Analysis
Max time kernel: 151s
Max time network: 50s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 25-06-2022 20:48
Static task: static1
Behavioral task: behavioral1
  Sample: 3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d.exe
  Resource: win10v2004-20220414-en
General
Target: 3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d.exe
Size: 3.8MB
MD5: 4252f2ca6c16c3406294894a496714bb
SHA1: 549d7f01ab15ba44b77bcb4601929b19efe21619
SHA256: 3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d
SHA512: 8db3820e025871a8e410ab5ccde92526fc31c1095e06757e9efd697aa0289e4199a9384b4006fe5f4026a02222a34c43cb893e3e030ab1e6cdf757f1a9c4760d
Malware Config
Extracted
  Family: njrat
  Version: 0.7d
  Botnet: Sentry
  C2: connertyler58.ddns.net:5537
  Mutex: bee015c03df24a72bb52e5f747515b7e
  Attributes:
    reg_key: bee015c03df24a72bb52e5f747515b7e
    splitter: |'|'|
Signatures

Executes dropped EXE (4 IoCs)
Processes:
  pid | process
  980 | Sentry Mba.exe
  1600 | Sentry_MBA.exe
  1684 | Serve.exe
  1664 | Sentry.exe
Modifies Windows Firewall (1 TTPs, 1 IoCs)
Drops startup file (4 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bee015c03df24a72bb52e5f747515b7e.exe | Sentry.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Serve.exe | Sentry Mba.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Serve.exe | Sentry Mba.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bee015c03df24a72bb52e5f747515b7e.exe | Sentry.exe
Loads dropped DLL (8 IoCs)
Processes:
  pid | process
  1280 | 3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d.exe
  1280 | 3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d.exe
  1280 | 3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d.exe
  1280 | 3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d.exe
  980 | Sentry Mba.exe
  980 | Sentry Mba.exe
  980 | Sentry Mba.exe
  1684 | Serve.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\bee015c03df24a72bb52e5f747515b7e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Sentry.exe\" .." | Sentry.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bee015c03df24a72bb52e5f747515b7e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Sentry.exe\" .." | Sentry.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  1 | checkip.dyndns.org
AutoIT Executable (6 IoCs)
AutoIT scripts compiled to PE executables.
Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\Sentry Mba.exe | autoit_exe
  \Users\Admin\AppData\Local\Temp\Sentry Mba.exe | autoit_exe
  \Users\Admin\AppData\Local\Temp\Sentry Mba.exe | autoit_exe
  \Users\Admin\AppData\Local\Temp\Sentry Mba.exe | autoit_exe
  C:\Users\Admin\AppData\Local\Temp\Sentry Mba.exe | autoit_exe
  C:\Users\Admin\AppData\Local\Temp\Sentry Mba.exe | autoit_exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (21 IoCs)
Processes:
  description | pid | process
  Token: 33 | 1600 | Sentry_MBA.exe
  Token: SeIncBasePriorityPrivilege | 1600 | Sentry_MBA.exe
  Token: SeDebugPrivilege | 1664 | Sentry.exe
  Token: 33 | 1664 | Sentry.exe
  Token: SeIncBasePriorityPrivilege | 1664 | Sentry.exe
  Token: 33 | 1664 | Sentry.exe
  Token: SeIncBasePriorityPrivilege | 1664 | Sentry.exe
  Token: 33 | 1664 | Sentry.exe
  Token: SeIncBasePriorityPrivilege | 1664 | Sentry.exe
  Token: 33 | 1664 | Sentry.exe
  Token: SeIncBasePriorityPrivilege | 1664 | Sentry.exe
  Token: 33 | 1664 | Sentry.exe
  Token: SeIncBasePriorityPrivilege | 1664 | Sentry.exe
  Token: 33 | 1664 | Sentry.exe
  Token: SeIncBasePriorityPrivilege | 1664 | Sentry.exe
  Token: 33 | 1664 | Sentry.exe
  Token: SeIncBasePriorityPrivilege | 1664 | Sentry.exe
  Token: 33 | 1664 | Sentry.exe
  Token: SeIncBasePriorityPrivilege | 1664 | Sentry.exe
  Token: 33 | 1664 | Sentry.exe
  Token: SeIncBasePriorityPrivilege | 1664 | Sentry.exe
Suspicious use of WriteProcessMemory (20 IoCs)
Processes:
  description | pid | process | target process
  PID 1280 wrote to memory of 980 | 1280 | 3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d.exe | Sentry Mba.exe
  PID 1280 wrote to memory of 980 | 1280 | 3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d.exe | Sentry Mba.exe
  PID 1280 wrote to memory of 980 | 1280 | 3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d.exe | Sentry Mba.exe
  PID 1280 wrote to memory of 980 | 1280 | 3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d.exe | Sentry Mba.exe
  PID 980 wrote to memory of 1600 | 980 | Sentry Mba.exe | Sentry_MBA.exe
  PID 980 wrote to memory of 1600 | 980 | Sentry Mba.exe | Sentry_MBA.exe
  PID 980 wrote to memory of 1600 | 980 | Sentry Mba.exe | Sentry_MBA.exe
  PID 980 wrote to memory of 1600 | 980 | Sentry Mba.exe | Sentry_MBA.exe
  PID 980 wrote to memory of 1684 | 980 | Sentry Mba.exe | Serve.exe
  PID 980 wrote to memory of 1684 | 980 | Sentry Mba.exe | Serve.exe
  PID 980 wrote to memory of 1684 | 980 | Sentry Mba.exe | Serve.exe
  PID 980 wrote to memory of 1684 | 980 | Sentry Mba.exe | Serve.exe
  PID 1684 wrote to memory of 1664 | 1684 | Serve.exe | Sentry.exe
  PID 1684 wrote to memory of 1664 | 1684 | Serve.exe | Sentry.exe
  PID 1684 wrote to memory of 1664 | 1684 | Serve.exe | Sentry.exe
  PID 1684 wrote to memory of 1664 | 1684 | Serve.exe | Sentry.exe
  PID 1664 wrote to memory of 968 | 1664 | Sentry.exe | netsh.exe
  PID 1664 wrote to memory of 968 | 1664 | Sentry.exe | netsh.exe
  PID 1664 wrote to memory of 968 | 1664 | Sentry.exe | netsh.exe
  PID 1664 wrote to memory of 968 | 1664 | Sentry.exe | netsh.exe
Processes

