Analysis

- Max time kernel: 151s
- Max time network: 154s
- Platform: windows7_x64
- Resource: win7-20220414-en
- Submitted: 01-07-2022 04:06

Behavioral task: behavioral1
- Sample: b64f61ccdf4556f55023d9a9496dd3292483e572b73497c6ed133e1f386c1dd5.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: b64f61ccdf4556f55023d9a9496dd3292483e572b73497c6ed133e1f386c1dd5.exe
- Resource: win10v2004-20220414-en
General

- Target: b64f61ccdf4556f55023d9a9496dd3292483e572b73497c6ed133e1f386c1dd5.exe
- Size: 23KB
- MD5: 92ff44ccf70cce0f51bdef5df8f6af6f
- SHA1: cd8745d55b3319fa7f9d8f88341db3c1fd56888e
- SHA256: b64f61ccdf4556f55023d9a9496dd3292483e572b73497c6ed133e1f386c1dd5
- SHA512: 6aec74aaeb5b957cf42b707775c0dee758dd5f954369628a2e3ea43ff65c09f062828e5001bc142df908ff92d599c8fb8b1dd3bb4c526508369acb72bd33178d
Malware Config

Extracted family: njrat
- Version: 0.7d
- Campaign ID (botnet name): HacKed (the njRAT builder default)
- C2: 78.140.249.179:1604
- Mutex: fa511642451a8067208694573cee9422
- reg_key: fa511642451a8067208694573cee9422
- splitter: |'|'|

The mutex and reg_key share one value, and the same string reappears below as the name of both Run values, so it doubles as a host IoC. The splitter is the delimiter njRAT places between the fields of every C2 message; the hard-coded string |'|'| is therefore a reliable network signature for this family regardless of the C2 address.
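The following is an added example, not code from the report, the sandbox, or njRAT itself, showing how the splitter and C2 values above are used when parsing the family's C2 traffic. Its assumptions are labelled in the code: that njRAT frames each message as an ASCII decimal length, a NUL byte and the payload; that the login ("ll") message carries a base64 victim ID built from the campaign ID; and the constructed beacon and the "ping" command, which are made up for the test rather than captured traffic.

```python
"""Parse njRAT-style C2 traffic using the splitter and C2 from the extracted config.

Added example (not code from the report, the sandbox, or njRAT). Assumptions:
njRAT frames each message as the ASCII decimal payload length, a NUL byte, then
the payload, and separates fields inside a payload with the configured splitter.
The beacon at the bottom is constructed for the test, not observed traffic.
"""
import base64
import binascii

SPLITTER = b"|'|'|"            # from the extracted config
C2 = ("78.140.249.179", 1604)  # from the extracted config


def frame(payload: bytes) -> bytes:
    """Wrap a payload in the assumed njRAT framing: b"<len>\\x00<payload>"."""
    return b"%d\x00%s" % (len(payload), payload)


def unframe(buf: bytes):
    """Split a TCP byte stream into complete payloads.

    Returns (payloads, remainder). The remainder is an incomplete trailing
    frame; the caller prepends it to the next chunk read from the socket.
    """
    payloads = []
    while True:
        nul = buf.find(b"\x00")
        if nul < 0:                       # length field not finished yet
            return payloads, buf
        length_field = buf[:nul]
        if not length_field.isdigit():
            raise ValueError("bad length prefix: %r" % length_field)
        start, n = nul + 1, int(length_field)
        if len(buf) - start < n:          # payload not finished yet
            return payloads, buf
        payloads.append(buf[start:start + n])
        buf = buf[start + n:]


def parse_message(payload: bytes) -> dict:
    """Split a payload on the splitter; the first field is the command.

    A naive split on "|" would break: the multi-character splitter is what
    lets hostnames, window titles and other data containing "|" survive.
    """
    parts = payload.split(SPLITTER)
    msg = {"cmd": parts[0].decode("latin-1"),
           "fields": [p.decode("latin-1", "replace") for p in parts[1:]]}
    if msg["cmd"] == "ll" and len(parts) > 1:
        # Assumption: in the login ("ll") message the first field is the base64
        # of "<campaign>_<volume serial>", so the campaign ID "HacKed" from the
        # config is recoverable from the very first beacon on the wire.
        try:
            msg["victim_id"] = base64.b64decode(parts[1], validate=True).decode("latin-1")
        except (binascii.Error, ValueError):
            msg["victim_id"] = None
    return msg


# Constructed beacon for the checks below (not observed traffic). The hostname
# deliberately contains "|" to show why the splitter matters.
VICTIM_ID = b"HacKed_0CCC0FB0"
SAMPLE_LOGIN = SPLITTER.join([
    b"ll", base64.b64encode(VICTIM_ID), b"WIN-7PC|lab", b"Admin",
    b"22-07-01", b"No", b"0.7d", b"Win 7 Professional SP1 x64", b"..", b"",
])
SAMPLE_STREAM = frame(SAMPLE_LOGIN) + frame(b"ping")   # "ping" is made up
```

Feeding SAMPLE_STREAM through unframe() and parse_message() yields the login command, the decoded victim ID starting with the campaign ID, and the version field 0.7d; feeding only the first 20 bytes returns no message and the bytes untouched, which is the behaviour a network sensor needs when frames straddle TCP segments.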
Signatures

- Executes dropped EXE (1 IoC)
  Process: PID 756 server.exe

- Modifies Windows Firewall (1 TTP, 1 IoC)
  See the netsh.exe command line under Processes below.

- Loads dropped DLL (1 IoC)
  Process: PID 1444 b64f61ccdf4556f55023d9a9496dd3292483e572b73497c6ed133e1f386c1dd5.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: server.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\fa511642451a8067208694573cee9422 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fa511642451a8067208694573cee9422 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
  The value name is the reg_key from the extracted config, and the data ends with the " .." argument that njRAT appends to its own Run entries, a useful hunt string. Both the per-user and the machine-wide Run keys were written (the latter under Wow6432Node, the 32-bit view on this x64 host).

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic text adds "Likely ransomware behaviour", but nothing else in this report supports that: the only dropped file recorded is server.exe and no renamed or encrypted files appear. For njRAT, drive enumeration is consistent with its removable-drive spreading option, so treat this as a propagation indicator rather than encryption.

- Suspicious use of AdjustPrivilegeToken (17 IoCs)
  Process: PID 756 server.exe
  Token: SeDebugPrivilege (once), followed by eight alternating pairs of Token: 33 and Token: SeIncBasePriorityPrivilege.
  Privilege LUID 33 is SeIncWorkingSetPrivilege; 33/SeIncBasePriorityPrivilege pairs are routinely seen from .NET executables adjusting their own priority and carry little signal. The single SeDebugPrivilege request is the item worth noting.

- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1444 (b64f61ccdf4556f55023d9a9496dd3292483e572b73497c6ed133e1f386c1dd5.exe) wrote to memory of PID 756 (server.exe), 4 times
  PID 756 (server.exe) wrote to memory of PID 1764 (netsh.exe), 4 times
  Each pair is a parent writing into a child it has just created (compare the Processes tree), which is part of normal process creation; no write into an unrelated process was recorded, so this is not evidence of injection.
Processes

C:\Users\Admin\AppData\Local\Temp\b64f61ccdf4556f55023d9a9496dd3292483e572b73497c6ed133e1f386c1dd5.exe (PID 1444)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b64f61ccdf4556f55023d9a9496dd3292483e572b73497c6ed133e1f386c1dd5.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\server.exe (PID 756, child of 1444)
    Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe (PID 1764, child of 756)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      - Modifies Windows Firewall

The netsh call uses the legacy "netsh firewall" context (deprecated since Windows Vista in favour of "netsh advfirewall", but still accepted on Windows 7) to add server.exe as an allowed program, so inbound connections to the implant are not blocked by the host firewall. The chain is the classic njRAT pattern: the dropper writes a copy of itself to %TEMP% as server.exe, launches it, and the copy sets persistence and opens the firewall.
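As an added example (not code from the report or the sandbox), the process tree above translated into hunting logic over Sysmon-style events. The event lines are constructed to mirror the report's IoCs, not real telemetry, and the field names (EventID, Image, CommandLine, ParentImage, TargetObject, Details) follow Sysmon's schema. The rules generalise beyond this sample: they also match the newer "netsh advfirewall firewall add rule" syntax, RunOnce, and both HKCU and HKLM Run keys.

```python
"""Hunt for the njRAT persistence and firewall-exception pattern in Sysmon-style events.

Added example, not from the report or the sandbox. SAMPLE_LOG below is constructed
to mirror the report's process tree and registry IoCs; it is not real telemetry.
"""
import json
import re

# User- or system-writable temp directories an implant typically drops into.
TEMP_PATH = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.I)
# HKCU/HKLM Run and RunOnce, including the Wow6432Node view used on x64 hosts.
RUN_KEY = re.compile(
    r"\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Legacy "netsh firewall add allowedprogram" (seen in the report) and the
# advfirewall equivalent that newer samples use (generalisation).
NETSH_ALLOW = re.compile(
    r"\bnetsh(\.exe)?\b.*?\b(firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)\b",
    re.I)


def rule_firewall_exception_for_temp_binary(ev: dict) -> bool:
    """Sysmon event 1: netsh adding a firewall exception for a temp-dir executable."""
    if ev.get("EventID") != 1:
        return False
    cl = ev.get("CommandLine", "")
    return bool(NETSH_ALLOW.search(cl) and TEMP_PATH.search(cl))


def rule_run_key_to_temp_binary(ev: dict) -> bool:
    """Sysmon event 13: Run/RunOnce value whose data points into a temp dir."""
    if ev.get("EventID") != 13:
        return False
    return bool(RUN_KEY.search(ev.get("TargetObject", ""))
                and TEMP_PATH.search(ev.get("Details", "")))


def rule_temp_exe_spawns_temp_exe(ev: dict) -> bool:
    """Sysmon event 1: an executable in a temp dir launching another one (dropper -> copy)."""
    if ev.get("EventID") != 1:
        return False
    return bool(TEMP_PATH.search(ev.get("ParentImage", ""))
                and TEMP_PATH.search(ev.get("Image", "")))


RULES = (rule_firewall_exception_for_temp_binary,
         rule_run_key_to_temp_binary,
         rule_temp_exe_spawns_temp_exe)


def hunt(lines):
    """Return (rule name, ProcessId) for every JSON event line a rule matches."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        for rule in RULES:
            if rule(ev):
                hits.append((rule.__name__, ev.get("ProcessId")))
    return hits


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SID = "S-1-5-21-1083475884-596052423-1669053738-1000"
# Constructed events: the first four mirror the report, the last two are benign decoys.
EVENTS = [
    {"EventID": 1, "ProcessId": 756, "Image": TEMP + r"\server.exe",
     "CommandLine": '"' + TEMP + r'\server.exe"',
     "ParentImage": TEMP + r"\b64f61ccdf4556f55023d9a9496dd3292483e572b73497c6ed133e1f386c1dd5.exe"},
    {"EventID": 13, "ProcessId": 756, "Image": TEMP + r"\server.exe",
     "TargetObject": r"HKU\%s\Software\Microsoft\Windows\CurrentVersion\Run\fa511642451a8067208694573cee9422" % SID,
     "Details": '"' + TEMP + r'\server.exe" ..'},
    {"EventID": 13, "ProcessId": 756, "Image": TEMP + r"\server.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fa511642451a8067208694573cee9422",
     "Details": '"' + TEMP + r'\server.exe" ..'},
    {"EventID": 1, "ProcessId": 1764, "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "CommandLine": 'netsh firewall add allowedprogram "' + TEMP + r'\server.exe" "server.exe" ENABLE',
     "ParentImage": TEMP + r"\server.exe"},
    {"EventID": 1, "ProcessId": 2000, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh interface show interface", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 13, "ProcessId": 2100, "Image": r"C:\Program Files\Vendor\Setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\Updater.exe"},
]
SAMPLE_LOG = [json.dumps(e) for e in EVENTS]
```

Running hunt(SAMPLE_LOG) fires the temp-to-temp rule on PID 756, the Run-key rule twice on PID 756 (HKU and HKLM Wow6432Node), and the firewall rule on PID 1764, while the benign netsh query and the Program Files Run entry stay silent. The three rules are deliberately independent so that any one of them is a useful alert; together they reconstruct the tree the sandbox recorded.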
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

Dropped file: server.exe
- Paths: C:\Users\Admin\AppData\Local\Temp\server.exe (listed twice in the original report) and \Users\Admin\AppData\Local\Temp\server.exe
- Filesize: 23KB
- MD5: 92ff44ccf70cce0f51bdef5df8f6af6f
- SHA1: cd8745d55b3319fa7f9d8f88341db3c1fd56888e
- SHA256: b64f61ccdf4556f55023d9a9496dd3292483e572b73497c6ed133e1f386c1dd5
- SHA512: 6aec74aaeb5b957cf42b707775c0dee758dd5f954369628a2e3ea43ff65c09f062828e5001bc142df908ff92d599c8fb8b1dd3bb4c526508369acb72bd33178d

All four hashes match the submitted sample exactly: server.exe is a byte-for-byte copy of the original binary, which is how njRAT installs itself. One hash set therefore covers both the delivered file and the persisted one, and a file-hash block on the sample also blocks the %TEMP% copy.

Memory dumps
- memory/756-57-0x0000000000000000-mapping.dmp (PID 756, mapping)
- memory/756-62-0x00000000741D0000-0x000000007477B000-memory.dmp, 5.7MB
- memory/756-65-0x00000000741D0000-0x000000007477B000-memory.dmp, 5.7MB
- memory/1444-54-0x0000000075DE1000-0x0000000075DE3000-memory.dmp, 8KB
- memory/1444-55-0x00000000741D0000-0x000000007477B000-memory.dmp, 5.7MB
- memory/1444-61-0x00000000741D0000-0x000000007477B000-memory.dmp, 5.7MB
- memory/1764-63-0x0000000000000000-mapping.dmp (PID 1764, mapping)

The same 5.7MB region at 0x741D0000-0x7477B000 appears in both the dropper (PID 1444) and its copy (PID 756), consistent with a shared runtime library mapped at the same base in both 32-bit processes; it is not a second payload.