Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20220715-en -
resource tags
arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system -
submitted
04-08-2022 21:28
Behavioral task
behavioral1
Sample
DangerousPayload.exe
Resource
win7-20220715-en
Behavioral task
behavioral2
Sample
DangerousPayload.exe
Resource
win10v2004-20220721-en
General
-
Target
DangerousPayload.exe
-
Size
37KB
-
MD5
9bbb2f1dc80afe6ecf27b31794a02d32
-
SHA1
bac66f84175fe186c478a340c2f31fde5f57d980
-
SHA256
7aa11361505f0ea1e8bf02e1529a5104f8186da3d52f26409281f6d4783bc77f
-
SHA512
341ff7add58a74c3aef78340e6c44ae05b8c8b0ba16c0d3d20a668f2923550faee171563bc8541ff0ef956002609bdda4337a484d470fca6528237bc170aac3e
Malware Config
Extracted
njrat
im523
HacKed
susiahat24199a.ddns.net:5552
b94fe95343d85bb18dd50d099af4eb73
-
reg_key
b94fe95343d85bb18dd50d099af4eb73
-
splitter
|'|'|
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
server.exepid process 2044 server.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Drops startup file 2 IoCs
Processes:
server.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b94fe95343d85bb18dd50d099af4eb73.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b94fe95343d85bb18dd50d099af4eb73.exe server.exe -
Loads dropped DLL 1 IoCs
Processes:
DangerousPayload.exepid process 2004 DangerousPayload.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
server.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\b94fe95343d85bb18dd50d099af4eb73 = "\"C:\\Users\\Admin\\server.exe\" .." server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\b94fe95343d85bb18dd50d099af4eb73 = "\"C:\\Users\\Admin\\server.exe\" .." server.exe -
Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
server.exedescription ioc process File created C:\autorun.inf server.exe File opened for modification C:\autorun.inf server.exe File created D:\autorun.inf server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 1412 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
server.exepid process 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe 2044 server.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
server.exepid process 2044 server.exe -
Suspicious use of AdjustPrivilegeToken 22 IoCs
Processes:
server.exetaskkill.exedescription pid process Token: SeDebugPrivilege 2044 server.exe Token: SeDebugPrivilege 1412 taskkill.exe Token: 33 2044 server.exe Token: SeIncBasePriorityPrivilege 2044 server.exe Token: 33 2044 server.exe Token: SeIncBasePriorityPrivilege 2044 server.exe Token: 33 2044 server.exe Token: SeIncBasePriorityPrivilege 2044 server.exe Token: 33 2044 server.exe Token: SeIncBasePriorityPrivilege 2044 server.exe Token: 33 2044 server.exe Token: SeIncBasePriorityPrivilege 2044 server.exe Token: 33 2044 server.exe Token: SeIncBasePriorityPrivilege 2044 server.exe Token: 33 2044 server.exe Token: SeIncBasePriorityPrivilege 2044 server.exe Token: 33 2044 server.exe Token: SeIncBasePriorityPrivilege 2044 server.exe Token: 33 2044 server.exe Token: SeIncBasePriorityPrivilege 2044 server.exe Token: 33 2044 server.exe Token: SeIncBasePriorityPrivilege 2044 server.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
DangerousPayload.exeserver.exedescription pid process target process PID 2004 wrote to memory of 2044 2004 DangerousPayload.exe server.exe PID 2004 wrote to memory of 2044 2004 DangerousPayload.exe server.exe PID 2004 wrote to memory of 2044 2004 DangerousPayload.exe server.exe PID 2004 wrote to memory of 2044 2004 DangerousPayload.exe server.exe PID 2044 wrote to memory of 1648 2044 server.exe netsh.exe PID 2044 wrote to memory of 1648 2044 server.exe netsh.exe PID 2044 wrote to memory of 1648 2044 server.exe netsh.exe PID 2044 wrote to memory of 1648 2044 server.exe netsh.exe PID 2044 wrote to memory of 1412 2044 server.exe taskkill.exe PID 2044 wrote to memory of 1412 2044 server.exe taskkill.exe PID 2044 wrote to memory of 1412 2044 server.exe taskkill.exe PID 2044 wrote to memory of 1412 2044 server.exe taskkill.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\DangerousPayload.exe"C:\Users\Admin\AppData\Local\Temp\DangerousPayload.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Users\Admin\server.exe"C:\Users\Admin\server.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
PID:1648 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM System32.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1412
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\server.exeFilesize
37KB
MD59bbb2f1dc80afe6ecf27b31794a02d32
SHA1bac66f84175fe186c478a340c2f31fde5f57d980
SHA2567aa11361505f0ea1e8bf02e1529a5104f8186da3d52f26409281f6d4783bc77f
SHA512341ff7add58a74c3aef78340e6c44ae05b8c8b0ba16c0d3d20a668f2923550faee171563bc8541ff0ef956002609bdda4337a484d470fca6528237bc170aac3e
-
C:\Users\Admin\server.exeFilesize
37KB
MD59bbb2f1dc80afe6ecf27b31794a02d32
SHA1bac66f84175fe186c478a340c2f31fde5f57d980
SHA2567aa11361505f0ea1e8bf02e1529a5104f8186da3d52f26409281f6d4783bc77f
SHA512341ff7add58a74c3aef78340e6c44ae05b8c8b0ba16c0d3d20a668f2923550faee171563bc8541ff0ef956002609bdda4337a484d470fca6528237bc170aac3e
-
\Users\Admin\server.exeFilesize
37KB
MD59bbb2f1dc80afe6ecf27b31794a02d32
SHA1bac66f84175fe186c478a340c2f31fde5f57d980
SHA2567aa11361505f0ea1e8bf02e1529a5104f8186da3d52f26409281f6d4783bc77f
SHA512341ff7add58a74c3aef78340e6c44ae05b8c8b0ba16c0d3d20a668f2923550faee171563bc8541ff0ef956002609bdda4337a484d470fca6528237bc170aac3e
-
memory/1412-64-0x0000000000000000-mapping.dmp
-
memory/1648-63-0x0000000000000000-mapping.dmp
-
memory/2004-54-0x00000000765D1000-0x00000000765D3000-memory.dmpFilesize
8KB
-
memory/2004-55-0x0000000074970000-0x0000000074F1B000-memory.dmpFilesize
5.7MB
-
memory/2004-61-0x0000000074970000-0x0000000074F1B000-memory.dmpFilesize
5.7MB
-
memory/2044-57-0x0000000000000000-mapping.dmp
-
memory/2044-62-0x0000000074970000-0x0000000074F1B000-memory.dmpFilesize
5.7MB
-
memory/2044-66-0x0000000074970000-0x0000000074F1B000-memory.dmpFilesize
5.7MB