Analysis
- max time kernel: 4294211s
- max time network: 130s
- platform: windows7_x64
- resource: win7-20220223-en
- submitted: 10-03-2022 23:57

Static task: static1
Behavioral task: behavioral1
Sample: 3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6.exe
Resource: win7-20220223-en
General
- Target: 3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6.exe
- Size: 2.1MB
- MD5: c0d3b6f38e5253f59f2f15cdcf14edf0
- SHA1: 4442c0d76b86470ebd8d8cea91382107ff9ad96d
- SHA256: 3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6
- SHA512: 578d245a5e7444a741d946dd20b7e9506ac7436ed08132af7549d12f293b9e92d9c3c7174284c92a7a8802211799dc09847f3428c758da0632c471b3aa80e696
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacK
- C2: 127.0.0.1:1234
- Mutex: 8a6179254fb2f1e73fe707c1a92f1876
- Attributes:
  reg_key: 8a6179254fb2f1e73fe707c1a92f1876
  splitter: |'|'|
Signatures
- Nirsoft (4 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\Process Modules DLL.exe | Nirsoft
  C:\Users\Admin\AppData\Local\Temp\Process Modules DLL.exe | Nirsoft
  C:\Users\Admin\AppData\Local\Temp\Process Modules DLL.exe | Nirsoft
  behavioral1/memory/864-62-0x0000000000F40000-0x000000000103C000-memory.dmp | Nirsoft
- Executes dropped EXE (3 IoCs)
  pid | process
  1876 | Server.exe
  864 | Process Modules DLL.exe
  292 | server.exe
- Modifies Windows Firewall (1 TTPs)
- Drops startup file (2 IoCs)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8a6179254fb2f1e73fe707c1a92f1876.exe | server.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8a6179254fb2f1e73fe707c1a92f1876.exe | server.exe
- Loads dropped DLL (3 IoCs)
  pid | process
  2040 | 3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6.exe
  2040 | 3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6.exe
  1876 | Server.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\8a6179254fb2f1e73fe707c1a92f1876 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .." | server.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\8a6179254fb2f1e73fe707c1a92f1876 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .." | server.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | process
  864 | Process Modules DLL.exe
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 292 | server.exe
  Token: 33 | 292 | server.exe
  Token: SeIncBasePriorityPrivilege | 292 | server.exe
  (the "Token: 33" and "Token: SeIncBasePriorityPrivilege" rows alternate 16 times each; all 33 entries belong to pid 292 server.exe)
- Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | process | target process
  PID 2040 wrote to memory of 1876 | 2040 | 3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6.exe | Server.exe
  PID 2040 wrote to memory of 1876 | 2040 | 3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6.exe | Server.exe
  PID 2040 wrote to memory of 1876 | 2040 | 3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6.exe | Server.exe
  PID 2040 wrote to memory of 1876 | 2040 | 3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6.exe | Server.exe
  PID 2040 wrote to memory of 864 | 2040 | 3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6.exe | Process Modules DLL.exe
  PID 2040 wrote to memory of 864 | 2040 | 3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6.exe | Process Modules DLL.exe
  PID 2040 wrote to memory of 864 | 2040 | 3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6.exe | Process Modules DLL.exe
  PID 2040 wrote to memory of 864 | 2040 | 3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6.exe | Process Modules DLL.exe
  PID 1876 wrote to memory of 292 | 1876 | Server.exe | server.exe
  PID 1876 wrote to memory of 292 | 1876 | Server.exe | server.exe
  PID 1876 wrote to memory of 292 | 1876 | Server.exe | server.exe
