Analysis
- max time kernel: 152s
- max time network: 189s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 25-06-2022 20:48

Tasks
- Static task: static1
- Behavioral task: behavioral1, sample 3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d.exe, resource win7-20220414-en
- Behavioral task: behavioral2, sample 3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d.exe, resource win10v2004-20220414-en (the run whose results are reported below)
General
- Target: 3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d.exe
- Size: 3.8MB
- MD5: 4252f2ca6c16c3406294894a496714bb
- SHA1: 549d7f01ab15ba44b77bcb4601929b19efe21619
- SHA256: 3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d
- SHA512: 8db3820e025871a8e410ab5ccde92526fc31c1095e06757e9efd697aa0289e4199a9384b4006fe5f4026a02222a34c43cb893e3e030ab1e6cdf757f1a9c4760d
Malware Config
Extracted
- family: njrat
- version: 0.7d
- campaign ID: Sentry
- C2: connertyler58.ddns.net:5537 (a dynamic DNS name; the report records no resolved IP, so resolve it at triage time and pivot on the hostname rather than an address)
- bee015c03df24a72bb52e5f747515b7e (field label missing on the page; the same value appears as the reg_key, as the Run value name and as the Startup-folder filename in the signatures below)
- reg_key: bee015c03df24a72bb52e5f747515b7e
- splitter: |'|'| (five characters: pipe, apostrophe, pipe, apostrophe, pipe; the delimiter njRAT places between fields of each message to its C2)
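The extracted config is enough to build both the host IoCs the sandbox went on to record and a decoder for the bot's traffic. The block below is an added example, not code from the report or from the malware: the splitter, reg_key and C2 are taken from the config above, while the length-prefixed framing (ASCII decimal byte length, a NUL byte, then the payload) and the field order of the sample registration message are assumptions based on how njRAT 0.7d traffic is commonly described, and the sample message itself is constructed.

```python
"""njRAT 0.7d frame codec and host-IoC derivation from the extracted config.

Added example, not code from the report or from the malware. Values marked
"from the config" are the ones listed on the page; the length-prefixed
framing ("<decimal byte length>" + NUL + payload) and the field order of
the sample "ll" registration message are assumptions, and the message is
constructed.
"""

SPLITTER = "|'|'|"                                   # from the config
REG_KEY = "bee015c03df24a72bb52e5f747515b7e"         # from the config
C2_HOST, C2_PORT = "connertyler58.ddns.net", 5537     # from the config


def host_iocs(reg_key: str) -> dict:
    """Host artefacts this config produces; they match the Run-key and
    Startup-folder entries the sandbox recorded for Sentry.exe."""
    run_path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    return {
        "run_value_hkcu": "HKCU\\" + run_path + "\\" + reg_key,
        "run_value_hklm_wow": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows"
                              "\\CurrentVersion\\Run\\" + reg_key,
        "startup_file": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs"
                        "\\Startup\\" + reg_key + ".exe",
    }


def encode_frame(fields) -> bytes:
    """Serialise one message: fields joined by the splitter, prefixed with
    the UTF-8 byte length as ASCII decimal and a NUL (assumed framing)."""
    payload = SPLITTER.join(fields).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def decode_frames(buf: bytes):
    """Split a TCP byte stream into complete messages.

    Returns (frames, remainder): frames is a list of field lists, remainder
    is any trailing partial frame to prepend to the next read. Raises on a
    non-numeric length prefix so a wedged or non-njRAT stream is noticed
    rather than silently consumed.
    """
    frames = []
    while True:
        nul = buf.find(b"\x00")
        if nul < 0:
            break                                   # no complete prefix yet
        prefix = buf[:nul]
        if not prefix.isdigit() or len(prefix) > 9:
            raise ValueError(f"bad njRAT length prefix: {prefix!r}")
        n, start = int(prefix), nul + 1
        if len(buf) - start < n:
            break                                   # partial frame, wait
        payload = buf[start:start + n].decode("utf-8", errors="replace")
        frames.append(payload.split(SPLITTER))
        buf = buf[start + n:]
    return frames, buf


# Constructed registration-style message (field order is an assumption).
SAMPLE_FIELDS = ["ll", REG_KEY, "DESKTOP-SANDBOX", "Admin", "22-06-25", "",
                 "Win 10 Pro SP0 x64", "No", "0.7d", "..", "", ""]
SAMPLE_FRAME = encode_frame(SAMPLE_FIELDS)

if __name__ == "__main__":
    print("C2:", f"{C2_HOST}:{C2_PORT}")
    for k, v in host_iocs(REG_KEY).items():
        print(f"{k}: {v}")
    frames, rest = decode_frames(SAMPLE_FRAME + encode_frame(["inf"]) + b"12\x00par")
    print(frames, rest)
```

Feeding a pcap's reassembled TCP payload for port 5537 into decode_frames one read at a time is the usual way to use this; the remainder handling matters because the bot's larger messages (screenshots, file listings) routinely span segments.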
Signatures
- Executes dropped EXE (4 IoCs)
  Processes:
  - PID 1812 Sentry Mba.exe
  - PID 1200 Sentry_MBA.exe
  - PID 4260 Serve.exe
  - PID 2904 Sentry.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
  No detail row is given on the page; the IoC is the netsh.exe command in the process tree below, which adds C:\Users\Admin\AppData\Local\Temp\Sentry.exe as an allowed program.
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
  - Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation by 3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation by Serve.exe
- Drops startup file (4 IoCs)
  Processes:
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Serve.exe by Sentry Mba.exe
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Serve.exe by Sentry Mba.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bee015c03df24a72bb52e5f747515b7e.exe by Sentry.exe
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bee015c03df24a72bb52e5f747515b7e.exe by Sentry.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  - Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bee015c03df24a72bb52e5f747515b7e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Sentry.exe\" .." by Sentry.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bee015c03df24a72bb52e5f747515b7e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Sentry.exe\" .." by Sentry.exe
  The value name is the reg_key from the extracted config, and the same binary is written under both the per-user and the 32-bit machine-wide Run keys.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  - flow 15: checkip.dyndns.org
- AutoIT Executable (2 IoCs)
  AutoIT scripts compiled to PE executables.
  Processes:
  - yara rule autoit_exe matched C:\Users\Admin\AppData\Local\Temp\Sentry Mba.exe (two resource hits on the same file)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The generic signature text calls this likely ransomware behaviour; for this sample the extracted config identifies an njRAT payload and the report records no file encryption, so plain drive enumeration by the RAT is the more likely reading.
- Suspicious use of AdjustPrivilegeToken (17 IoCs)
  Processes:
  - PID 1200 Sentry_MBA.exe: Token 33, SeIncBasePriorityPrivilege
  - PID 2904 Sentry.exe: SeDebugPrivilege once, then Token 33 and SeIncBasePriorityPrivilege seven times each
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  - PID 1812 Sentry Mba.exe
  - PID 1200 Sentry_MBA.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (each parent wrote to its child three times):
  - PID 4284 3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d.exe wrote to PID 1812 Sentry Mba.exe
  - PID 1812 Sentry Mba.exe wrote to PID 1200 Sentry_MBA.exe
  - PID 1812 Sentry Mba.exe wrote to PID 4260 Serve.exe
  - PID 4260 Serve.exe wrote to PID 2904 Sentry.exe
  - PID 2904 Sentry.exe wrote to PID 4588 netsh.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d.exe (PID 4284)
   command line: "C:\Users\Admin\AppData\Local\Temp\3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Sentry Mba.exe (PID 1812)
      command line: "C:\Users\Admin\AppData\Local\Temp\Sentry Mba.exe"
      - Executes dropped EXE
      - Drops startup file
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\Sentry_MBA.exe (PID 1200)
         command line: C:\Users\Admin\AppData\Local\Temp/Sentry_MBA.exe (recorded with the forward slash exactly as the AutoIT-compiled parent launched it)
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
      3. C:\Users\Admin\AppData\Local\Temp\Serve.exe (PID 4260)
         command line: C:\Users\Admin\AppData\Local\Temp/Serve.exe
         - Executes dropped EXE
         - Checks computer location settings
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\Sentry.exe (PID 2904)
            command line: "C:\Users\Admin\AppData\Local\Temp\Sentry.exe"
            - Executes dropped EXE
            - Drops startup file
            - Adds Run key to start application
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\netsh.exe (PID 4588)
               command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Sentry.exe" "Sentry.exe" ENABLE
               - Modifies Windows Firewall
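The chain above is the detection opportunity: a Startup-folder drop, a Run value pointing into %TEMP%, and a netsh exception for that same %TEMP% binary, all from one process lineage. The following is an added example of that logic, not the sandbox's own signature code. The event records are constructed from the IoC rows on this page plus one benign control record (an OneDrive Run value) that I made up so the filters have something to pass; the record field names are my own, and the advfirewall form of the netsh parser goes beyond what this report shows.

```python
"""Detection logic for the persistence chain in the report above: a
Startup-folder drop, a Run-key value pointing into %TEMP%, and a netsh
firewall exception for the same binary, correlated by path.

Added example, not the sandbox's signature code. EVENTS is constructed
from the IoC rows on the page plus one made-up benign control record; the
record field names ("kind", "proc", "path", "value", "cmdline", "parent")
are my own.
"""
import re

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
# First token of a Run value, quoted or bare, with arguments dropped.
IMAGE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')
# Legacy "netsh firewall add allowedprogram [program=]<path> ..." as seen in
# the report, and the newer "netsh advfirewall firewall add rule ... program=<path>".
NETSH_LEGACY = re.compile(
    r'^\s*netsh(?:\.exe)?\s+firewall\s+(?:add|set)\s+allowedprogram\s+'
    r'(?:program=)?(?:"([^"]+)"|(\S+))', re.I)
NETSH_ADV = re.compile(
    r'^\s*netsh(?:\.exe)?\s+advfirewall\s+firewall\s+add\s+rule\b.*?'
    r'\bprogram=(?:"([^"]+)"|(\S+))', re.I)


def netsh_allowed_program(cmdline: str):
    """Return the program path a netsh command whitelists, or None."""
    for rx in (NETSH_LEGACY, NETSH_ADV):
        m = rx.search(cmdline)
        if m:
            return m.group(1) or m.group(2)
    return None


def run_value_image(value: str):
    """Executable named by a Run value, without its arguments."""
    m = IMAGE_RE.match(value)
    return (m.group(1) or m.group(2)) if m else None


def analyse(events):
    """One finding per matching event: (rule, actor process, path)."""
    findings = []
    for e in events:
        if e["kind"] == "file_create" and STARTUP_RE.search(e["path"]):
            findings.append(("startup_folder_drop", e["proc"], e["path"]))
        elif e["kind"] == "reg_set" and RUN_KEY_RE.search(e["path"]):
            image = run_value_image(e["value"])
            if image and TEMP_RE.search(image):
                findings.append(("run_key_to_temp", e["proc"], image))
        elif e["kind"] == "process":
            prog = netsh_allowed_program(e.get("cmdline", ""))
            if prog and TEMP_RE.search(prog):
                findings.append(("firewall_exception_for_temp_binary",
                                 e.get("parent", "?"), prog))
    return findings


def correlate(findings):
    """Binaries that both persist via a Run key and get a firewall hole:
    the combination the report shows for Sentry.exe."""
    persisted = {p.lower() for r, _, p in findings if r == "run_key_to_temp"}
    holed = {p.lower() for r, _, p in findings if r.startswith("firewall_exception")}
    return persisted & holed


STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
EVENTS = [  # constructed from the report's IoC rows
    {"kind": "file_create", "proc": "Sentry Mba.exe", "path": STARTUP + r"\Serve.exe"},
    {"kind": "file_create", "proc": "Sentry.exe",
     "path": STARTUP + r"\bee015c03df24a72bb52e5f747515b7e.exe"},
    {"kind": "reg_set", "proc": "Sentry.exe",
     "path": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bee015c03df24a72bb52e5f747515b7e",
     "value": r'"C:\Users\Admin\AppData\Local\Temp\Sentry.exe" ..'},
    {"kind": "reg_set", "proc": "Sentry.exe",
     "path": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bee015c03df24a72bb52e5f747515b7e",
     "value": r'"C:\Users\Admin\AppData\Local\Temp\Sentry.exe" ..'},
    {"kind": "process", "proc": "netsh.exe", "parent": "Sentry.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Sentry.exe" "Sentry.exe" ENABLE'},
    {"kind": "reg_set", "proc": "explorer.exe",  # benign control, made up
     "path": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(*f)
    print("persist + firewall hole:", sorted(correlate(analyse(EVENTS))))
```

The individual rules are noisy on their own (installers write Run values, and some legitimate software does add firewall exceptions), which is why correlate() only promotes a path that hits both the persistence and the firewall rule; in this report that is exactly one binary.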
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Sentry Mba.exe
  Filesize: 4.0MB
  MD5: 1f2b981bfc803ac08b55f59528c3ce4e
  SHA1: df106e0905f71f801e56947142c52d85e83b06e5
  SHA256: 208e272faf3bdc617e21ddb65401cdb39b3fbafa20cfe27fd5a76286ab21469a
  SHA512: e727df9dcc5cbfb0ceb282d52d0e6f9424d9fba2cfb1f383a86777c0fc3c728a21e0323ee4429da4ee73854f8dfd24d8feab9abb9107ec56a0a4bf8dfd88fc81
- C:\Users\Admin\AppData\Local\Temp\Sentry.exe
  Filesize: 23KB
  MD5: 1f0e83e8c080cba527f0681efcc85d59
  SHA1: 250a4f504db39447d76b3e86e8c29fdca51e5aaa
  SHA256: 12519b4c97068cd26911e4fb4b81f7f1f6693beb6c22e0257d3593c197c4c2c2
  SHA512: 3fcae50558aefd7064e1ba82442b4d9baeb718827349e9ab3ddf3c2e4e4686152ac957ea1e6c6feb9d699d7ffaeb507f97e95feec9fe2bdf658019d4fa166ea5
- C:\Users\Admin\AppData\Local\Temp\Sentry_MBA.exe
  Filesize: 5.3MB
  MD5: 8c1d28b620a6c5e5a9978a871dcfd04f
  SHA1: 274f59cf34efda4013a98147f2d3d8bcd198b467
  SHA256: 9a9a7ceffa44d417947d80b9ac68eb7cdf80d875e400be7ba7b3115714fa37fb
  SHA512: 4718208002ea1e084da167f123b59ef874355fd07e50f987ca3f547701a839d95d66f9be81f4839bfe7eaf32af87b6cb33d8f98d5151c10c2ef84bd3c5b6e48f
- C:\Users\Admin\AppData\Local\Temp\Serve.exe
  Filesize: 23KB
  MD5: 1f0e83e8c080cba527f0681efcc85d59
  SHA1: 250a4f504db39447d76b3e86e8c29fdca51e5aaa
  SHA256: 12519b4c97068cd26911e4fb4b81f7f1f6693beb6c22e0257d3593c197c4c2c2
  SHA512: 3fcae50558aefd7064e1ba82442b4d9baeb718827349e9ab3ddf3c2e4e4686152ac957ea1e6c6feb9d699d7ffaeb507f97e95feec9fe2bdf658019d4fa166ea5
Serve.exe and Sentry.exe are byte-identical (same size and hashes): the 23KB binary is the component that sets the Run keys, drops the reg_key-named Startup file and opens the firewall, written once as Serve.exe and relaunched from %TEMP% as Sentry.exe. The 4.0MB AutoIT carrier and the 5.3MB Sentry_MBA.exe are separate files with their own hashes, so block on all three SHA256 values, not only the parent sample's.
- memory/1200-133-0x0000000000000000-mapping.dmp
- memory/1812-130-0x0000000000000000-mapping.dmp
- memory/2904-140-0x0000000000000000-mapping.dmp
- memory/2904-144-0x0000000072F70000-0x0000000073521000-memory.dmp (Filesize: 5.7MB)
- memory/2904-145-0x0000000072F70000-0x0000000073521000-memory.dmp (Filesize: 5.7MB)
- memory/4260-136-0x0000000000000000-mapping.dmp
- memory/4260-139-0x0000000072F70000-0x0000000073521000-memory.dmp (Filesize: 5.7MB)
- memory/4260-143-0x0000000072F70000-0x0000000073521000-memory.dmp (Filesize: 5.7MB)
- memory/4588-146-0x0000000000000000-mapping.dmp