Analysis
- max time kernel: 156s
- max time network: 160s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 29-01-2022 03:51
Static task: static1
Behavioral task: behavioral1
- Sample: a422e2aaa598e34bd1969b60850785fda811c121f670addc5d1384936aa452f5.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: a422e2aaa598e34bd1969b60850785fda811c121f670addc5d1384936aa452f5.exe
- Resource: win10-en-20211208
General
- Target: a422e2aaa598e34bd1969b60850785fda811c121f670addc5d1384936aa452f5.exe
- Size: 134KB
- MD5: d2d8cd908010759c378de5d945090ac6
- SHA1: 1c36a8a904b3c1570f8616b0b55d849175e313f1
- SHA256: a422e2aaa598e34bd1969b60850785fda811c121f670addc5d1384936aa452f5
- SHA512: cf8ed7585b70a2619b4af5487869bb497df8e020afbed09340d60f51c76dd90105a6c608f1adca2093f5fa0111bbea13d740254e1a026d90564bc7c7ed5da48e
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: basbas.no-ip.biz:5552
- Mutex: 7f3b28763aa416cc47f3cf93980140c8
- reg_key: 7f3b28763aa416cc47f3cf93980140c8
- splitter: |'|'|
Signatures
- Executes dropped EXE (3 IoCs)
  Processes (pid, process): 3596 SkypeIcon.exe; 1288 svshost.exe; 924 server.exe
- Modifies Windows Firewall (1 TTPs)
- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7f3b28763aa416cc47f3cf93980140c8.exe (server.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7f3b28763aa416cc47f3cf93980140c8.exe (server.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  Set value (str): \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\7f3b28763aa416cc47f3cf93980140c8 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." (server.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7f3b28763aa416cc47f3cf93980140c8 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." (server.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (29 IoCs)
  Processes (description, pid, process): all entries are PID 924 server.exe. Token: SeDebugPrivilege once, then Token: 33 and Token: SeIncBasePriorityPrivilege alternating, 14 times each.
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
  PID 2368 a422e2aaa598e34bd1969b60850785fda811c121f670addc5d1384936aa452f5.exe wrote to memory of 3596 SkypeIcon.exe (3 times)
  PID 2368 a422e2aaa598e34bd1969b60850785fda811c121f670addc5d1384936aa452f5.exe wrote to memory of 1288 svshost.exe (2 times)
  PID 1288 svshost.exe wrote to memory of 924 server.exe (2 times)
  PID 924 server.exe wrote to memory of 3604 netsh.exe (2 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\a422e2aaa598e34bd1969b60850785fda811c121f670addc5d1384936aa452f5.exe (PID 2368)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a422e2aaa598e34bd1969b60850785fda811c121f670addc5d1384936aa452f5.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\SkypeIcon.exe (PID 3596)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SkypeIcon.exe"
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\svshost.exe (PID 1288)
    Command line: "C:\Users\Admin\AppData\Local\Temp\svshost.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\server.exe (PID 924)
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SYSTEM32\netsh.exe (PID 3604)
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\SkypeIcon.exe
  MD5: 00b0ace97eaa8a8f1cc1867e49b1fe74
  SHA1: de074ce41fa91dffca582fd80ac402f874c533fc
  SHA256: ef2f4949ad2dc34facf4aa602ffa7cacb0c381f687fc8276400442ccaa51ab53
  SHA512: 6e2b2e414ef46cad52bc90264135fd3b502b6a2aefef7bfbcf3af85f3918136924814952603c15d53ca0be40ed6bb4e7a5584fafdbbf59bb1ecd2730d1ad28c4
- C:\Users\Admin\AppData\Local\Temp\server.exe
  MD5: acc84e35e4fcffa454639189fc4ae89d
  SHA1: 9b366eec0ee57722eb163c3375a726c12d3a2d80
  SHA256: 45b2f651641b068ac61e44423c3f0d62b36f12c939d3cc513bce3536f766a087
  SHA512: 3959ef037e14a8a94de4a8602b0c3a967bef73b2a71f79a771bb61b39d67c501f44fb6baf986fa1b30da7859fb4885a8b0c95f8876d69334a79a47d24a35f2c6
- C:\Users\Admin\AppData\Local\Temp\svshost.exe
  MD5: acc84e35e4fcffa454639189fc4ae89d
  SHA1: 9b366eec0ee57722eb163c3375a726c12d3a2d80
  SHA256: 45b2f651641b068ac61e44423c3f0d62b36f12c939d3cc513bce3536f766a087
  SHA512: 3959ef037e14a8a94de4a8602b0c3a967bef73b2a71f79a771bb61b39d67c501f44fb6baf986fa1b30da7859fb4885a8b0c95f8876d69334a79a47d24a35f2c6
- memory/924-126-0x0000000002810000-0x0000000002850000-memory.dmp (filesize 256KB)
- memory/1288-122-0x0000000000360000-0x000000000036E000-memory.dmp (filesize 56KB)
- memory/1288-123-0x0000000002310000-0x000000000231C000-memory.dmp (filesize 48KB)