Analysis
- max time kernel: 152s
- max time network: 192s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 23:57
Behavioral task: behavioral1
- Sample: e981ef67974d92e71149c2d4a15deae7459df117b7619c7ea4d9b581da0b42d0.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: e981ef67974d92e71149c2d4a15deae7459df117b7619c7ea4d9b581da0b42d0.exe
- Resource: win10v2004-20220414-en
General
- Target: e981ef67974d92e71149c2d4a15deae7459df117b7619c7ea4d9b581da0b42d0.exe
- Size: 37KB
- MD5: dc30bf9e8cb09779d323ee38d22b1899
- SHA1: f71fcca1a7261ab6976d584b9cac2bcacef78634
- SHA256: e981ef67974d92e71149c2d4a15deae7459df117b7619c7ea4d9b581da0b42d0
- SHA512: c3df01f37a4e82c528a8b7ecf9cc20796af92a18b2cd8c684e7700b9df8069fc159c6a37a3717aa71568a4ff2911d5a0866b7eea490cca75e8909121a3210673
Malware Config
Extracted
- Family: njrat
- Version: im523
- Botnet ID: HacKed
- C2: 192.168.0.14:5552
- Mutex: 1f944304fc89b1ac93b5268ff3ea2fff
- reg_key: 1f944304fc89b1ac93b5268ff3ea2fff
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes: server.exe (pid 2020)
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Processes (server.exe):
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f944304fc89b1ac93b5268ff3ea2fff.exe
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f944304fc89b1ac93b5268ff3ea2fff.exe
- Loads dropped DLL (1 IoC)
  Processes: e981ef67974d92e71149c2d4a15deae7459df117b7619c7ea4d9b581da0b42d0.exe (pid 972)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (server.exe):
  - Set value (str): \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\1f944304fc89b1ac93b5268ff3ea2fff = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\1f944304fc89b1ac93b5268ff3ea2fff = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
- Drops autorun.inf file (1 TTP)
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoC)
  Processes: taskkill.exe (pid 1956)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: server.exe (pid 2020), recorded 64 times
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: server.exe (pid 2020)
- Suspicious use of AdjustPrivilegeToken (20 IoCs)
  Processes:
  - taskkill.exe (pid 1956): Token: SeDebugPrivilege
  - server.exe (pid 2020): Token: SeDebugPrivilege, followed by Token: 33 and Token: SeIncBasePriorityPrivilege alternating, 9 times each
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source pid wrote to memory of target pid):
  - PID 972 (e981ef67974d92e71149c2d4a15deae7459df117b7619c7ea4d9b581da0b42d0.exe) wrote to memory of 2020 (server.exe), 4 times
  - PID 2020 (server.exe) wrote to memory of 1184 (netsh.exe), 4 times
  - PID 2020 (server.exe) wrote to memory of 1956 (taskkill.exe), 4 times
Processes (process tree; depth shown by indentation)
1. C:\Users\Admin\AppData\Local\Temp\e981ef67974d92e71149c2d4a15deae7459df117b7619c7ea4d9b581da0b42d0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e981ef67974d92e71149c2d4a15deae7459df117b7619c7ea4d9b581da0b42d0.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\server.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /F /IM Exsample.exe
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\server.exe
  - Filesize: 37KB
  - MD5: dc30bf9e8cb09779d323ee38d22b1899
  - SHA1: f71fcca1a7261ab6976d584b9cac2bcacef78634
  - SHA256: e981ef67974d92e71149c2d4a15deae7459df117b7619c7ea4d9b581da0b42d0
  - SHA512: c3df01f37a4e82c528a8b7ecf9cc20796af92a18b2cd8c684e7700b9df8069fc159c6a37a3717aa71568a4ff2911d5a0866b7eea490cca75e8909121a3210673
  (all four hashes match the submitted sample)
- \Users\Admin\AppData\Local\Temp\server.exe
  - Filesize: 37KB
  - MD5: dc30bf9e8cb09779d323ee38d22b1899
  - SHA1: f71fcca1a7261ab6976d584b9cac2bcacef78634
  - SHA256: e981ef67974d92e71149c2d4a15deae7459df117b7619c7ea4d9b581da0b42d0
  - SHA512: c3df01f37a4e82c528a8b7ecf9cc20796af92a18b2cd8c684e7700b9df8069fc159c6a37a3717aa71568a4ff2911d5a0866b7eea490cca75e8909121a3210673
Memory dumps
- memory/972-54-0x00000000753B1000-0x00000000753B3000-memory.dmp (Filesize: 8KB)
- memory/972-55-0x00000000748C0000-0x0000000074E6B000-memory.dmp (Filesize: 5.7MB)
- memory/1184-62-0x0000000000000000-mapping.dmp
- memory/1956-63-0x0000000000000000-mapping.dmp
- memory/2020-57-0x0000000000000000-mapping.dmp
- memory/2020-61-0x00000000748C0000-0x0000000074E6B000-memory.dmp (Filesize: 5.7MB)