C:\Users\Admin\AppData\Local\Temp\3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Sentry Mba.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sentry Mba.exe"
    - Executes dropped EXE
    - Drops startup file
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Sentry_MBA.exe
      Command line: C:\Users\Admin\AppData\Local\Temp/Sentry_MBA.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\Serve.exe
      Command line: C:\Users\Admin\AppData\Local\Temp/Serve.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\Sentry.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Sentry.exe"
        - Executes dropped EXE
        - Drops startup file
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\netsh.exe
          Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Sentry.exe" "Sentry.exe" ENABLE
          - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\Sentry Mba.exe
  Filesize: 4.0MB
  MD5: 1f2b981bfc803ac08b55f59528c3ce4e
  SHA1: df106e0905f71f801e56947142c52d85e83b06e5
  SHA256: 208e272faf3bdc617e21ddb65401cdb39b3fbafa20cfe27fd5a76286ab21469a
  SHA512: e727df9dcc5cbfb0ceb282d52d0e6f9424d9fba2cfb1f383a86777c0fc3c728a21e0323ee4429da4ee73854f8dfd24d8feab9abb9107ec56a0a4bf8dfd88fc81

C:\Users\Admin\AppData\Local\Temp\Sentry.exe
  Filesize: 23KB
  MD5: 1f0e83e8c080cba527f0681efcc85d59
  SHA1: 250a4f504db39447d76b3e86e8c29fdca51e5aaa
  SHA256: 12519b4c97068cd26911e4fb4b81f7f1f6693beb6c22e0257d3593c197c4c2c2
  SHA512: 3fcae50558aefd7064e1ba82442b4d9baeb718827349e9ab3ddf3c2e4e4686152ac957ea1e6c6feb9d699d7ffaeb507f97e95feec9fe2bdf658019d4fa166ea5

C:\Users\Admin\AppData\Local\Temp\Sentry_MBA.exe
  Filesize: 5.3MB
  MD5: 8c1d28b620a6c5e5a9978a871dcfd04f
  SHA1: 274f59cf34efda4013a98147f2d3d8bcd198b467
  SHA256: 9a9a7ceffa44d417947d80b9ac68eb7cdf80d875e400be7ba7b3115714fa37fb
  SHA512: 4718208002ea1e084da167f123b59ef874355fd07e50f987ca3f547701a839d95d66f9be81f4839bfe7eaf32af87b6cb33d8f98d5151c10c2ef84bd3c5b6e48f

