Analysis
- max time kernel: 150s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220715-en
- resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
- submitted: 31-07-2022 07:00
Behavioral task: behavioral1
- Sample: b964a66b64e28d8af593c38e39c2aec483d687593ebe64a04aecc5326f34b31b.exe
- Resource: win7-20220715-en
General
- Target: b964a66b64e28d8af593c38e39c2aec483d687593ebe64a04aecc5326f34b31b.exe
- Size: 93KB
- MD5: 3ba6a42a36a167bde629b4e8dcc8ff95
- SHA1: b49aa395634d434a84a264d50037a17281e2a9f4
- SHA256: b964a66b64e28d8af593c38e39c2aec483d687593ebe64a04aecc5326f34b31b
- SHA512: 59776c41762279b98737521b59d2c5ef8c4d3384465c061c1b041c5675ba6af0ac6f00e548d69a021a34bd903d5131e7971051b1ef34f6f3f071832767bf8503
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: FRANSESCOTI3LjAuFRANSESCOC4x:MTYwNA==
- Mutex: 6e03cdb684215a5d1cd8a13afcd46ec0
- reg_key: 6e03cdb684215a5d1cd8a13afcd46ec0
- splitter: |'|'|
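The extracted C2 value is not a plain host:port pair. Its port half, MTYwNA==, is ordinary base64 for 1604, njRAT's default port. The host half turns into the valid base64 string MTI3LjAuMC4x (which decodes to 127.0.0.1) if every occurrence of FRANSESCO is read as a stand-in for the letter M. The decoder below is an added example and is not part of the sandbox report or of any njRAT tooling; the M-to-FRANSESCO substitution is an assumption inferred from this single string, and the loopback address it yields would be consistent with a builder-default or test configuration rather than a live controller. Function names and constants are this example's own.

```python
import base64
import binascii
from typing import Optional, Tuple

# C2 value exactly as the sandbox extracted it from this sample.
RAW_C2 = "FRANSESCOTI3LjAuFRANSESCOC4x:MTYwNA=="

# ASSUMPTION (not stated by the report): the builder swapped the base64
# letter "M" for the token "FRANSESCO" in the host field. Putting "M" back
# yields "MTI3LjAuMC4x", which is valid base64.
OBFUSCATION_TOKEN = "FRANSESCO"
REPLACED_CHAR = "M"


def _try_b64_ascii(s: str) -> Optional[str]:
    """Decode s as base64 if it decodes to printable ASCII, else None.

    Missing '=' padding is tolerated; characters outside the base64
    alphabet or any non-printable output mean 'this is not base64'.
    """
    padded = s + "=" * (-len(s) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except binascii.Error:
        return None
    if not raw or any(b < 0x20 or b > 0x7E for b in raw):
        return None
    return raw.decode("ascii")


def deobfuscate(field: str, token: str = OBFUSCATION_TOKEN,
                char: str = REPLACED_CHAR) -> str:
    """Undo the assumed token-for-character substitution and base64-decode
    the result when it is base64; otherwise return the field untouched
    (unmodified njRAT builds store a plain host name here)."""
    candidate = field.replace(token, char)
    return _try_b64_ascii(candidate) or field


def decode_c2(raw: str) -> Tuple[str, int]:
    """Split an njRAT 'host:port' C2 field and decode both halves."""
    host_part, sep, port_part = raw.rpartition(":")
    if not sep:
        raise ValueError("C2 field is not host:port")
    host = deobfuscate(host_part)
    port_text = deobfuscate(port_part)
    if not port_text.isdigit() or not 0 < int(port_text) < 65536:
        raise ValueError(f"port does not decode to a TCP port: {port_text!r}")
    return host, int(port_text)


if __name__ == "__main__":
    host, port = decode_c2(RAW_C2)
    print(f"host={host} port={port}")
```

Because the decode is a heuristic (a short plain host name can by accident be valid base64), confirm the result against the sample's own strings or a network capture before acting on it.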
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 988 server.exe
- Modifies Windows Firewall (1 TTP, 3 IoCs)
  Processes: PID 1760 netsh.exe, PID 1196 netsh.exe, PID 1880 netsh.exe
- Drops startup file (4 IoCs)
  Process server.exe:
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e03cdb684215a5d1cd8a13afcd46ec0Windows Update.exe
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e03cdb684215a5d1cd8a13afcd46ec0Windows Update.exe
- Loads dropped DLL (2 IoCs)
  Processes: PID 1112 b964a66b64e28d8af593c38e39c2aec483d687593ebe64a04aecc5326f34b31b.exe (2 events)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox tags this "likely ransomware behaviour", but that is a generic heuristic attached to the signature, not a finding about this sample: njRAT builds commonly enumerate drives for their removable-media spreading option, and nothing else in this report (no mass file writes, no ransom note, no encryption-related activity) points to ransomware. Read it as drive enumeration.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: PID 988 server.exe (64 events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: PID 988 server.exe
- Suspicious use of AdjustPrivilegeToken (13 IoCs)
  Process server.exe (PID 988): Token: SeDebugPrivilege once, followed by six repetitions of the pair Token: 33 / Token: SeIncBasePriorityPrivilege. The sandbox leaves 33 unnamed; if it is a privilege LUID, 33 is SeIncreaseWorkingSetPrivilege (SE_INC_WORKING_SET_PRIVILEGE in winnt.h).
- Suspicious use of WriteProcessMemory (16 IoCs)
  - PID 1112 b964a66b64e28d8af593c38e39c2aec483d687593ebe64a04aecc5326f34b31b.exe wrote to memory of PID 988 server.exe (4 events)
  - PID 988 server.exe wrote to memory of PID 1760 netsh.exe (4 events)
  - PID 988 server.exe wrote to memory of PID 1880 netsh.exe (4 events)
  - PID 988 server.exe wrote to memory of PID 1196 netsh.exe (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\b964a66b64e28d8af593c38e39c2aec483d687593ebe64a04aecc5326f34b31b.exe (PID 1112, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b964a66b64e28d8af593c38e39c2aec483d687593ebe64a04aecc5326f34b31b.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\server.exe (PID 988, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - Executes dropped EXE
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (level 3)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      - Modifies Windows Firewall
    - C:\Windows\SysWOW64\netsh.exe (level 3)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      - Modifies Windows Firewall
    - C:\Windows\SysWOW64\netsh.exe (level 3)
      Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Modifies Windows Firewall
The two add calls followed by a delete match njRAT's habit of whitelisting its own executable in the Windows Firewall on start-up and removing the exception again when the process exits. All three commands use the legacy "netsh firewall" context, which still works on the Windows 7 image used here.
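The tree above is the chain a detection engineer would want to catch: a binary in %TEMP% spawning a second binary in %TEMP%, that child writing executables into the user's Startup folder, and the same child running netsh firewall add allowedprogram to whitelist itself before later deleting the exception. The following is an added example, not part of the sandbox report or of any vendor product: a small rule set evaluated over process-creation and file-creation records. The records are constructed from this report's process tree and "Drops startup file" IoCs, and the record fields, rule names and the benign control event are this example's own.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

SAMPLE = "b964a66b64e28d8af593c38e39c2aec483d687593ebe64a04aecc5326f34b31b.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Records constructed from the report's process tree and startup-file IoCs.
# Field names (type/pid/ppid/image/cmdline/path) are this example's own.
EVENTS: List[Dict] = [
    {"type": "process", "pid": 1112, "ppid": 0, "image": TEMP + "\\" + SAMPLE,
     "cmdline": f'"{TEMP}\\{SAMPLE}"'},
    {"type": "process", "pid": 988, "ppid": 1112, "image": TEMP + r"\server.exe",
     "cmdline": f'"{TEMP}\\server.exe"'},
    {"type": "process", "pid": 1760, "ppid": 988, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": f'netsh firewall add allowedprogram "{TEMP}\\server.exe" "server.exe" ENABLE'},
    {"type": "process", "pid": 1880, "ppid": 988, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": f'netsh firewall add allowedprogram "{TEMP}\\server.exe" "server.exe" ENABLE'},
    {"type": "process", "pid": 1196, "ppid": 988, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": f'netsh firewall delete allowedprogram "{TEMP}\\server.exe"'},
    {"type": "file", "pid": 988, "path": STARTUP + r"\Microsoft Corporation.exe"},
    {"type": "file", "pid": 988,
     "path": STARTUP + r"\6e03cdb684215a5d1cd8a13afcd46ec0Windows Update.exe"},
]

# Constructed benign control: a firewall exception for a Program Files binary.
BENIGN_EVENTS: List[Dict] = [
    {"type": "process", "pid": 500, "ppid": 1, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Program Files\Vendor\app.exe" "app" ENABLE'},
]

# Locations a standard user can write to without elevation.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData\\(?:Local\\Temp|Roaming)|Downloads)\\", re.I)
STARTUP_EXE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
# Legacy "netsh firewall" syntax; the program path may be quoted or bare.
FW_ADD = re.compile(
    r'netsh\s+firewall\s+add\s+allowedprogram\s+(?:program=)?(?:"([^"]+)"|(\S+))', re.I)
FW_DEL = re.compile(
    r'netsh\s+firewall\s+delete\s+allowedprogram\s+(?:program=)?(?:"([^"]+)"|(\S+))', re.I)

Finding = Tuple[str, int, str]  # (rule name, pid, detail)


def analyze(events: List[Dict]) -> List[Finding]:
    """Run the rules over a batch of records and return every hit."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings: List[Finding] = []
    for e in events:
        if e["type"] == "file":
            if STARTUP_EXE.search(e["path"]):
                findings.append(("startup_folder_exe_dropped", e["pid"], e["path"]))
            continue
        parent = procs.get(e["ppid"])
        m = FW_ADD.search(e["cmdline"])
        if m:
            prog = m.group(1) or m.group(2)
            # An exception for a binary in Temp/Roaming is the malware case;
            # the same command for Program Files is routine installer noise.
            if USER_WRITABLE.search(prog):
                findings.append(("firewall_exception_for_user_writable_exe", e["pid"], prog))
        m = FW_DEL.search(e["cmdline"])
        if m:
            findings.append(("firewall_exception_removed", e["pid"], m.group(1) or m.group(2)))
        if parent and USER_WRITABLE.search(parent["image"]):
            if e["image"].lower().endswith("\\netsh.exe"):
                findings.append(("user_writable_parent_runs_netsh", e["pid"], parent["image"]))
            if USER_WRITABLE.search(e["image"]):
                findings.append(("user_writable_parent_spawns_user_writable_child",
                                 e["pid"], e["image"]))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Hit count per rule, convenient for a quick triage view."""
    return dict(Counter(rule for rule, _, _ in findings))


if __name__ == "__main__":
    for rule, pid, detail in analyze(EVENTS):
        print(f"{rule:48} pid={pid:<5} {detail}")
    print(summarize(analyze(EVENTS)))
```

The same regexes transfer directly to Sysmon Event ID 1 (CommandLine, ParentImage) and Event ID 11 (TargetFilename) fields; the parent-image rules are the ones that stay quiet on ordinary installers, because those are launched from an elevated installer under Program Files or from explorer.exe, not from a binary in the user's Temp directory.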
Downloads
- C:\Users\Admin\AppData\Local\Temp\server.exe (the report lists this file four times, twice under C:\Users\Admin\AppData\Local\Temp\server.exe and twice under \Users\Admin\AppData\Local\Temp\server.exe, all with identical hashes)
  - Filesize: 93KB
  - MD5: 3ba6a42a36a167bde629b4e8dcc8ff95
  - SHA1: b49aa395634d434a84a264d50037a17281e2a9f4
  - SHA256: b964a66b64e28d8af593c38e39c2aec483d687593ebe64a04aecc5326f34b31b
  - SHA512: 59776c41762279b98737521b59d2c5ef8c4d3384465c061c1b041c5675ba6af0ac6f00e548d69a021a34bd903d5131e7971051b1ef34f6f3f071832767bf8503
  These hashes are the submitted sample's own (compare the General section), so server.exe is a byte-for-byte copy of the original written to the user's Temp directory and executed from there; there is no second-stage payload to extract from it.
- C:\Users\Admin\AppData\Roaming\app
  - Filesize: 5B
  - MD5: 850ad04adc35f6ec7809f0f70de8300c
  - SHA1: 06387beffabdf4ea012664a1d2693862a5e5a181
  - SHA256: 59f6eeca3c022531b409b0dc1ea7c1d244ecc7af5b67a5600470b59cdbc04abe
  - SHA512: fca8d80dcdc3a14a04e5ae665dfae9c7b915d4b52b6a24b271d4ad67d9c72c2485815dcb097721d952458857eda8c0edac23f997486a3a1936693b1a5bb35532
- memory/988-59-0x0000000000000000-mapping.dmp
- memory/988-65-0x0000000074080000-0x000000007462B000-memory.dmp (5.7MB)
- memory/988-67-0x0000000074080000-0x000000007462B000-memory.dmp (5.7MB)
- memory/1112-54-0x0000000075681000-0x0000000075683000-memory.dmp (8KB)
- memory/1112-56-0x0000000074080000-0x000000007462B000-memory.dmp (5.7MB)
- memory/1112-55-0x0000000074080000-0x000000007462B000-memory.dmp (5.7MB)
- memory/1112-64-0x0000000074080000-0x000000007462B000-memory.dmp (5.7MB)
- memory/1196-69-0x0000000000000000-mapping.dmp
- memory/1760-66-0x0000000000000000-mapping.dmp
- memory/1880-68-0x0000000000000000-mapping.dmp