
- MD5: d2d8cd908010759c378de5d945090ac6
- SHA1: 1c36a8a904b3c1570f8616b0b55d849175e313f1
- SHA256: a422e2aaa598e34bd1969b60850785fda811c121f670addc5d1384936aa452f5
- SHA512: cf8ed7585b70a2619b4af5487869bb497df8e020afbed09340d60f51c76dd90105a6c608f1adca2093f5fa0111bbea13d740254e1a026d90564bc7c7ed5da48e
Malware Config
Extracted
- family: njrat
- version: 0.7d
- botnet id (victim-name prefix): HacKed
- c2: basbas.no-ip.biz:5552
- reg_key: 7f3b28763aa416cc47f3cf93980140c8 (also used as the install name; it reappears below as the Run value name and the Startup-folder file name)
- splitter: |'|'| (field separator in the bot's C2 messages)
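The splitter and botnet id above are what a network analyst needs to recognise this bot's traffic. The following is an added example (not part of the sandbox report and not njRAT's own code) that frames and parses messages the way a 0.7d client does, using the extracted values. Its assumptions: the wire framing is "<decimal length>\x00<payload>", as widely documented for 0.7d; the field order of the registration ("ll") message follows public write-ups and is an assumption here, not something the report states; and the victim id is base64("<botnet id>_<volume serial>"), which is why decoded ids from this campaign begin with "HacKed_". The hostname, user, serial and OS string in the demo are made-up values.

```python
"""
Added example (not from the sandbox report): njRAT 0.7d message framing and
parsing, driven by the extracted config (splitter, botnet id, C2).
Framing and field order are assumptions documented in the lead-in.
"""
import base64
import binascii

SPLITTER = "|'|'|"                    # extracted config: splitter
CAMPAIGN = "HacKed"                   # extracted config: botnet id / victim-name prefix
C2 = ("basbas.no-ip.biz", 5552)       # extracted config: C2 host and port


def frame(payload: str) -> bytes:
    """njRAT framing (assumed): decimal byte length, a NUL, then the payload."""
    body = payload.encode("utf-8")
    return str(len(body)).encode("ascii") + b"\x00" + body


def unframe(data: bytes):
    """Split one framed message off the front of a buffer.

    Returns (payload, rest), or None if the buffer is not njRAT-framed or the
    message is truncated (a stream reader should then wait for more bytes).
    """
    sep = data.find(b"\x00")
    if sep <= 0 or not data[:sep].isdigit():
        return None
    length = int(data[:sep])
    body = data[sep + 1:sep + 1 + length]
    if len(body) != length:
        return None
    return body.decode("utf-8", "replace"), data[sep + 1 + length:]


def build_registration(volume_serial: str, hostname: str, username: str,
                       os_string: str, version: str = "0.7d",
                       date: str = "22-01-29") -> bytes:
    """Client hello as a 0.7d bot sends it after connecting to the C2.

    Victim id = base64("<botnet id>_<volume serial>"). The trailing fields
    (webcam flag, version, install marker, active window) are placeholders
    following public write-ups; their exact order is an assumption.
    """
    victim_id = base64.b64encode(f"{CAMPAIGN}_{volume_serial}".encode()).decode()
    fields = ["ll", victim_id, hostname, username, date, "", os_string,
              "No", version, "..", ""]
    return frame(SPLITTER.join(fields))


def parse_message(payload: str) -> dict:
    """Split a payload on the configured splitter and decode the victim id."""
    fields = payload.split(SPLITTER)
    info = {"command": fields[0], "fields": fields}
    if fields[0] == "ll" and len(fields) > 1:
        try:
            vid = base64.b64decode(fields[1], validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            vid = fields[1]                      # not base64: keep raw
        info["victim_id"] = vid
        info["campaign"] = vid.split("_", 1)[0]
    return info


def looks_like_njrat(data: bytes) -> bool:
    """Cheap first-packet detector: framed, contains the splitter, short alpha command."""
    r = unframe(data)
    if r is None or SPLITTER not in r[0]:
        return False
    cmd = r[0].split(SPLITTER, 1)[0]
    return 1 <= len(cmd) <= 4 and cmd.isalpha()


if __name__ == "__main__":
    # constructed demo values, not taken from the sandbox run
    wire = build_registration("4BB80C1D", "WIN7-PC", "Admin", "Win 7 Ultimate SP1 x64")
    print(wire)
    print(parse_message(unframe(wire)[0]))
```

A stream-level detector would loop `unframe` over the TCP payload towards basbas.no-ip.biz:5552 and alert when the first message decodes to a victim id with the "HacKed_" prefix; the splitter string itself is a reasonable content match for a network signature, since it is fixed per build.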
Signatures
- Executes dropped EXE (3 IoCs)
  PID 332   C:\Users\Admin\AppData\Local\Temp\SkypeIcon.exe
  PID 884   C:\Users\Admin\AppData\Local\Temp\svshost.exe
  PID 1948  C:\Users\Admin\AppData\Local\Temp\server.exe
- Modifies Windows Firewall (1 TTP)
  server.exe adds a firewall exception for itself through netsh.exe (command line under Processes).
- Drops startup file (2 IoCs)
  server.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7f3b28763aa416cc47f3cf93980140c8.exe
  server.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7f3b28763aa416cc47f3cf93980140c8.exe
- Loads dropped DLL (3 IoCs)
  PID 1592 a422e2aaa598e34bd1969b60850785fda811c121f670addc5d1384936aa452f5.exe (three loads)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  server.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\7f3b28763aa416cc47f3cf93980140c8 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
  server.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7f3b28763aa416cc47f3cf93980140c8 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
  The value name is the reg_key from the extracted config, and the same 32-hex-character name is reused for the Startup-folder copy above. The trailing " .." argument is how this njRAT build relaunches its persisted copy. Both the per-user and the machine-wide Run keys were written; the HKLM write needs an elevated process and succeeded in this run.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this as likely ransomware behaviour; njRAT, however, enumerates drives for its removable-media spreading option, so on its own this is expected RAT behaviour and not evidence of file encryption.
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  server.exe (PID 1948): SeDebugPrivilege once, then 15 alternating pairs of privilege LUID 33 (SeIncreaseWorkingSetPrivilege, left unresolved by the sandbox as "Token: 33") and SeIncBasePriorityPrivilege.
- Suspicious use of WriteProcessMemory (14 IoCs)
  PID 1592 a422e2aaa598e34bd1969b60850785fda811c121f670addc5d1384936aa452f5.exe -> PID 332 SkypeIcon.exe (4 writes)
  PID 1592 a422e2aaa598e34bd1969b60850785fda811c121f670addc5d1384936aa452f5.exe -> PID 884 svshost.exe (4 writes)
  PID 884 svshost.exe -> PID 1948 server.exe (3 writes)
  PID 1948 server.exe -> PID 856 netsh.exe (3 writes)
  Every target is a child that the writing process itself created, so these are the parent-to-child writes that accompany process creation rather than injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\a422e2aaa598e34bd1969b60850785fda811c121f670addc5d1384936aa452f5.exe (PID 1592)
  command line: "C:\Users\Admin\AppData\Local\Temp\a422e2aaa598e34bd1969b60850785fda811c121f670addc5d1384936aa452f5.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\SkypeIcon.exe (PID 332, child of 1592)
    command line: "C:\Users\Admin\AppData\Local\Temp\SkypeIcon.exe"
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\svshost.exe (PID 884, child of 1592)
    command line: "C:\Users\Admin\AppData\Local\Temp\svshost.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\server.exe (PID 1948, child of 884)
      command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\netsh.exe (PID 856, child of 1948)
        command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        (the legacy "netsh firewall" context is deprecated in favour of "netsh advfirewall" from Windows 7 onward but is still accepted)
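The Run key, Startup-folder drop and netsh firewall exception above are the host artefacts a defender can alert on. The following is an added example (not from the sandbox report, and not any vendor's rule) of that detection logic run over a few constructed, Sysmon-shaped JSON events: EventID 13 for the two Run values, 11 for the Startup-folder file and 1 for the netsh launch, plus two benign controls. Field names follow Sysmon's; the records themselves are synthetic, with the suspicious values copied from the report's IoCs. The category names, thresholds and the benign "Foo" product are assumptions of this example.

```python
"""
Added example (not from the sandbox report): detection logic for the njRAT
persistence and firewall behaviour attributed to server.exe, run over
constructed Sysmon-like JSON-lines events.
"""
import json
import re
from collections import defaultdict

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\([^\\]+)$", re.I)
HEX32_NAME_RE = re.compile(r"^[0-9a-f]{32}(\.exe)?$", re.I)        # njRAT-style install name
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
NETSH_ALLOW_RE = re.compile(r'\bnetsh(\.exe)?"?\s+firewall\s+add\s+allowedprogram\b', re.I)

# constructed sample events: values taken from the report's IoCs, plus benign controls
_SRV = r"C:\Users\Admin\AppData\Local\Temp\server.exe"
_SID = "S-1-5-21-3846991908-3261386348-1409841751-1000"
_NAME = "7f3b28763aa416cc47f3cf93980140c8"
_EVENTS = [
    {"EventID": 13, "Image": _SRV, "Details": '"%s" ..' % _SRV,
     "TargetObject": r"HKU\%s\Software\Microsoft\Windows\CurrentVersion\Run\%s" % (_SID, _NAME)},
    {"EventID": 13, "Image": _SRV, "Details": '"%s" ..' % _SRV,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\%s" % _NAME},
    {"EventID": 11, "Image": _SRV,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%s.exe" % _NAME},
    {"EventID": 1, "Image": r"C:\Windows\system32\netsh.exe", "ParentImage": _SRV,
     "CommandLine": 'netsh firewall add allowedprogram "%s" "server.exe" ENABLE' % _SRV},
    # benign controls (hypothetical "Foo" product): ordinary updater Run value, advfirewall rule
    {"EventID": 13, "Image": r"C:\Program Files\Foo\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FooUpdater",
     "Details": r'"C:\Program Files\Foo\updater.exe" /background'},
    {"EventID": 1, "Image": r"C:\Windows\system32\netsh.exe",
     "ParentImage": r"C:\Program Files\Foo\setup.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="Foo" dir=in action=allow program="C:\Program Files\Foo\foo.exe"'},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in _EVENTS)


def check_event(ev: dict) -> list:
    """Return (category, detail) findings for one event; empty list if nothing matched."""
    out = []
    eid = ev.get("EventID")
    if eid == 13:                                     # registry value set
        m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
        if m:
            name, details = m.group(1), ev.get("Details", "")
            if USER_TEMP_RE.search(details):
                out.append(("run_key_temp", "Run value %s -> %s" % (name, details)))
            if HEX32_NAME_RE.match(name):
                out.append(("run_key_hex32", "Run value named like a hash: %s" % name))
    elif eid == 11:                                   # file create
        m = STARTUP_RE.search(ev.get("TargetFilename", ""))
        if m and HEX32_NAME_RE.match(m.group(1)):
            out.append(("startup_hex32", "Startup-folder file %s" % m.group(1)))
    elif eid == 1:                                    # process create
        cmd = ev.get("CommandLine", "")
        if NETSH_ALLOW_RE.search(cmd) and USER_TEMP_RE.search(cmd):
            out.append(("fw_allow_temp", "firewall exception for a Temp binary: " + cmd))
    return out


def actor(ev: dict) -> str:
    """Attribute netsh.exe launches to the parent that spawned them; otherwise use Image."""
    image = ev.get("Image", "")
    if ev.get("EventID") == 1 and image.lower().endswith("netsh.exe"):
        return ev.get("ParentImage", image)
    return image


def scan(lines) -> dict:
    """Group findings by responsible process image across a JSON-lines log."""
    hits = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for finding in check_event(ev):
            hits[actor(ev)].append(finding)
    return dict(hits)


def suspicious(hits: dict, min_categories: int = 2) -> list:
    """Images showing at least min_categories distinct signals; a single one is too noisy alone."""
    return sorted(img for img, fs in hits.items()
                  if len({cat for cat, _ in fs}) >= min_categories)


if __name__ == "__main__":
    result = scan(SAMPLE_LOG.splitlines())
    for image in suspicious(result):
        print(image)
        for cat, detail in result[image]:
            print("  [%s] %s" % (cat, detail))
```

Requiring two distinct categories per process is what keeps the benign updater out: a Run value alone, or a firewall exception alone, is common in legitimate installers, whereas a Temp-resident binary that registers a hash-named Run value, drops a hash-named Startup file and whitelists itself in the firewall matches this report's chain exactly.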
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\SkypeIcon.exe (also recorded under the drive-less path \Users\Admin\AppData\Local\Temp\SkypeIcon.exe)
  MD5: 00b0ace97eaa8a8f1cc1867e49b1fe74
  SHA1: de074ce41fa91dffca582fd80ac402f874c533fc
  SHA256: ef2f4949ad2dc34facf4aa602ffa7cacb0c381f687fc8276400442ccaa51ab53
  SHA512: 6e2b2e414ef46cad52bc90264135fd3b502b6a2aefef7bfbcf3af85f3918136924814952603c15d53ca0be40ed6bb4e7a5584fafdbbf59bb1ecd2730d1ad28c4
- C:\Users\Admin\AppData\Local\Temp\server.exe
  MD5: acc84e35e4fcffa454639189fc4ae89d
  SHA1: 9b366eec0ee57722eb163c3375a726c12d3a2d80
  SHA256: 45b2f651641b068ac61e44423c3f0d62b36f12c939d3cc513bce3536f766a087
  SHA512: 3959ef037e14a8a94de4a8602b0c3a967bef73b2a71f79a771bb61b39d67c501f44fb6baf986fa1b30da7859fb4885a8b0c95f8876d69334a79a47d24a35f2c6
- C:\Users\Admin\AppData\Local\Temp\svshost.exe (also recorded under the drive-less path \Users\Admin\AppData\Local\Temp\svshost.exe)
  MD5: acc84e35e4fcffa454639189fc4ae89d
  SHA1: 9b366eec0ee57722eb163c3375a726c12d3a2d80
  SHA256: 45b2f651641b068ac61e44423c3f0d62b36f12c939d3cc513bce3536f766a087
  SHA512: 3959ef037e14a8a94de4a8602b0c3a967bef73b2a71f79a771bb61b39d67c501f44fb6baf986fa1b30da7859fb4885a8b0c95f8876d69334a79a47d24a35f2c6
  svshost.exe and server.exe have identical hashes: they are the same njRAT binary, first dropped by the sample as svshost.exe and then re-launched under its install name server.exe. SkypeIcon.exe is a different file.
-
- memory/884-64-0x00000000002B0000-0x00000000002BE000-memory.dmp (svshost.exe, PID 884), filesize 56KB
- memory/884-65-0x00000000002F0000-0x00000000002FC000-memory.dmp (svshost.exe, PID 884), filesize 48KB
- memory/884-66-0x000007FEFC3C1000-0x000007FEFC3C3000-memory.dmp (svshost.exe, PID 884), filesize 8KB
- memory/1592-54-0x00000000766D1000-0x00000000766D3000-memory.dmp (sample, PID 1592), filesize 8KB
- memory/1948-69-0x0000000001180000-0x000000000118E000-memory.dmp (server.exe, PID 1948), filesize 56KB
- memory/1948-71-0x0000000002590000-0x000000001AA00000-memory.dmp (server.exe, PID 1948), filesize 388.4MB