Analysis
- max time kernel: 150s
- max time network: 40s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 13:30
Behavioral task: behavioral1
- Sample: 1aea4cc5eed0fbf9bc14cecbab4b67a90754cb303eff6948ef147f7afa813eb4.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 1aea4cc5eed0fbf9bc14cecbab4b67a90754cb303eff6948ef147f7afa813eb4.exe
- Resource: win10v2004-20220414-en
General
- Target: 1aea4cc5eed0fbf9bc14cecbab4b67a90754cb303eff6948ef147f7afa813eb4.exe
- Size: 23KB
- MD5: 264cc8acfd74b2dc61c4601ebed22625
- SHA1: 4d34a5a2f1cfeb7841bfe6ae06d4dc5075da557c
- SHA256: 1aea4cc5eed0fbf9bc14cecbab4b67a90754cb303eff6948ef147f7afa813eb4
- SHA512: 8eeb2615c76fcd9ba9a6e6859fcf3d85ecbb46694bd0c5be20506f0fbe0ff67727985c592cf80a91011468696006592081556ef9ac1e65754054a6dac245da9f
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: ranjeethubb-47583.portmap.io:47583
- Mutex: 784d648927e34213cad028b43aa070c4
- reg_key: 784d648927e34213cad028b43aa070c4
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes: server.exe (pid 1736)
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Processes: server.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\784d648927e34213cad028b43aa070c4.exe
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\784d648927e34213cad028b43aa070c4.exe
- Loads dropped DLL (1 IoC)
  Processes: 1aea4cc5eed0fbf9bc14cecbab4b67a90754cb303eff6948ef147f7afa813eb4.exe (pid 1936)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: server.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\784d648927e34213cad028b43aa070c4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\784d648927e34213cad028b43aa070c4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Processes: server.exe (pid 1736)
  - Token: SeDebugPrivilege (once)
  - Token: 33 and Token: SeIncBasePriorityPrivilege, alternating, 9 times each
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 1aea4cc5eed0fbf9bc14cecbab4b67a90754cb303eff6948ef147f7afa813eb4.exe, server.exe
  - PID 1936 (1aea4cc5eed0fbf9bc14cecbab4b67a90754cb303eff6948ef147f7afa813eb4.exe) wrote to memory of PID 1736 (server.exe), 4 times
  - PID 1736 (server.exe) wrote to memory of PID 1488 (netsh.exe), 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\1aea4cc5eed0fbf9bc14cecbab4b67a90754cb303eff6948ef147f7afa813eb4.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1aea4cc5eed0fbf9bc14cecbab4b67a90754cb303eff6948ef147f7afa813eb4.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\server.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\server.exe (same hashes as the submitted target)
  Filesize: 23KB
  MD5: 264cc8acfd74b2dc61c4601ebed22625
  SHA1: 4d34a5a2f1cfeb7841bfe6ae06d4dc5075da557c
  SHA256: 1aea4cc5eed0fbf9bc14cecbab4b67a90754cb303eff6948ef147f7afa813eb4
  SHA512: 8eeb2615c76fcd9ba9a6e6859fcf3d85ecbb46694bd0c5be20506f0fbe0ff67727985c592cf80a91011468696006592081556ef9ac1e65754054a6dac245da9f
- memory/1488-62-0x0000000000000000-mapping.dmp
- memory/1736-57-0x0000000000000000-mapping.dmp
- memory/1736-61-0x00000000748C0000-0x0000000074E6B000-memory.dmp
  Filesize: 5.7MB
- memory/1936-54-0x00000000757C1000-0x00000000757C3000-memory.dmp
  Filesize: 8KB
- memory/1936-55-0x00000000748C0000-0x0000000074E6B000-memory.dmp
  Filesize: 5.7MB