Analysis
-
max time kernel
187s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
20-05-2022 06:10
Behavioral task
behavioral1
Sample
f2fa9802bd004a3a349d986456b69d8ddf46133430500ce455aaab2b38df154d.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
f2fa9802bd004a3a349d986456b69d8ddf46133430500ce455aaab2b38df154d.exe
Resource
win10v2004-20220414-en
General
-
Target
f2fa9802bd004a3a349d986456b69d8ddf46133430500ce455aaab2b38df154d.exe
-
Size
23KB
-
MD5
d333f303d8e78b7fe5eaaa43637d8473
-
SHA1
a524da5844c7400c9fdaa305e34762578eeecbae
-
SHA256
f2fa9802bd004a3a349d986456b69d8ddf46133430500ce455aaab2b38df154d
-
SHA512
2838b599d7d9649f892a1f45f0003ea6b292aeca00597c18cec3e628420f7baf63c050ce3fb2980860ba32ce476e05bd9f708d3382f75e45b1c923295d54a05d
Malware Config
Extracted
njrat
0.7d
HacKed
127.0.0.1:1604
ad050a4ca40647f4c68a5e56134a59c2
-
reg_key
ad050a4ca40647f4c68a5e56134a59c2
-
splitter
|'|'|
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
server.exepid process 1660 server.exe -
Modifies Windows Firewall 1 TTPs
-
Drops startup file 2 IoCs
Processes:
server.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ad050a4ca40647f4c68a5e56134a59c2.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ad050a4ca40647f4c68a5e56134a59c2.exe server.exe -
Loads dropped DLL 1 IoCs
Processes:
f2fa9802bd004a3a349d986456b69d8ddf46133430500ce455aaab2b38df154d.exepid process 1072 f2fa9802bd004a3a349d986456b69d8ddf46133430500ce455aaab2b38df154d.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
server.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ad050a4ca40647f4c68a5e56134a59c2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .." server.exe Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\ad050a4ca40647f4c68a5e56134a59c2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .." server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
Processes:
server.exedescription pid process Token: SeDebugPrivilege 1660 server.exe Token: 33 1660 server.exe Token: SeIncBasePriorityPrivilege 1660 server.exe Token: 33 1660 server.exe Token: SeIncBasePriorityPrivilege 1660 server.exe Token: 33 1660 server.exe Token: SeIncBasePriorityPrivilege 1660 server.exe Token: 33 1660 server.exe Token: SeIncBasePriorityPrivilege 1660 server.exe Token: 33 1660 server.exe Token: SeIncBasePriorityPrivilege 1660 server.exe Token: 33 1660 server.exe Token: SeIncBasePriorityPrivilege 1660 server.exe Token: 33 1660 server.exe Token: SeIncBasePriorityPrivilege 1660 server.exe Token: 33 1660 server.exe Token: SeIncBasePriorityPrivilege 1660 server.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
f2fa9802bd004a3a349d986456b69d8ddf46133430500ce455aaab2b38df154d.exeserver.exedescription pid process target process PID 1072 wrote to memory of 1660 1072 f2fa9802bd004a3a349d986456b69d8ddf46133430500ce455aaab2b38df154d.exe server.exe PID 1072 wrote to memory of 1660 1072 f2fa9802bd004a3a349d986456b69d8ddf46133430500ce455aaab2b38df154d.exe server.exe PID 1072 wrote to memory of 1660 1072 f2fa9802bd004a3a349d986456b69d8ddf46133430500ce455aaab2b38df154d.exe server.exe PID 1072 wrote to memory of 1660 1072 f2fa9802bd004a3a349d986456b69d8ddf46133430500ce455aaab2b38df154d.exe server.exe PID 1660 wrote to memory of 1348 1660 server.exe netsh.exe PID 1660 wrote to memory of 1348 1660 server.exe netsh.exe PID 1660 wrote to memory of 1348 1660 server.exe netsh.exe PID 1660 wrote to memory of 1348 1660 server.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f2fa9802bd004a3a349d986456b69d8ddf46133430500ce455aaab2b38df154d.exe"C:\Users\Admin\AppData\Local\Temp\f2fa9802bd004a3a349d986456b69d8ddf46133430500ce455aaab2b38df154d.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\server.exe"C:\Users\Admin\AppData\Roaming\server.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\server.exeFilesize
23KB
MD5d333f303d8e78b7fe5eaaa43637d8473
SHA1a524da5844c7400c9fdaa305e34762578eeecbae
SHA256f2fa9802bd004a3a349d986456b69d8ddf46133430500ce455aaab2b38df154d
SHA5122838b599d7d9649f892a1f45f0003ea6b292aeca00597c18cec3e628420f7baf63c050ce3fb2980860ba32ce476e05bd9f708d3382f75e45b1c923295d54a05d
-
C:\Users\Admin\AppData\Roaming\server.exeFilesize
23KB
MD5d333f303d8e78b7fe5eaaa43637d8473
SHA1a524da5844c7400c9fdaa305e34762578eeecbae
SHA256f2fa9802bd004a3a349d986456b69d8ddf46133430500ce455aaab2b38df154d
SHA5122838b599d7d9649f892a1f45f0003ea6b292aeca00597c18cec3e628420f7baf63c050ce3fb2980860ba32ce476e05bd9f708d3382f75e45b1c923295d54a05d
-
\Users\Admin\AppData\Roaming\server.exeFilesize
23KB
MD5d333f303d8e78b7fe5eaaa43637d8473
SHA1a524da5844c7400c9fdaa305e34762578eeecbae
SHA256f2fa9802bd004a3a349d986456b69d8ddf46133430500ce455aaab2b38df154d
SHA5122838b599d7d9649f892a1f45f0003ea6b292aeca00597c18cec3e628420f7baf63c050ce3fb2980860ba32ce476e05bd9f708d3382f75e45b1c923295d54a05d
-
memory/1072-54-0x0000000075841000-0x0000000075843000-memory.dmpFilesize
8KB
-
memory/1072-55-0x0000000074720000-0x0000000074CCB000-memory.dmpFilesize
5.7MB
-
memory/1348-62-0x0000000000000000-mapping.dmp
-
memory/1660-57-0x0000000000000000-mapping.dmp
-
memory/1660-61-0x0000000074720000-0x0000000074CCB000-memory.dmpFilesize
5.7MB