Analysis
max time kernel: 253s
max time network: 47s
platform: windows7_x64
resource: win7-20220414-en
submitted: 26-06-2022 03:18
Static task: static1
Behavioral task: behavioral1
  Sample: 3634048707083bfcd9ab1f27f0bf0420b261eaaa40ecc9c86ef3758262614b7b.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 3634048707083bfcd9ab1f27f0bf0420b261eaaa40ecc9c86ef3758262614b7b.exe
  Resource: win10v2004-20220414-en
General
Target: 3634048707083bfcd9ab1f27f0bf0420b261eaaa40ecc9c86ef3758262614b7b.exe
Size: 23KB
MD5: 55bc0ba7e8f548de834a7090d6d08ab4
SHA1: 93b660785a6e89f98d2ef8f4145e916410e7475f
SHA256: 3634048707083bfcd9ab1f27f0bf0420b261eaaa40ecc9c86ef3758262614b7b
SHA512: d569cd8d541639b53fd0ce0724e94bcb137859470a83bcad6dbf142f2d5bd23d741ebdece09bb2c4cf7516c94a2e8c1934bd3bef37b9efb68efbf9eed00932bf
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet / campaign ID: Thank you for installing!
C2: 127.0.0.1:1528
Mutex: 769d5da68f5544d1b5dd487359601c51
reg_key: 769d5da68f5544d1b5dd487359601c51
splitter: |'|'|
Note: the configured C2 is the loopback address (127.0.0.1), so this build cannot reach an external controller from the sandbox; the empty Network section is consistent with that.
Signatures
Executes dropped EXE (1 IoC)
  Processes:
    PID 2044  server.exe
Modifies Windows Firewall (1 TTP, 1 IoC)
Drops startup file (2 IoCs)
  Processes:
    server.exe  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\769d5da68f5544d1b5dd487359601c51.exe
    server.exe  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\769d5da68f5544d1b5dd487359601c51.exe
Loads dropped DLL (1 IoC)
  Processes:
    PID 940  3634048707083bfcd9ab1f27f0bf0420b261eaaa40ecc9c86ef3758262614b7b.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    server.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\769d5da68f5544d1b5dd487359601c51 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
    server.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\769d5da68f5544d1b5dd487359601c51 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (15 IoCs)
  Processes:
    server.exe (PID 2044)  Token: SeDebugPrivilege
    server.exe (PID 2044)  Token: 33  (7 occurrences)
    server.exe (PID 2044)  Token: SeIncBasePriorityPrivilege  (7 occurrences)
Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    PID 940 (3634048707083bfcd9ab1f27f0bf0420b261eaaa40ecc9c86ef3758262614b7b.exe) wrote to memory of PID 2044 (server.exe)  (4 occurrences)
    PID 2044 (server.exe) wrote to memory of PID 1820 (netsh.exe)  (4 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\3634048707083bfcd9ab1f27f0bf0420b261eaaa40ecc9c86ef3758262614b7b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3634048707083bfcd9ab1f27f0bf0420b261eaaa40ecc9c86ef3758262614b7b.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\server.exe  (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe  (child of 2)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 23KB
  MD5: 55bc0ba7e8f548de834a7090d6d08ab4
  SHA1: 93b660785a6e89f98d2ef8f4145e916410e7475f
  SHA256: 3634048707083bfcd9ab1f27f0bf0420b261eaaa40ecc9c86ef3758262614b7b
  SHA512: d569cd8d541639b53fd0ce0724e94bcb137859470a83bcad6dbf142f2d5bd23d741ebdece09bb2c4cf7516c94a2e8c1934bd3bef37b9efb68efbf9eed00932bf
\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 23KB
  MD5: 55bc0ba7e8f548de834a7090d6d08ab4
  SHA1: 93b660785a6e89f98d2ef8f4145e916410e7475f
  SHA256: 3634048707083bfcd9ab1f27f0bf0420b261eaaa40ecc9c86ef3758262614b7b
  SHA512: d569cd8d541639b53fd0ce0724e94bcb137859470a83bcad6dbf142f2d5bd23d741ebdece09bb2c4cf7516c94a2e8c1934bd3bef37b9efb68efbf9eed00932bf
Note: the dropped server.exe has exactly the same MD5, SHA1, SHA256 and SHA512 as the submitted sample, so the "dropped EXE" is a byte-identical copy of the original under %TEMP%, not a distinct second-stage payload.
memory/940-54-0x0000000075941000-0x0000000075943000-memory.dmp
  Filesize: 8KB
memory/940-55-0x00000000745C0000-0x0000000074B6B000-memory.dmp
  Filesize: 5.7MB
memory/940-61-0x00000000745C0000-0x0000000074B6B000-memory.dmp
  Filesize: 5.7MB
memory/1820-63-0x0000000000000000-mapping.dmp
memory/2044-57-0x0000000000000000-mapping.dmp
memory/2044-62-0x00000000745C0000-0x0000000074B6B000-memory.dmp
  Filesize: 5.7MB
memory/2044-65-0x00000000745C0000-0x0000000074B6B000-memory.dmp
  Filesize: 5.7MB