Analysis
-
max time kernel
149s -
max time network
49s -
platform
windows7_x64 -
resource
win7-20220715-en -
resource tags
arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system -
submitted
31-07-2022 21:19
Behavioral task
behavioral1
Sample
5e220b16575e55b589df04d15e2806160345f4d588bc659be5f3090919dd4be5.exe
Resource
win7-20220715-en
Behavioral task
behavioral2
Sample
5e220b16575e55b589df04d15e2806160345f4d588bc659be5f3090919dd4be5.exe
Resource
win10v2004-20220721-en
General
-
Target
5e220b16575e55b589df04d15e2806160345f4d588bc659be5f3090919dd4be5.exe
-
Size
28KB
-
MD5
09d9d38a61ca864ddca8c576b9a3526f
-
SHA1
03df810dc2f1b2bfd240a6532cd36e0965fa8dc8
-
SHA256
5e220b16575e55b589df04d15e2806160345f4d588bc659be5f3090919dd4be5
-
SHA512
ab950d0ab1567f7dac126d275797c7be2ba3b017b5c2a2cf4361dc675bd62631f6e65c5e3a37ab1d01d24fbbf085777d46be2bfe447f5cf53ad7c9a7d87b7c5b
Malware Config
Extracted
njrat
0.7d
HacKed
127.0.0.1:1177
212683d986fb740ad6a40184df48e604
-
reg_key
212683d986fb740ad6a40184df48e604
-
splitter
|'|'|
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
server.exepid process 2000 server.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Loads dropped DLL 1 IoCs
Processes:
5e220b16575e55b589df04d15e2806160345f4d588bc659be5f3090919dd4be5.exepid process 1752 5e220b16575e55b589df04d15e2806160345f4d588bc659be5f3090919dd4be5.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
server.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\212683d986fb740ad6a40184df48e604 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe Set value (str) \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\212683d986fb740ad6a40184df48e604 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
Processes:
server.exedescription pid process Token: SeDebugPrivilege 2000 server.exe Token: 33 2000 server.exe Token: SeIncBasePriorityPrivilege 2000 server.exe Token: 33 2000 server.exe Token: SeIncBasePriorityPrivilege 2000 server.exe Token: 33 2000 server.exe Token: SeIncBasePriorityPrivilege 2000 server.exe Token: 33 2000 server.exe Token: SeIncBasePriorityPrivilege 2000 server.exe Token: 33 2000 server.exe Token: SeIncBasePriorityPrivilege 2000 server.exe Token: 33 2000 server.exe Token: SeIncBasePriorityPrivilege 2000 server.exe Token: 33 2000 server.exe Token: SeIncBasePriorityPrivilege 2000 server.exe Token: 33 2000 server.exe Token: SeIncBasePriorityPrivilege 2000 server.exe Token: 33 2000 server.exe Token: SeIncBasePriorityPrivilege 2000 server.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
5e220b16575e55b589df04d15e2806160345f4d588bc659be5f3090919dd4be5.exeserver.exedescription pid process target process PID 1752 wrote to memory of 2000 1752 5e220b16575e55b589df04d15e2806160345f4d588bc659be5f3090919dd4be5.exe server.exe PID 1752 wrote to memory of 2000 1752 5e220b16575e55b589df04d15e2806160345f4d588bc659be5f3090919dd4be5.exe server.exe PID 1752 wrote to memory of 2000 1752 5e220b16575e55b589df04d15e2806160345f4d588bc659be5f3090919dd4be5.exe server.exe PID 1752 wrote to memory of 2000 1752 5e220b16575e55b589df04d15e2806160345f4d588bc659be5f3090919dd4be5.exe server.exe PID 2000 wrote to memory of 1208 2000 server.exe netsh.exe PID 2000 wrote to memory of 1208 2000 server.exe netsh.exe PID 2000 wrote to memory of 1208 2000 server.exe netsh.exe PID 2000 wrote to memory of 1208 2000 server.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5e220b16575e55b589df04d15e2806160345f4d588bc659be5f3090919dd4be5.exe"C:\Users\Admin\AppData\Local\Temp\5e220b16575e55b589df04d15e2806160345f4d588bc659be5f3090919dd4be5.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
PID:1208
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\server.exeFilesize
28KB
MD509d9d38a61ca864ddca8c576b9a3526f
SHA103df810dc2f1b2bfd240a6532cd36e0965fa8dc8
SHA2565e220b16575e55b589df04d15e2806160345f4d588bc659be5f3090919dd4be5
SHA512ab950d0ab1567f7dac126d275797c7be2ba3b017b5c2a2cf4361dc675bd62631f6e65c5e3a37ab1d01d24fbbf085777d46be2bfe447f5cf53ad7c9a7d87b7c5b
-
C:\Users\Admin\AppData\Local\Temp\server.exeFilesize
28KB
MD509d9d38a61ca864ddca8c576b9a3526f
SHA103df810dc2f1b2bfd240a6532cd36e0965fa8dc8
SHA2565e220b16575e55b589df04d15e2806160345f4d588bc659be5f3090919dd4be5
SHA512ab950d0ab1567f7dac126d275797c7be2ba3b017b5c2a2cf4361dc675bd62631f6e65c5e3a37ab1d01d24fbbf085777d46be2bfe447f5cf53ad7c9a7d87b7c5b
-
\Users\Admin\AppData\Local\Temp\server.exeFilesize
28KB
MD509d9d38a61ca864ddca8c576b9a3526f
SHA103df810dc2f1b2bfd240a6532cd36e0965fa8dc8
SHA2565e220b16575e55b589df04d15e2806160345f4d588bc659be5f3090919dd4be5
SHA512ab950d0ab1567f7dac126d275797c7be2ba3b017b5c2a2cf4361dc675bd62631f6e65c5e3a37ab1d01d24fbbf085777d46be2bfe447f5cf53ad7c9a7d87b7c5b
-
memory/1208-63-0x0000000000000000-mapping.dmp
-
memory/1752-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmpFilesize
8KB
-
memory/1752-55-0x0000000074C30000-0x00000000751DB000-memory.dmpFilesize
5.7MB
-
memory/1752-61-0x0000000074C30000-0x00000000751DB000-memory.dmpFilesize
5.7MB
-
memory/2000-57-0x0000000000000000-mapping.dmp
-
memory/2000-62-0x0000000074C30000-0x00000000751DB000-memory.dmpFilesize
5.7MB
-
memory/2000-65-0x0000000074C30000-0x00000000751DB000-memory.dmpFilesize
5.7MB