Analysis

max time kernel: 151s
max time network: 154s
platform: windows7_x64
resource: win7-20220331-en
submitted: 30-03-2022 02:40

Static task: static1

Behavioral task: behavioral1
  Sample: 2df505b37c492a622e2b5175beeb6a6248b69c5183960fd0464d7f82b7ef02f5.exe
  Resource: win7-20220331-en

Behavioral task: behavioral2
  Sample: 2df505b37c492a622e2b5175beeb6a6248b69c5183960fd0464d7f82b7ef02f5.exe
  Resource: win10v2004-20220331-en
General

Target: 2df505b37c492a622e2b5175beeb6a6248b69c5183960fd0464d7f82b7ef02f5.exe
Size: 101KB
MD5: 73fa54775bec045e8c86793ec7c00dc2
SHA1: 5a204c087e9fb1a3426ac4adaa1b38b5aa87bba9
SHA256: 2df505b37c492a622e2b5175beeb6a6248b69c5183960fd0464d7f82b7ef02f5
SHA512: e319f2f7c19cfefd5d4ee97f07692b00e85de2c47b0e7ce9b97fe3c2ed1270a1059089d1135ac315d8df23e34f828674f630948ec2dc1b9998071cfcdf7cb91e
Malware Config

Extracted
Family: njrat
Version: im523
Botnet: Hacker
C2: 192.168.0.22:5552
Mutex: 0d122dd52a6e1fabf394b30dede2ed0a

Attributes
reg_key: 0d122dd52a6e1fabf394b30dede2ed0a
splitter: |'|'|

Only reg_key and splitter are labelled on the page; the Version, Botnet, C2 and Mutex labels follow the extractor's standard njRAT field order (im523 is the version tag carried by njRAT 0.7d builds). The same 32-character identifier is reused as the mutex, the Run value name and the Startup-folder filename (see Signatures). 192.168.0.22 is an RFC 1918 address, so this build can only reach its controller from inside that private network, which is consistent with a test or lab build. The splitter |'|'| is the field delimiter njRAT uses inside its C2 messages.
Signatures

Executes dropped EXE (1 IoC)
  Process: server.exe (PID 1796)

Modifies Windows Firewall (1 TTP)
  server.exe (PID 1796) spawns netsh.exe (PID 968) to add a firewall exception for itself; see the command line under Processes.

Drops startup file (2 IoCs)
  Process: server.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0d122dd52a6e1fabf394b30dede2ed0a.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0d122dd52a6e1fabf394b30dede2ed0a.exe

Loads dropped DLL (1 IoC)
  Process: 2df505b37c492a622e2b5175beeb6a6248b69c5183960fd0464d7f82b7ef02f5.exe (PID 1456)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: server.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows\CurrentVersion\Run\0d122dd52a6e1fabf394b30dede2ed0a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\0d122dd52a6e1fabf394b30dede2ed0a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
  Both values are named after the reg_key from the extracted config and point at the %TEMP% copy, so together with the Startup-folder copy the sample has three independent autostarts for one binary. The trailing " .." argument in the value data is characteristic of njRAT's Run entries.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (Generic signature description. njRAT's removable-drive spreading feature also enumerates drives, and no encryption-related signature fired in this run.)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Process: server.exe (PID 1796), 64 occurrences

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: server.exe (PID 1796)
  (Repeated foreground-window polling is consistent with a keylogger that tags keystrokes with the active window title.)

Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Process: server.exe (PID 1796)
  Token: SeDebugPrivilege (1 occurrence)
  Token: 33, i.e. LUID 33 = SeIncWorkingSetPrivilege (9 occurrences), each followed by
  Token: SeIncBasePriorityPrivilege (9 occurrences)

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1456 (2df505b37c492a622e2b5175beeb6a6248b69c5183960fd0464d7f82b7ef02f5.exe) wrote to memory of PID 1796 (server.exe): 4 times
  PID 1796 (server.exe) wrote to memory of PID 968 (netsh.exe): 4 times
  Both pairs are parent-to-child writes that match the process tree below, as happens when a parent creates a child; nothing here shows writes into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\2df505b37c492a622e2b5175beeb6a6248b69c5183960fd0464d7f82b7ef02f5.exe (PID 1456)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2df505b37c492a622e2b5175beeb6a6248b69c5183960fd0464d7f82b7ef02f5.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\server.exe (PID 1796, child of 1456)
    Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe (PID 968, child of 1796)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

The SysWOW64 netsh.exe path and the Wow6432Node Run value both show that server.exe runs as a 32-bit process on the 64-bit guest.
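The behaviour listed under Signatures and in the process tree translates directly into host-log detections. What follows is an added example, not part of the sandbox report or of any vendor tooling: a small Python matcher that runs this report's indicators over Sysmon-style events, generalised where the pattern is a property of njRAT rather than of this one build (a 32-hex-character Run value name and Startup filename, the trailing " .." in the Run value data, the netsh firewall add allowedprogram command) and kept exact for the extracted C2 socket. The pipe-delimited key=value event format, the EventID numbering and the sample lines are constructed for the example.

```python
"""Match njRAT host IoCs from the report above against Sysmon-style events.

Added example: the event format (pipe-delimited key=value fields, Sysmon
EventID numbers) and the sample lines below are constructed for illustration.
"""
import re

# Exact indicator taken from the extracted config above.
C2_HOST, C2_PORT = "192.168.0.22", 5552

# Rules generalised from the sample: (rule name, event field, pattern).
# njRAT names its Run value and Startup copy after a 32-hex-character
# identifier (here 0d122dd52a6e1fabf394b30dede2ed0a) and appends ' ..'
# to the Run value data, so these match the family rather than one build.
RULES = [
    ("njrat_firewall_exception", "CommandLine",
     re.compile(r"\bnetsh(\.exe)?\s+firewall\s+add\s+allowedprogram\b", re.I)),
    ("njrat_run_key", "TargetObject",
     re.compile(r"\\CurrentVersion\\Run\\[0-9a-f]{32}$", re.I)),
    ("njrat_run_value_dotdot", "Details",
     re.compile(r'\.exe"\s\.\.$', re.I)),
    ("njrat_startup_copy", "TargetFilename",
     re.compile(r"\\Start Menu\\Programs\\Startup\\[0-9a-f]{32}\.exe$", re.I)),
]

# Constructed sample events (not from the report): four mirror the sandbox
# observations (process create, registry set, file create, network connect),
# two are benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    r'EventID=1|Image=C:\Windows\SysWOW64\netsh.exe|ParentImage=C:\Users\Admin\AppData\Local\Temp\server.exe|CommandLine=netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE',
    r'EventID=13|Image=C:\Users\Admin\AppData\Local\Temp\server.exe|TargetObject=HKU\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows\CurrentVersion\Run\0d122dd52a6e1fabf394b30dede2ed0a|Details="C:\Users\Admin\AppData\Local\Temp\server.exe" ..',
    r'EventID=11|Image=C:\Users\Admin\AppData\Local\Temp\server.exe|TargetFilename=C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0d122dd52a6e1fabf394b30dede2ed0a.exe',
    r'EventID=3|Image=C:\Users\Admin\AppData\Local\Temp\server.exe|DestinationIp=192.168.0.22|DestinationPort=5552',
    r'EventID=1|Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe|CommandLine="C:\Windows\System32\notepad.exe" notes.txt',
    r'EventID=13|Image=C:\Program Files\Microsoft OneDrive\OneDrive.exe|TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive|Details="C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
]


def parse_event(line):
    """Split one pipe-delimited key=value line into a dict of fields."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def match_event(event):
    """Return the names of every rule the event satisfies, in RULES order."""
    hits = [name for name, field, rx in RULES
            if field in event and rx.search(event[field])]
    # Network events: exact socket match on the extracted C2 endpoint.
    if (event.get("DestinationIp") == C2_HOST
            and event.get("DestinationPort") == str(C2_PORT)):
        hits.append("njrat_c2_socket")
    return hits


def scan(lines):
    """Return [(1-based line number, [rule names])] for every line that fired."""
    results = []
    for number, line in enumerate(lines, start=1):
        hits = match_event(parse_event(line))
        if hits:
            results.append((number, hits))
    return results


if __name__ == "__main__":
    for number, hits in scan(SAMPLE_EVENTS):
        print(f"line {number}: {', '.join(hits)}")
```

The registry rule fires on the value name alone and the " .." rule on the value data alone, so a build that changes one of the two still trips the other; the socket rule is deliberately exact because a private C2 address is only meaningful on the network it was configured for.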
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 101KB
  MD5: 73fa54775bec045e8c86793ec7c00dc2
  SHA1: 5a204c087e9fb1a3426ac4adaa1b38b5aa87bba9
  SHA256: 2df505b37c492a622e2b5175beeb6a6248b69c5183960fd0464d7f82b7ef02f5
  SHA512: e319f2f7c19cfefd5d4ee97f07692b00e85de2c47b0e7ce9b97fe3c2ed1270a1059089d1135ac315d8df23e34f828674f630948ec2dc1b9998071cfcdf7cb91e
  Listed three times on the page (twice as C:\Users\Admin\AppData\Local\Temp\server.exe, once as \Users\Admin\AppData\Local\Temp\server.exe) with identical hashes. Those hashes are the submitted sample's own, so server.exe is a byte-for-byte copy of the original executable rather than a second-stage payload.

memory/968-62-0x0000000000000000-mapping.dmp
memory/968-63-0x00000000769C1000-0x00000000769C3000-memory.dmp (8KB)
memory/1456-54-0x0000000000960000-0x0000000000982000-memory.dmp (136KB)
memory/1456-55-0x0000000000300000-0x0000000000306000-memory.dmp (24KB)
memory/1456-56-0x0000000000310000-0x0000000000320000-memory.dmp (64KB)
memory/1796-58-0x0000000000000000-mapping.dmp
memory/1796-61-0x0000000001100000-0x0000000001122000-memory.dmp (136KB)

The 136KB regions in PID 1456 and PID 1796 are the same 0x22000-byte image mapped at different bases, which agrees with server.exe being a copy of the parent.