  PID 1876 wrote to memory of 292 | 1876 | Server.exe | server.exe
  PID 292 wrote to memory of 1164 | 292 | server.exe | netsh.exe
  PID 292 wrote to memory of 1164 | 292 | server.exe | netsh.exe
  PID 292 wrote to memory of 1164 | 292 | server.exe | netsh.exe
  PID 292 wrote to memory of 1164 | 292 | server.exe | netsh.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\Server.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\server.exe
      Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
  - [2] C:\Users\Admin\AppData\Local\Temp\Process Modules DLL.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Process Modules DLL.exe"
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Process Modules DLL.exe
  MD5: d27ba7e620a8c3a36b62d3a983d3fe61
  SHA1: ac86faf6c358002254a032d4f7a9bdbef093c573
  SHA256: 3d793d0f14382c8f28ba9efd2f35bfb18c2abaf5f4654d81726ddebe4310fa07
  SHA512: e0ef5dac3c50fe6bf1e03116dd7239d89c85d0a47bf2254705c1f4527b1b4843cc5b04ed76d5f618a61f127c6b54587e2e02f7050525d819f6aa3b93ede91a00
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  MD5: cd756c506aedc1507c79b7c81d51dfe0
  SHA1: 0428b30df265076b61499266050ecbb461b1ae95
  SHA256: 3a06815118520f21257729a0ef3a86159f927a9b0f598f442fc2b699b9a8adff
  SHA512: 9fde72774fd3deba541c69e37343a10e600f6bf4c5111b670397d4740d4d5405c7ba4b0436d12fc796c3662381ec62b226e6801685f5eff75cc7df069bd1f062
- C:\Users\Admin\AppData\Roaming\server.exe
  MD5: cd756c506aedc1507c79b7c81d51dfe0
  SHA1: 0428b30df265076b61499266050ecbb461b1ae95
  SHA256: 3a06815118520f21257729a0ef3a86159f927a9b0f598f442fc2b699b9a8adff
  SHA512: 9fde72774fd3deba541c69e37343a10e600f6bf4c5111b670397d4740d4d5405c7ba4b0436d12fc796c3662381ec62b226e6801685f5eff75cc7df069bd1f062
- \Users\Admin\AppData\Local\Temp\Process Modules DLL.exe
  MD5: d27ba7e620a8c3a36b62d3a983d3fe61
  SHA1: ac86faf6c358002254a032d4f7a9bdbef093c573
  SHA256: 3d793d0f14382c8f28ba9efd2f35bfb18c2abaf5f4654d81726ddebe4310fa07
  SHA512: e0ef5dac3c50fe6bf1e03116dd7239d89c85d0a47bf2254705c1f4527b1b4843cc5b04ed76d5f618a61f127c6b54587e2e02f7050525d819f6aa3b93ede91a00
- \Users\Admin\AppData\Local\Temp\Server.exe
  MD5: cd756c506aedc1507c79b7c81d51dfe0
  SHA1: 0428b30df265076b61499266050ecbb461b1ae95
  SHA256: 3a06815118520f21257729a0ef3a86159f927a9b0f598f442fc2b699b9a8adff
  SHA512: 9fde72774fd3deba541c69e37343a10e600f6bf4c5111b670397d4740d4d5405c7ba4b0436d12fc796c3662381ec62b226e6801685f5eff75cc7df069bd1f062
- \Users\Admin\AppData\Roaming\server.exe
  MD5: cd756c506aedc1507c79b7c81d51dfe0
  SHA1: 0428b30df265076b61499266050ecbb461b1ae95
  SHA256: 3a06815118520f21257729a0ef3a86159f927a9b0f598f442fc2b699b9a8adff
  SHA512: 9fde72774fd3deba541c69e37343a10e600f6bf4c5111b670397d4740d4d5405c7ba4b0436d12fc796c3662381ec62b226e6801685f5eff75cc7df069bd1f062
- memory/292-72-0x0000000074050000-0x00000000745FB000-memory.dmp
  Filesize: 5.7MB
- memory/292-73-0x0000000000B40000-0x0000000000B41000-memory.dmp
  Filesize: 4KB
- memory/864-67-0x000000001B450000-0x000000001B452000-memory.dmp
  Filesize: 8KB
- memory/864-64-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp
  Filesize: 9.9MB
- memory/864-62-0x0000000000F40000-0x000000000103C000-memory.dmp
  Filesize: 1008KB
- memory/864-75-0x000000001B452000-0x000000001B453000-memory.dmp
  Filesize: 4KB
- memory/864-76-0x000000001B457000-0x000000001B476000-memory.dmp
  Filesize: 124KB
- memory/1876-66-0x0000000074050000-0x00000000745FB000-memory.dmp
  Filesize: 5.7MB
- memory/1876-65-0x0000000000C90000-0x0000000000C91000-memory.dmp
  Filesize: 4KB
- memory/1876-63-0x0000000074050000-0x00000000745FB000-memory.dmp
  Filesize: 5.7MB
- memory/2040-54-0x0000000075751000-0x0000000075753000-memory.dmp
  Filesize: 8KB