Analysis
- max time kernel: 151s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 24-05-2022 21:55
Behavioral task: behavioral1
- Sample: 792d4d7a1a0c7b192b231f03ef1b2c905f382a152bfc145702f2902c9e8efc79.exe
- Resource: win7-20220414-en
General
- Target: 792d4d7a1a0c7b192b231f03ef1b2c905f382a152bfc145702f2902c9e8efc79.exe
- Size: 93KB
- MD5: 618baf8e7c20ee01ebddec4d8830ab71
- SHA1: 5006da7e81c4b1b20607f1a201f92526c0861238
- SHA256: 792d4d7a1a0c7b192b231f03ef1b2c905f382a152bfc145702f2902c9e8efc79
- SHA512: 1d02345297c0fe5243674024934be9beca6cc2108bd83eb594cc82054dea117823d5f6940245438cf65e8078cdc1d64daac2b81d954e9666b84d0c4bdc7530e4
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Hacker
- aGFja2hvc3RuYW1lLmhvcHRvLm9yZwStrikStrik:MTk4NA==
- c6941743bce17ae335bca7d6739b33d7
- reg_key: c6941743bce17ae335bca7d6739b33d7
- splitter: |'|'|
Signatures
- Disables Task Manager via registry modification
- Executes dropped EXE (1 IoC)
  Processes: server.exe, PID 964
- Modifies Windows Firewall (1 TTP)
- Drops startup file (4 IoCs)
  Processes (all by server.exe):
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c6941743bce17ae335bca7d6739b33d7Windows Update.exe
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c6941743bce17ae335bca7d6739b33d7Windows Update.exe
- Loads dropped DLL (2 IoCs)
  Processes: 792d4d7a1a0c7b192b231f03ef1b2c905f382a152bfc145702f2902c9e8efc79.exe, PID 1984 (2 occurrences)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: server.exe, PID 964
- Suspicious use of AdjustPrivilegeToken (21 IoCs)
  Processes (all by server.exe, PID 964):
  - Token: SeDebugPrivilege (1 occurrence)
  - Token: 33 (10 occurrences, alternating with the next entry)
  - Token: SeIncBasePriorityPrivilege (10 occurrences)
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (source PID and process, target PID and process):
  - PID 1984 792d4d7a1a0c7b192b231f03ef1b2c905f382a152bfc145702f2902c9e8efc79.exe wrote to memory of PID 964 server.exe (4 occurrences)
  - PID 964 server.exe wrote to memory of PID 1524 netsh.exe (4 occurrences)
  - PID 964 server.exe wrote to memory of PID 1228 netsh.exe (4 occurrences)
  - PID 964 server.exe wrote to memory of PID 688 netsh.exe (4 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\792d4d7a1a0c7b192b231f03ef1b2c905f382a152bfc145702f2902c9e8efc79.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\792d4d7a1a0c7b192b231f03ef1b2c905f382a152bfc145702f2902c9e8efc79.exe"
  PID: 1984
  Signatures:
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Users\Admin\AppData\Roaming\server.exe
    Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
    PID: 964
    Signatures:
    - Executes dropped EXE
    - Drops startup file
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
      PID: 1524
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
      PID: 1228
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
      PID: 688
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\app
  Filesize: 5B
  MD5: 8fc22f973bec7f0525710dcf02f05edf
  SHA1: 418f88fe2c59f8d9579994aec4034d785e8ac00c
  SHA256: ba0e21ceb11b1ec62709b0141373ce65de5a156b822c9b6d3c3f9ed9ab224a46
  SHA512: ac280118b4b0ee9643ecc464bfc91682ccccd530efa81dcc3d9471044305d59de661f865560206f089822299cb431dbad9f81a16ad667251375746d406f2b44d
- C:\Users\Admin\AppData\Roaming\server.exe
  Filesize: 93KB
  MD5: 618baf8e7c20ee01ebddec4d8830ab71
  SHA1: 5006da7e81c4b1b20607f1a201f92526c0861238
  SHA256: 792d4d7a1a0c7b192b231f03ef1b2c905f382a152bfc145702f2902c9e8efc79
  SHA512: 1d02345297c0fe5243674024934be9beca6cc2108bd83eb594cc82054dea117823d5f6940245438cf65e8078cdc1d64daac2b81d954e9666b84d0c4bdc7530e4
- memory/688-67-0x0000000000000000-mapping.dmp
- memory/964-58-0x0000000000000000-mapping.dmp
- memory/964-63-0x00000000744F0000-0x0000000074A9B000-memory.dmp
  Filesize: 5.7MB
- memory/1228-66-0x0000000000000000-mapping.dmp
- memory/1524-64-0x0000000000000000-mapping.dmp
- memory/1984-54-0x00000000752D1000-0x00000000752D3000-memory.dmp
  Filesize: 8KB
- memory/1984-55-0x00000000744F0000-0x0000000074A9B000-memory.dmp
  Filesize: 5.7MB