Analysis
Max time kernel: 150s
Max time network: 46s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 20-05-2022 14:26
Behavioral task behavioral1
Sample: 5a8c05db738e43447bc36122d5e83a8c2b1cfd34b6c8036bfa946b95bf16cc83.exe
Resource: win7-20220414-en
Behavioral task behavioral2
Sample: 5a8c05db738e43447bc36122d5e83a8c2b1cfd34b6c8036bfa946b95bf16cc83.exe
Resource: win10v2004-20220414-en
General
Target: 5a8c05db738e43447bc36122d5e83a8c2b1cfd34b6c8036bfa946b95bf16cc83.exe
Size: 23KB
MD5: dafc19b65a1d5c42989e2258f51cbe44
SHA1: d87e886de1bd237ece73a000ed8e2891b0e7d241
SHA256: 5a8c05db738e43447bc36122d5e83a8c2b1cfd34b6c8036bfa946b95bf16cc83
SHA512: 605e24bba49573d01a85e53d406f97540bf10312bf221c896d10e78eb1b237f19c7e46ed04ab8540a6f27aedbe5e48d3724c72503cb3ec8fe85c7834e62aa4ca
Malware Config
Extracted
Family: njrat
Version: 0.7d
Campaign ID: HacKed (the njRAT builder default)
C2: 127.0.0.1:8808
Mutex: f974c04cda44f6d8679500cc9da12bdb
reg_key: f974c04cda44f6d8679500cc9da12bdb
splitter: |'|'|
The C2 is the loopback address, so this build can only talk to a controller on the infected host itself; treat the reg_key value and the dropped C:\Windows\server.exe as the actionable indicators rather than the network config.
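As an added example, not part of this report and not njRAT's own code: a parser for the C2 framing that the splitter above belongs to. The framing (an ASCII decimal length, a NUL byte, then exactly that many payload bytes, with the payload's fields joined by the configured splitter) is my understanding of the 0.7d client; "ll" is the client's initial check-in command, but the field values in the constructed sample stream below are made up and their order should not be taken as authoritative. The parser keeps an incomplete trailing frame for the next read instead of dropping it, and refuses to resynchronise silently on a bad length prefix.

```python
SPLITTER = b"|'|'|"  # the splitter value from the extracted config above


class FrameError(ValueError):
    """Raised when the stream does not start with a well-formed length prefix."""


def read_frames(buf: bytes):
    """Split a TCP stream buffer into complete frames.

    Returns (payloads, remainder): the payload bytes of every complete frame, and
    any trailing partial frame the caller should keep and re-parse once more data
    arrives. A malformed length prefix raises FrameError rather than being skipped,
    so a desynchronised stream is noticed instead of silently mis-parsed.
    """
    payloads = []
    pos = 0
    while pos < len(buf):
        nul = buf.find(b"\x00", pos)
        if nul == -1:
            break  # length prefix not yet complete
        prefix = buf[pos:nul]
        if not prefix.isdigit() or len(prefix) > 10:
            raise FrameError("bad length prefix at offset %d: %r" % (pos, prefix))
        start = nul + 1
        end = start + int(prefix)
        if end > len(buf):
            break  # payload not yet complete
        payloads.append(buf[start:end])
        pos = end
    return payloads, buf[pos:]


def split_fields(payload: bytes, splitter: bytes = SPLITTER):
    """Return (command, fields) by splitting a payload on the configured splitter.

    Field contents are attacker-controlled, so undecodable bytes are replaced
    rather than allowed to raise.
    """
    parts = payload.split(splitter)
    decoded = [p.decode("utf-8", "replace") for p in parts]
    return decoded[0], decoded[1:]


def frame(command: str, *fields: str, splitter: bytes = SPLITTER) -> bytes:
    """Encode one frame the same way; used here only to build sample traffic."""
    payload = splitter.join(s.encode("utf-8") for s in (command,) + fields)
    return str(len(payload)).encode("ascii") + b"\x00" + payload


# Constructed sample stream (not captured traffic): an "ll" check-in whose field
# values are made up, an "inf" request, then a frame cut off mid-payload to
# exercise the buffering path.
SAMPLE_STREAM = (
    frame("ll", "HacKed", "WIN7-PC", "Admin", "20-05-22", "0.7d")
    + frame("inf")
    + b"12\x00partial"
)


def parse_stream(buf: bytes = SAMPLE_STREAM):
    """Parse a buffer into [(command, fields), ...] plus the unconsumed remainder."""
    payloads, remainder = read_frames(buf)
    return [split_fields(p) for p in payloads], remainder


if __name__ == "__main__":
    messages, remainder = parse_stream()
    for command, fields in messages:
        print(command, fields)
    print("buffered for next read:", remainder)
```

The same two functions can be pointed at a reassembled TCP stream from a capture: feed each chunk through read_frames, carry the remainder forward, and split only the complete payloads.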
Signatures
Executes dropped EXE (1 IoC)
Process: server.exe, PID 1720
Modifies Windows Firewall (1 TTP)
Evidence: the netsh command in the process tree below, which adds C:\Windows\server.exe to the firewall's allowed programs.
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: server.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\f974c04cda44f6d8679500cc9da12bdb = "\"C:\\Windows\\server.exe\" .."
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f974c04cda44f6d8679500cc9da12bdb = "\"C:\\Windows\\server.exe\" .."
The value name is the reg_key from the extracted config. The HKLM write lands under Wow6432Node because the 32-bit implant runs under WOW64 on this x64 host, so a hunt for the persistence must check both the native and the redirected Run key.
Drops file in Windows directory (1 IoC)
Process: 5a8c05db738e43447bc36122d5e83a8c2b1cfd34b6c8036bfa946b95bf16cc83.exe
File created: C:\Windows\server.exe
Creating a file in the root of C:\Windows needs an elevated token; the drop and the HKLM Run value both succeeded here because the sandbox ran the sample with that privilege, and both would fail for a standard user.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature adds "likely ransomware behaviour"; for an njRAT build the drive enumeration comes from its file-manager and removable-drive features, and nothing else in this report (a single file created, no rename or bulk write activity) supports ransomware.
Suspicious use of AdjustPrivilegeToken (17 IoCs)
Process: server.exe, PID 1720
Token: SeDebugPrivilege (1 event)
Token: 33 (8 events, reported numerically) alternating with Token: SeIncBasePriorityPrivilege (8 events)
Suspicious use of WriteProcessMemory (8 IoCs)
PID 1224 (5a8c05db738e43447bc36122d5e83a8c2b1cfd34b6c8036bfa946b95bf16cc83.exe) wrote to memory of PID 1720 (server.exe): 4 events
PID 1720 (server.exe) wrote to memory of PID 1632 (netsh.exe): 4 events
Both sets are parent-to-child writes that match the process tree below; no write into an unrelated process is recorded.
Processes
1. C:\Users\Admin\AppData\Local\Temp\5a8c05db738e43447bc36122d5e83a8c2b1cfd34b6c8036bfa946b95bf16cc83.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5a8c05db738e43447bc36122d5e83a8c2b1cfd34b6c8036bfa946b95bf16cc83.exe"
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\server.exe
      Command line: "C:\Windows\server.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
The netsh call uses the legacy "netsh firewall" context, deprecated in favour of "netsh advfirewall firewall" but still accepted. A process creation event for netsh.exe with "firewall add allowedprogram" on its command line is a high-signal detection on its own, since legitimate software rarely adds its own exception this way.
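As an added example, not part of this report or of any vendor's detection content: the three behaviours in the tree above (self-copy into the root of C:\Windows, a Run value pointing at that copy, and a netsh firewall exception for it) expressed as detection rules over Sysmon-style events. Field names follow Sysmon (EventID 1 process create, 11 file create, 13 registry value set), but the event records are hand-built to mirror the report, with two benign controls, and are not real log output.

```python
import re

# Added example, not from the report: rules for the behaviours in the process
# tree above, run over constructed Sysmon-style event dicts.

WINDOWS_ROOT = "c:\\windows\\"
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")
RUN_KEY_RE = re.compile(r"\\software\\(wow6432node\\)?microsoft\\windows\\currentversion\\run\\", re.I)
NETSH_FW_RE = re.compile(r"\bnetsh(\.exe)?\s+(advfirewall\s+)?firewall\s+add\s+(allowedprogram|rule)\b", re.I)
FIRST_EXE_RE = re.compile(r'\s*"?([^"]+?\.exe)"?', re.I)


def exe_in_windows_root(path: str) -> bool:
    """True for an .exe placed directly in the Windows directory, not a subdirectory."""
    p = path.lower()
    if not p.startswith(WINDOWS_ROOT) or not p.endswith(".exe"):
        return False
    return "\\" not in p[len(WINDOWS_ROOT):]


def rule_self_copy_into_windows(ev):
    """EID 11: a process running from a user-writable path creates an .exe in the Windows root."""
    if ev.get("EventID") != 11:
        return None
    image = ev["Image"].lower()
    if exe_in_windows_root(ev["TargetFilename"]) and any(d in image for d in USER_WRITABLE):
        return "drop: %s wrote %s" % (ev["Image"], ev["TargetFilename"])
    return None


def rule_run_key_to_windows_root(ev):
    """EID 13: a Run value (native or Wow6432Node) whose command points at an .exe in the Windows root."""
    if ev.get("EventID") != 13 or not RUN_KEY_RE.search(ev["TargetObject"]):
        return None
    m = FIRST_EXE_RE.match(ev["Details"])
    if m and exe_in_windows_root(m.group(1)):
        return "persist: %s -> %s" % (ev["TargetObject"], ev["Details"])
    return None


def rule_netsh_firewall_exception(ev):
    """EID 1: netsh adding a firewall exception; the parent is reported so the analyst sees who asked."""
    if ev.get("EventID") != 1 or not NETSH_FW_RE.search(ev["CommandLine"]):
        return None
    return "firewall: %s spawned %s" % (ev.get("ParentImage", "?"), ev["CommandLine"])


RULES = (rule_self_copy_into_windows, rule_run_key_to_windows_root, rule_netsh_firewall_exception)


def scan(events):
    """Apply every rule to every event; findings come back in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


SAMPLE = "5a8c05db738e43447bc36122d5e83a8c2b1cfd34b6c8036bfa946b95bf16cc83.exe"
DROPPER = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE
COPY = "C:\\Windows\\server.exe"
RUN_VALUE = "f974c04cda44f6d8679500cc9da12bdb"  # reg_key from the extracted config

# Constructed to mirror the report's process tree; not real Sysmon output.
MALICIOUS_EVENTS = [
    {"EventID": 11, "Image": DROPPER, "TargetFilename": COPY},
    {"EventID": 13, "Image": COPY,
     "TargetObject": "HKU\\S-1-5-21-1083475884-596052423-1669053738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" + RUN_VALUE,
     "Details": '"C:\\Windows\\server.exe" ..'},
    {"EventID": 13, "Image": COPY,
     "TargetObject": "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\" + RUN_VALUE,
     "Details": '"C:\\Windows\\server.exe" ..'},
    {"EventID": 1, "Image": "C:\\Windows\\SysWOW64\\netsh.exe", "ParentImage": COPY,
     "CommandLine": 'netsh firewall add allowedprogram "C:\\Windows\\server.exe" "server.exe" ENABLE'},
]

# Benign controls (also constructed): an installer registering its own tray app,
# and a service writing under a Windows subdirectory.
BENIGN_EVENTS = [
    {"EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray",
     "Details": '"C:\\Program Files\\Vendor\\tray.exe"'},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\Temp\\cab1234.tmp"},
]

if __name__ == "__main__":
    for finding in scan(MALICIOUS_EVENTS + BENIGN_EVENTS):
        print(finding)
```

The Run-key rule deliberately matches both the native and the Wow6432Node path, because which one a 32-bit implant lands in depends on the host's bitness, not on the malware.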
Network
No network indicators are listed in this report. That is consistent with the extracted C2 being the loopback address (127.0.0.1:8808): this build cannot reach an operator from the sandbox, so the host artefacts above (C:\Windows\server.exe, the Run value and the firewall exception) are the indicators worth acting on.
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Windows\server.exe (reported twice; both entries identical)
Filesize: 23KB
MD5: dafc19b65a1d5c42989e2258f51cbe44
SHA1: d87e886de1bd237ece73a000ed8e2891b0e7d241
SHA256: 5a8c05db738e43447bc36122d5e83a8c2b1cfd34b6c8036bfa946b95bf16cc83
SHA512: 605e24bba49573d01a85e53d406f97540bf10312bf221c896d10e78eb1b237f19c7e46ed04ab8540a6f27aedbe5e48d3724c72503cb3ec8fe85c7834e62aa4ca
All four hashes match the submitted sample, so server.exe is a byte-for-byte self-copy rather than an unpacked or embedded second stage; one hash set covers both the original and the persisted file.
memory/1224-54-0x0000000076531000-0x0000000076533000-memory.dmp: 8KB
memory/1224-55-0x0000000074AE0000-0x000000007508B000-memory.dmp: 5.7MB
memory/1632-61-0x0000000000000000-mapping.dmp
memory/1720-56-0x0000000000000000-mapping.dmp
memory/1720-60-0x0000000074AE0000-0x000000007508B000-memory.dmp: 5.7MB