C:\Users\Admin\AppData\Local\Temp\Serve.exe
  Filesize: 23KB
  MD5: 1f0e83e8c080cba527f0681efcc85d59
  SHA1: 250a4f504db39447d76b3e86e8c29fdca51e5aaa
  SHA256: 12519b4c97068cd26911e4fb4b81f7f1f6693beb6c22e0257d3593c197c4c2c2
  SHA512: 3fcae50558aefd7064e1ba82442b4d9baeb718827349e9ab3ddf3c2e4e4686152ac957ea1e6c6feb9d699d7ffaeb507f97e95feec9fe2bdf658019d4fa166ea5

\Users\Admin\AppData\Local\Temp\Sentry Mba.exe
  Filesize: 4.0MB
  MD5: 1f2b981bfc803ac08b55f59528c3ce4e
  SHA1: df106e0905f71f801e56947142c52d85e83b06e5
  SHA256: 208e272faf3bdc617e21ddb65401cdb39b3fbafa20cfe27fd5a76286ab21469a
  SHA512: e727df9dcc5cbfb0ceb282d52d0e6f9424d9fba2cfb1f383a86777c0fc3c728a21e0323ee4429da4ee73854f8dfd24d8feab9abb9107ec56a0a4bf8dfd88fc81

\Users\Admin\AppData\Local\Temp\Sentry.exe
  Filesize: 23KB
  MD5: 1f0e83e8c080cba527f0681efcc85d59
  SHA1: 250a4f504db39447d76b3e86e8c29fdca51e5aaa
  SHA256: 12519b4c97068cd26911e4fb4b81f7f1f6693beb6c22e0257d3593c197c4c2c2
  SHA512: 3fcae50558aefd7064e1ba82442b4d9baeb718827349e9ab3ddf3c2e4e4686152ac957ea1e6c6feb9d699d7ffaeb507f97e95feec9fe2bdf658019d4fa166ea5

\Users\Admin\AppData\Local\Temp\Sentry_MBA.exe
  Filesize: 5.3MB
  MD5: 8c1d28b620a6c5e5a9978a871dcfd04f
  SHA1: 274f59cf34efda4013a98147f2d3d8bcd198b467
  SHA256: 9a9a7ceffa44d417947d80b9ac68eb7cdf80d875e400be7ba7b3115714fa37fb
  SHA512: 4718208002ea1e084da167f123b59ef874355fd07e50f987ca3f547701a839d95d66f9be81f4839bfe7eaf32af87b6cb33d8f98d5151c10c2ef84bd3c5b6e48f

\Users\Admin\AppData\Local\Temp\Serve.exe
  Filesize: 23KB
  MD5: 1f0e83e8c080cba527f0681efcc85d59
  SHA1: 250a4f504db39447d76b3e86e8c29fdca51e5aaa
  SHA256: 12519b4c97068cd26911e4fb4b81f7f1f6693beb6c22e0257d3593c197c4c2c2
  SHA512: 3fcae50558aefd7064e1ba82442b4d9baeb718827349e9ab3ddf3c2e4e4686152ac957ea1e6c6feb9d699d7ffaeb507f97e95feec9fe2bdf658019d4fa166ea5

Memory dumps
  memory/968-81-0x0000000000000000-mapping.dmp
  memory/980-59-0x0000000000000000-mapping.dmp
  memory/1280-54-0x0000000076181000-0x0000000076183000-memory.dmp (Filesize: 8KB)
  memory/1600-65-0x0000000000000000-mapping.dmp
  memory/1664-75-0x0000000000000000-mapping.dmp
  memory/1664-80-0x0000000074810000-0x0000000074DBB000-memory.dmp (Filesize: 5.7MB)
  memory/1664-83-0x0000000074810000-0x0000000074DBB000-memory.dmp (Filesize: 5.7MB)
  memory/1684-69-0x0000000000000000-mapping.dmp
  memory/1684-73-0x0000000074810000-0x0000000074DBB000-memory.dmp (Filesize: 5.7MB)
  memory/1684-79-0x0000000074810000-0x0000000074DBB000-memory.dmp (Filesize: 5.7MB)