Analysis
- max time kernel: 152s
- max time network: 166s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 08-05-2022 18:00
Behavioral task: behavioral1
- Sample: a56b590f350305bacd33b60e5c866c5ad9fb6a318ea8d9afe5149c1a49171d6d.exe
- Resource: win7-20220414-en
General
- Target: a56b590f350305bacd33b60e5c866c5ad9fb6a318ea8d9afe5149c1a49171d6d.exe
- Size: 93KB
- MD5: acc1465e2be291e70935abc7cf4bd21c
- SHA1: f9ddf1b9d275e9b17fed8057eedddda15fef4a4a
- SHA256: a56b590f350305bacd33b60e5c866c5ad9fb6a318ea8d9afe5149c1a49171d6d
- SHA512: 9173864524173d00839dd518766136537ec82ae2637b6c2fe16788eaba72068fe08dfcbb4e15d9de0c6aa8f2bb1aa025ba2902fe8e7acb8eaad5bed39429f213
Malware Config
Extracted:
- Family: njrat
- Version: 0.7d
- HacKer
- FRANSESCOjUuFRANSESCOjkuFRANSESCOTFRANSESCOyLjEwNAStrikStrik:MTYwNA==
- 43eaed72e15ff576accb4dc56c41f93d
- reg_key: 43eaed72e15ff576accb4dc56c41f93d
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  pid 896 server.exe
- Modifies Windows Firewall (1 TTP)
- Drops startup file (4 IoCs)
  Processes (server.exe):
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe (server.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe (server.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\43eaed72e15ff576accb4dc56c41f93dWindows Update.exe (server.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\43eaed72e15ff576accb4dc56c41f93dWindows Update.exe (server.exe)
- Loads dropped DLL (2 IoCs)
  Processes:
  pid 1156 a56b590f350305bacd33b60e5c866c5ad9fb6a318ea8d9afe5149c1a49171d6d.exe (2 occurrences)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  pid 896 server.exe (64 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  pid 896 server.exe
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Processes:
  Token: SeDebugPrivilege, pid 896 server.exe (1 occurrence)
  Token: 33, pid 896 server.exe (9 occurrences)
  Token: SeIncBasePriorityPrivilege, pid 896 server.exe (9 occurrences)
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes:
  PID 1156 (a56b590f350305bacd33b60e5c866c5ad9fb6a318ea8d9afe5149c1a49171d6d.exe) wrote to memory of PID 896 (server.exe): 4 occurrences
  PID 896 (server.exe) wrote to memory of PID 1284 (netsh.exe): 4 occurrences
  PID 896 (server.exe) wrote to memory of PID 304 (netsh.exe): 4 occurrences
  PID 896 (server.exe) wrote to memory of PID 916 (netsh.exe): 4 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\a56b590f350305bacd33b60e5c866c5ad9fb6a318ea8d9afe5149c1a49171d6d.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a56b590f350305bacd33b60e5c866c5ad9fb6a318ea8d9afe5149c1a49171d6d.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\server.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - Executes dropped EXE
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 93KB
  MD5: acc1465e2be291e70935abc7cf4bd21c
  SHA1: f9ddf1b9d275e9b17fed8057eedddda15fef4a4a
  SHA256: a56b590f350305bacd33b60e5c866c5ad9fb6a318ea8d9afe5149c1a49171d6d
  SHA512: 9173864524173d00839dd518766136537ec82ae2637b6c2fe16788eaba72068fe08dfcbb4e15d9de0c6aa8f2bb1aa025ba2902fe8e7acb8eaad5bed39429f213
- C:\Users\Admin\AppData\Roaming\app
  Filesize: 4B
  MD5: 5fa01e3399c29de16299d5f4ac743fb2
  SHA1: 04e29a03c4a56cf097701f34d6d2999b93035327
  SHA256: 6918b0e9f3af6051db0828a0ec9b353222b84164dab5ed3c85310eefce166223
  SHA512: 5492642165fb12e782f71ba84e8a673ecc047a8a8b3f2f59b64fa8200212326d36ed576fd119ffd0134f1daa03d14069ead81f0e29c2d59de10cdf4bbf2dc90c
- \Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 93KB
  MD5: acc1465e2be291e70935abc7cf4bd21c
  SHA1: f9ddf1b9d275e9b17fed8057eedddda15fef4a4a
  SHA256: a56b590f350305bacd33b60e5c866c5ad9fb6a318ea8d9afe5149c1a49171d6d
  SHA512: 9173864524173d00839dd518766136537ec82ae2637b6c2fe16788eaba72068fe08dfcbb4e15d9de0c6aa8f2bb1aa025ba2902fe8e7acb8eaad5bed39429f213
- memory/304-66-0x0000000000000000-mapping.dmp
- memory/896-58-0x0000000000000000-mapping.dmp
- memory/896-62-0x0000000073FB0000-0x000000007455B000-memory.dmp
  Filesize: 5.7MB
- memory/916-67-0x0000000000000000-mapping.dmp
- memory/1156-54-0x0000000074F91000-0x0000000074F93000-memory.dmp
  Filesize: 8KB
- memory/1156-55-0x0000000073FB0000-0x000000007455B000-memory.dmp
  Filesize: 5.7MB
- memory/1284-64-0x0000000000000000-mapping.dmp