Analysis
- max time kernel: 149s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 04:31

Behavioral task: behavioral1
- Sample: 53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926.exe
- Resource: win7-20220414-en
General
- Target: 53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926.exe
- Size: 93KB
- MD5: 34307aa6518e2d8793bbcc79ecee7fc0
- SHA1: 019d4bd745bfc4d36f196ed6ed41d81e478c0d10
- SHA256: 53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926
- SHA512: 6ea91a8df045be7ea6fced1c0e67eeba4ecd1688f891a02feedd84c594eade0d67338158413fb97a8024ed4848858d2ac2cf0df656ea848d9a9af664d7177974
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet (campaign id): HacKed
- C2: FRANSESCOC50Y3Aubmdyb2suaW8Strik:MTM1Nzg=
  The extractor keeps the builder's encoding. The host is base64 wrapped in junk characters: the run OC50Y3Aubmdyb2suaW8 decodes to 8.tcp.ngrok.io, an ngrok TCP tunnel, so the operator's real address is hidden behind ngrok and the remote port typically changes each time the tunnel is restarted. The port MTM1Nzg= decodes to 13578.
- Mutex: 73137daa68006467b187b2f414df684d
- reg_key: 73137daa68006467b187b2f414df684d
- splitter: |'|'|
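What these config values mean in practice, shown as an added Python example that is not part of the sandbox report or of njRAT's own code. It decodes the C2 field (assuming, as the junk-wrapped base64 above suggests, that fixed offsets cannot be trusted, so it tries every substring and keeps the longest one that decodes to a hostname), rebuilds the Startup file name from reg_key and checks it against the drop recorded in this report, and frames and parses messages with the splitter using njRAT's length-prefixed wire format (decimal payload length, a NUL byte, then the splitter-joined fields). The check-in fields in the sample message are constructed and illustrative only; OBSERVED_STARTUP_DROP is copied from the "Drops startup file" signature.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Values copied from the extracted njRAT config above.
C2_FIELD = "FRANSESCOC50Y3Aubmdyb2suaW8Strik:MTM1Nzg="
REG_KEY = "73137daa68006467b187b2f414df684d"
SPLITTER = "|'|'|"
# Startup drop recorded under "Drops startup file", used as a cross-check.
OBSERVED_STARTUP_DROP = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu"
                         r"\Programs\Startup\73137daa68006467b187b2f414df684dWindows Update.exe")

_HOSTNAME = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$", re.I)


def b64_loose(chunk: str) -> Optional[bytes]:
    """Decode base64 that may lack '=' padding; None if the chunk is not base64."""
    if len(chunk) % 4 == 1:                      # impossible base64 length
        return None
    try:
        return base64.b64decode(chunk + "=" * (-len(chunk) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None


def recover_host(field: str) -> Optional[str]:
    """Longest substring of `field` that decodes to a plausible hostname.

    Assumption: the builder padded the base64 host with junk on both sides,
    so fixed offsets cannot be trusted and every substring is tried.
    """
    best = None
    for i in range(len(field)):
        for j in range(i + 2, len(field) + 1):
            raw = b64_loose(field[i:j])
            if raw is None or not raw.isascii():
                continue
            text = raw.decode("ascii")
            if text.isprintable() and _HOSTNAME.match(text):
                if best is None or len(text) > len(best):
                    best = text
    return best


def decode_c2(field: str) -> Tuple[Optional[str], Optional[int]]:
    """Split 'host_blob:port_b64' on the last colon and decode both halves."""
    host_blob, _, port_b64 = field.rpartition(":")
    raw_port = b64_loose(port_b64)
    port = int(raw_port) if raw_port and raw_port.isdigit() else None
    return recover_host(host_blob), port


def expected_startup_name(reg_key: str) -> str:
    """njRAT names its Startup-folder copy '<reg_key>Windows Update.exe'."""
    return reg_key + "Windows Update.exe"


def frame(fields: List[str]) -> bytes:
    """One njRAT message: decimal payload length, NUL, fields joined by the splitter."""
    payload = SPLITTER.join(fields).encode()
    return str(len(payload)).encode() + b"\x00" + payload


def parse_stream(buf: bytes) -> Tuple[List[List[str]], bytes]:
    """Pull complete messages off a TCP byte stream; return (messages, leftover)."""
    messages = []
    while True:
        nul = buf.find(b"\x00")
        if nul <= 0 or not buf[:nul].isdigit():
            break                                # no complete length prefix yet
        start = nul + 1
        end = start + int(buf[:nul])
        if len(buf) < end:
            break                                # partial frame, wait for more bytes
        messages.append(buf[start:end].decode("utf-8", "replace").split(SPLITTER))
        buf = buf[end:]
    return messages, buf


if __name__ == "__main__":
    print("c2:", decode_c2(C2_FIELD))
    name = expected_startup_name(REG_KEY)
    print("startup copy:", name, "(matches report)" if OBSERVED_STARTUP_DROP.endswith(name) else "")
    # Constructed check-in ("ll") message; the field order is illustrative only.
    wire = frame(["ll", "HacKed_" + REG_KEY, "WIN7-PC", "Admin", "0.7d"]) + b"12\x00partial"
    print(parse_stream(wire))
```

The substring search is deliberately brute force: the field is only 32 characters, and trying every window is cheaper than guessing how a particular cracked builder pads its strings. The parser keeps leftover bytes so it can be fed a live socket one recv() at a time.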
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) (fired twice; the rule keys on the splitter-delimited "ll" check-in message)
- Executes dropped EXE (1 IoC)
  Processes: server.exe (pid 1208)
- Modifies Windows Firewall (1 TTP)
- Drops startup file (4 IoCs)
  Processes: server.exe (pid 1208)
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73137daa68006467b187b2f414df684dWindows Update.exe
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73137daa68006467b187b2f414df684dWindows Update.exe
  The second file name is the config's reg_key followed by "Windows Update.exe", which is how njRAT names its Startup copy; the reg_key value is therefore a host indicator on its own.
- Loads dropped DLL (2 IoCs)
  Processes: 53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926.exe (pid 2024), two loads
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature adds "likely ransomware behaviour"; for njRAT the behaviour is explained by the RAT's file manager and removable-drive spreading, and nothing else in this report (no mass file modification, no ransom note) points to ransomware.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: server.exe (pid 1208)
  njRAT polls the foreground window title for its keylogger and active-window reporting.
- Suspicious use of AdjustPrivilegeToken (21 IoCs)
  Processes: server.exe (pid 1208)
    Token: SeDebugPrivilege (1)
    Token: 33 (10; privilege reported only by number)
    Token: SeIncBasePriorityPrivilege (10)
  The 33 / SeIncBasePriorityPrivilege entries alternate ten times after the single SeDebugPrivilege request.
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes:
    PID 2024 (53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926.exe) wrote to memory of 1208 (server.exe), 4 times
    PID 1208 (server.exe) wrote to memory of 1948 (netsh.exe), 4 times
    PID 1208 (server.exe) wrote to memory of 1608 (netsh.exe), 4 times
    PID 1208 (server.exe) wrote to memory of 896 (netsh.exe), 4 times
  Four writes into each freshly created child is the pattern this sandbox records for an ordinary CreateProcess (the parent populates the new process before it starts); the signal here is the parent/child chain (sample -> server.exe -> netsh.exe), not injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926.exe (pid 2024)
  Command line: "C:\Users\Admin\AppData\Local\Temp\53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\server.exe (pid 1208)
    Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - Executes dropped EXE
    - Drops startup file
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (pid 1948)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    - C:\Windows\SysWOW64\netsh.exe (pid 1608)
      Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - C:\Windows\SysWOW64\netsh.exe (pid 896)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

The three netsh children add, delete and re-add a Windows Firewall exception for server.exe through the deprecated "netsh firewall" context, which Windows 7 still accepts (with a deprecation notice) alongside "netsh advfirewall firewall". The SysWOW64 copy of netsh runs because the caller is a 32-bit process. The sequence is produced by the RAT's own install code rather than by a user, so all three command lines are the same indicator and a detection should not stop at the first "add". PIDs are taken from the WriteProcessMemory signature above.
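Host-side detection for the behaviour in this process tree, as an added Python example that is not part of the report or of any vendor's ruleset. It runs three rules over constructed Sysmon-style process-creation and file-create events modelled on the tree above (not real sandbox telemetry; EVENTS, proc and filew are this example's own): a firewall exception added for a binary in a user-writable path (both the legacy "netsh firewall" and the "netsh advfirewall" syntax), netsh.exe spawned by a parent in a user-writable path, and a Startup-folder write by such a binary. A fourth check flags add/delete/add churn on one program path. A benign administrator event is included to show that it does not fire.

```python
import re
from typing import Dict, List, Tuple

# Paths an unprivileged user can write to. A firewall exception for, or a Startup
# write by, a binary living here is far more suspicious than the same action for
# software installed under Program Files.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\local\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"

# Legacy "netsh firewall" and current "netsh advfirewall" forms of adding a program exception.
NETSH_ADD = re.compile(
    r'netsh\s+(?:firewall\s+add\s+allowedprogram\s+|advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=)'
    r'"?([^"]+?\.exe)"?(?=\s|$)', re.I | re.S)
# Legacy add/delete operations, to spot rule churn on one program path.
NETSH_OP = re.compile(r'netsh\s+firewall\s+(add|delete)\s+allowedprogram\s+"?([^"]+?\.exe)"?(?=\s|$)', re.I)

Event = Dict[str, object]
Finding = Tuple[str, int, str]


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in USER_WRITABLE)


def detect(events: List[Event]) -> List[Finding]:
    """Run three host rules over process-creation and file-create events."""
    findings: List[Finding] = []
    for e in events:
        image = str(e["image"]).lower()
        if e["type"] == "process" and image.endswith("\\netsh.exe"):
            m = NETSH_ADD.search(str(e["cmdline"]))
            if m and is_user_writable(m.group(1)):
                findings.append(("firewall_exception_for_user_writable_binary", int(e["pid"]), m.group(1)))
            if is_user_writable(str(e["parent_image"])):
                findings.append(("netsh_spawned_from_user_writable_path", int(e["pid"]), str(e["parent_image"])))
        elif e["type"] == "file" and STARTUP_DIR in str(e["target"]).lower() and is_user_writable(image):
            findings.append(("startup_folder_write_by_user_writable_binary", int(e["pid"]), str(e["target"])))
    return findings


def firewall_churn(events: List[Event], min_ops: int = 3) -> Dict[str, List[str]]:
    """Program paths whose legacy firewall exception is added/deleted repeatedly."""
    ops: Dict[str, List[str]] = {}
    for e in events:
        if e["type"] != "process" or not str(e["image"]).lower().endswith("\\netsh.exe"):
            continue
        m = NETSH_OP.search(str(e["cmdline"]))
        if m:
            ops.setdefault(m.group(2).lower(), []).append(m.group(1).lower())
    return {path: seq for path, seq in ops.items() if len(seq) >= min_ops}


def proc(pid, ppid, image, cmdline, parent_image) -> Event:
    return {"type": "process", "pid": pid, "ppid": ppid, "image": image,
            "cmdline": cmdline, "parent_image": parent_image}


def filew(pid, image, target) -> Event:
    return {"type": "file", "pid": pid, "image": image, "target": target}


# Constructed events modelled on the report's process tree; not sandbox telemetry.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926.exe"
SERVER = TEMP + r"\server.exe"
NETSH = r"C:\Windows\SysWOW64\netsh.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
EVENTS: List[Event] = [
    proc(2024, 1000, SAMPLE, f'"{SAMPLE}"', r"C:\Windows\explorer.exe"),
    proc(1208, 2024, SERVER, f'"{SERVER}"', SAMPLE),
    filew(1208, SERVER, STARTUP + r"\Microsoft Corporation.exe"),
    filew(1208, SERVER, STARTUP + r"\73137daa68006467b187b2f414df684dWindows Update.exe"),
    proc(1948, 1208, NETSH, f'netsh firewall add allowedprogram "{SERVER}" "server.exe" ENABLE', SERVER),
    proc(1608, 1208, NETSH, f'netsh firewall delete allowedprogram "{SERVER}"', SERVER),
    proc(896, 1208, NETSH, f'netsh firewall add allowedprogram "{SERVER}" "server.exe" ENABLE', SERVER),
    # Benign control: an admin shell allowing an installed agent should not fire.
    proc(3000, 2500, NETSH,
         r'netsh advfirewall firewall add rule name="Acme" dir=in action=allow program="C:\Program Files\Acme\agent.exe"',
         r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(*finding)
    print(firewall_churn(EVENTS))
```

Keying on the program path rather than on "netsh.exe" alone keeps the rules quiet on administrators and installers; the churn check is the cheap way to surface the add/delete/add pattern from this report even when a single "add" would be tolerated.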
Downloads
- C:\Users\Admin\AppData\Local\Temp\server.exe (listed twice under this path and twice more as \Users\Admin\AppData\Local\Temp\server.exe; all four entries carry the same hashes)
  Filesize: 93KB
  MD5: 34307aa6518e2d8793bbcc79ecee7fc0
  SHA1: 019d4bd745bfc4d36f196ed6ed41d81e478c0d10
  SHA256: 53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926
  SHA512: 6ea91a8df045be7ea6fced1c0e67eeba4ecd1688f891a02feedd84c594eade0d67338158413fb97a8024ed4848858d2ac2cf0df656ea848d9a9af664d7177974
  These are the hashes of the submitted sample: server.exe is a byte-for-byte copy of the parent written to %TEMP%, not a second-stage download, so one hash set covers both files when blocking.
- C:\Users\Admin\AppData\Roaming\app
  Filesize: 5B
  MD5: 53ce6d1ae8885b5d12e654469f456c83
  SHA1: 9d8b30c523ddef4d24134072b27716bec7d94d6f
  SHA256: d7ebf92ad6e3bc44fbc3cfbb234ef4afafd7ea339f712229641a2849b6f87ce2
  SHA512: c15df9281e9ccbb8d30e24e751b77a030e734f8cda4bd9482d3ca02f6b23e463a8e90ddd78a582ca059e57b8d0492c22583d792bc7368094ffc06e12cd145d9d
- memory/896-67-0x0000000000000000-mapping.dmp
- memory/1208-58-0x0000000000000000-mapping.dmp
- memory/1208-63-0x0000000074B90000-0x000000007513B000-memory.dmp (Filesize: 5.7MB)
- memory/1608-66-0x0000000000000000-mapping.dmp
- memory/1948-64-0x0000000000000000-mapping.dmp
- memory/2024-54-0x0000000076011000-0x0000000076013000-memory.dmp (Filesize: 8KB)
- memory/2024-55-0x0000000074B90000-0x000000007513B000-memory.dmp (Filesize: 5.7MB)
  The 0x74B90000-0x7513B000 region is dumped from both pid 2024 and pid 1208 at the same address and size, i.e. the same module mapped in parent and child.