Analysis

max time kernel: 4294215s
max time network: 131s
platform: windows7_x64
resource: win7-20220310-en
submitted: 14-03-2022 17:24

Static task: static1
Behavioral task: behavioral1
Sample: b8b02e781ca3b049b61e31b5b3f508ac1ecffd335a6c6c83b7dbc1de88e69ed5.exe
Resource: win7-20220310-en
General

Target: b8b02e781ca3b049b61e31b5b3f508ac1ecffd335a6c6c83b7dbc1de88e69ed5.exe
Size: 1.0MB
MD5: 20917a3dd1b362aa03532d623fbb1622
SHA1: b8102145d3937c2ad99f03dd9ee8da4478b0a4a4
SHA256: b8b02e781ca3b049b61e31b5b3f508ac1ecffd335a6c6c83b7dbc1de88e69ed5
SHA512: ce3a5d405be750e1706b8609b2fe391740af446205651f3a93fb5bf3f911ff83ae8af526f13fcefdde0c4a36873d4a04756b40779d1cb4525251aad0407175b8
Malware Config

Extracted: njrat
0.7d
HacK
127.0.0.1:1234
8a6179254fb2f1e73fe707c1a92f1876
reg_key: 8a6179254fb2f1e73fe707c1a92f1876
splitter: |'|'|
Signatures

Nirsoft 4 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\Process Modules DLL.exe | Nirsoft
C:\Users\Admin\AppData\Local\Temp\Process Modules DLL.exe | Nirsoft
C:\Users\Admin\AppData\Local\Temp\Process Modules DLL.exe | Nirsoft
behavioral1/memory/560-66-0x0000000000F40000-0x000000000103C000-memory.dmp | Nirsoft

Executes dropped EXE 3 IoCs
Processes:
pid | process
1112 | Server.exe
560 | Process Modules DLL.exe
768 | server.exe

Modifies Windows Firewall 1 TTPs

Drops startup file 2 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8a6179254fb2f1e73fe707c1a92f1876.exe | server.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8a6179254fb2f1e73fe707c1a92f1876.exe | server.exe

Loads dropped DLL 3 IoCs
Processes:
pid | process
1032 | b8b02e781ca3b049b61e31b5b3f508ac1ecffd335a6c6c83b7dbc1de88e69ed5.exe
1032 | b8b02e781ca3b049b61e31b5b3f508ac1ecffd335a6c6c83b7dbc1de88e69ed5.exe
1112 | Server.exe

Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run\8a6179254fb2f1e73fe707c1a92f1876 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .." | server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\8a6179254fb2f1e73fe707c1a92f1876 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .." | server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken 21 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 768 | server.exe
Token: 33 | 768 | server.exe
Token: SeIncBasePriorityPrivilege | 768 | server.exe
Token: 33 | 768 | server.exe
Token: SeIncBasePriorityPrivilege | 768 | server.exe
Token: 33 | 768 | server.exe
Token: SeIncBasePriorityPrivilege | 768 | server.exe
Token: 33 | 768 | server.exe
Token: SeIncBasePriorityPrivilege | 768 | server.exe
Token: 33 | 768 | server.exe
Token: SeIncBasePriorityPrivilege | 768 | server.exe
Token: 33 | 768 | server.exe
Token: SeIncBasePriorityPrivilege | 768 | server.exe
Token: 33 | 768 | server.exe
Token: SeIncBasePriorityPrivilege | 768 | server.exe
Token: 33 | 768 | server.exe
Token: SeIncBasePriorityPrivilege | 768 | server.exe
Token: 33 | 768 | server.exe
Token: SeIncBasePriorityPrivilege | 768 | server.exe
Token: 33 | 768 | server.exe
Token: SeIncBasePriorityPrivilege | 768 | server.exe

Suspicious use of WriteProcessMemory 16 IoCs
Processes:
description | pid | process | target process
PID 1032 wrote to memory of 1112 | 1032 | b8b02e781ca3b049b61e31b5b3f508ac1ecffd335a6c6c83b7dbc1de88e69ed5.exe | Server.exe
PID 1032 wrote to memory of 1112 | 1032 | b8b02e781ca3b049b61e31b5b3f508ac1ecffd335a6c6c83b7dbc1de88e69ed5.exe | Server.exe
PID 1032 wrote to memory of 1112 | 1032 | b8b02e781ca3b049b61e31b5b3f508ac1ecffd335a6c6c83b7dbc1de88e69ed5.exe | Server.exe
PID 1032 wrote to memory of 1112 | 1032 | b8b02e781ca3b049b61e31b5b3f508ac1ecffd335a6c6c83b7dbc1de88e69ed5.exe | Server.exe
PID 1032 wrote to memory of 560 | 1032 | b8b02e781ca3b049b61e31b5b3f508ac1ecffd335a6c6c83b7dbc1de88e69ed5.exe | Process Modules DLL.exe
PID 1032 wrote to memory of 560 | 1032 | b8b02e781ca3b049b61e31b5b3f508ac1ecffd335a6c6c83b7dbc1de88e69ed5.exe | Process Modules DLL.exe
PID 1032 wrote to memory of 560 | 1032 | b8b02e781ca3b049b61e31b5b3f508ac1ecffd335a6c6c83b7dbc1de88e69ed5.exe | Process Modules DLL.exe
PID 1032 wrote to memory of 560 | 1032 | b8b02e781ca3b049b61e31b5b3f508ac1ecffd335a6c6c83b7dbc1de88e69ed5.exe | Process Modules DLL.exe
PID 1112 wrote to memory of 768 | 1112 | Server.exe | server.exe
PID 1112 wrote to memory of 768 | 1112 | Server.exe | server.exe
PID 1112 wrote to memory of 768 | 1112 | Server.exe | server.exe
PID 1112 wrote to memory of 768 | 1112 | Server.exe | server.exe
PID 768 wrote to memory of 1800 | 768 | server.exe | netsh.exe
PID 768 wrote to memory of 1800 | 768 | server.exe | netsh.exe
PID 768 wrote to memory of 1800 | 768 | server.exe | netsh.exe
PID 768 wrote to memory of 1800 | 768 | server.exe | netsh.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\b8b02e781ca3b049b61e31b5b3f508ac1ecffd335a6c6c83b7dbc1de88e69ed5.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\b8b02e781ca3b049b61e31b5b3f508ac1ecffd335a6c6c83b7dbc1de88e69ed5.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\Server.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\server.exe
         command line: "C:\Users\Admin\AppData\Roaming\server.exe"
         - Executes dropped EXE
         - Drops startup file
         - Adds Run key to start application
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\netsh.exe
            command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE

   2. C:\Users\Admin\AppData\Local\Temp\Process Modules DLL.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Process Modules DLL.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\Process Modules DLL.exe
MD5: d27ba7e620a8c3a36b62d3a983d3fe61
SHA1: ac86faf6c358002254a032d4f7a9bdbef093c573
SHA256: 3d793d0f14382c8f28ba9efd2f35bfb18c2abaf5f4654d81726ddebe4310fa07
SHA512: e0ef5dac3c50fe6bf1e03116dd7239d89c85d0a47bf2254705c1f4527b1b4843cc5b04ed76d5f618a61f127c6b54587e2e02f7050525d819f6aa3b93ede91a00

C:\Users\Admin\AppData\Local\Temp\Server.exe
MD5: cd756c506aedc1507c79b7c81d51dfe0
SHA1: 0428b30df265076b61499266050ecbb461b1ae95
SHA256: 3a06815118520f21257729a0ef3a86159f927a9b0f598f442fc2b699b9a8adff
SHA512: 9fde72774fd3deba541c69e37343a10e600f6bf4c5111b670397d4740d4d5405c7ba4b0436d12fc796c3662381ec62b226e6801685f5eff75cc7df069bd1f062

C:\Users\Admin\AppData\Roaming\server.exe
MD5: cd756c506aedc1507c79b7c81d51dfe0
SHA1: 0428b30df265076b61499266050ecbb461b1ae95
SHA256: 3a06815118520f21257729a0ef3a86159f927a9b0f598f442fc2b699b9a8adff
SHA512: 9fde72774fd3deba541c69e37343a10e600f6bf4c5111b670397d4740d4d5405c7ba4b0436d12fc796c3662381ec62b226e6801685f5eff75cc7df069bd1f062

\Users\Admin\AppData\Local\Temp\Process Modules DLL.exe
MD5: d27ba7e620a8c3a36b62d3a983d3fe61
SHA1: ac86faf6c358002254a032d4f7a9bdbef093c573
SHA256: 3d793d0f14382c8f28ba9efd2f35bfb18c2abaf5f4654d81726ddebe4310fa07
SHA512: e0ef5dac3c50fe6bf1e03116dd7239d89c85d0a47bf2254705c1f4527b1b4843cc5b04ed76d5f618a61f127c6b54587e2e02f7050525d819f6aa3b93ede91a00

\Users\Admin\AppData\Local\Temp\Server.exe
MD5: cd756c506aedc1507c79b7c81d51dfe0
SHA1: 0428b30df265076b61499266050ecbb461b1ae95
SHA256: 3a06815118520f21257729a0ef3a86159f927a9b0f598f442fc2b699b9a8adff
SHA512: 9fde72774fd3deba541c69e37343a10e600f6bf4c5111b670397d4740d4d5405c7ba4b0436d12fc796c3662381ec62b226e6801685f5eff75cc7df069bd1f062

\Users\Admin\AppData\Roaming\server.exe
MD5: cd756c506aedc1507c79b7c81d51dfe0
SHA1: 0428b30df265076b61499266050ecbb461b1ae95
SHA256: 3a06815118520f21257729a0ef3a86159f927a9b0f598f442fc2b699b9a8adff
SHA512: 9fde72774fd3deba541c69e37343a10e600f6bf4c5111b670397d4740d4d5405c7ba4b0436d12fc796c3662381ec62b226e6801685f5eff75cc7df069bd1f062

memory dump | Filesize
memory/560-66-0x0000000000F40000-0x000000000103C000-memory.dmp | 1008KB
memory/560-62-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp | 9.9MB
memory/560-73-0x0000000000C10000-0x0000000000C12000-memory.dmp | 8KB
memory/768-72-0x0000000000C10000-0x0000000000C11000-memory.dmp | 4KB
memory/768-71-0x0000000074AC0000-0x000000007506B000-memory.dmp | 5.7MB
memory/1032-54-0x0000000076AE1000-0x0000000076AE3000-memory.dmp | 8KB
memory/1112-64-0x0000000074AC0000-0x000000007506B000-memory.dmp | 5.7MB
memory/1112-65-0x0000000074AC0000-0x000000007506B000-memory.dmp | 5.7MB
memory/1112-63-0x00000000022B0000-0x00000000022B1000-memory.dmp | 4KB