Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system -
submitted
05-08-2022 07:31
Behavioral task
behavioral1
Sample
dssddsdsdser.exe
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
dssddsdsdser.exe
Resource
win10v2004-20220721-en
General
-
Target
dssddsdsdser.exe
-
Size
37KB
-
MD5
9949e4b8b759ca8bc677f46cf19cf541
-
SHA1
a74bc5fe4c4999a8e3c93e26f76403f601ad1116
-
SHA256
f4d0a71613ef44605049f708e224f93b96846174565eeaf3c857f18af58f5f6a
-
SHA512
85c7bbccd80a84a5c662774fe1ca14a5e1229eb51bec79696270108b222fafd99c6d596cca33985cf0c2e50f23c27940647ca2524c392fc9d8bbf783c5704c78
Malware Config
Extracted
njrat
im523
HacKed
susiahat24199a.ddns.net:5552
b94fe95343d85bb18dd50d099af4eb73
-
reg_key
b94fe95343d85bb18dd50d099af4eb73
-
splitter
|'|'|
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
server.exepid process 1880 server.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
dssddsdsdser.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation dssddsdsdser.exe -
Drops startup file 2 IoCs
Processes:
server.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b94fe95343d85bb18dd50d099af4eb73.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b94fe95343d85bb18dd50d099af4eb73.exe server.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
server.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b94fe95343d85bb18dd50d099af4eb73 = "\"C:\\Users\\Admin\\server.exe\" .." server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b94fe95343d85bb18dd50d099af4eb73 = "\"C:\\Users\\Admin\\server.exe\" .." server.exe -
Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
server.exedescription ioc process File created D:\autorun.inf server.exe File created C:\autorun.inf server.exe File opened for modification C:\autorun.inf server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 3744 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
server.exepid process 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe 1880 server.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
server.exepid process 1880 server.exe -
Suspicious use of AdjustPrivilegeToken 36 IoCs
Processes:
server.exetaskkill.exedescription pid process Token: SeDebugPrivilege 1880 server.exe Token: SeDebugPrivilege 3744 taskkill.exe Token: 33 1880 server.exe Token: SeIncBasePriorityPrivilege 1880 server.exe Token: 33 1880 server.exe Token: SeIncBasePriorityPrivilege 1880 server.exe Token: 33 1880 server.exe Token: SeIncBasePriorityPrivilege 1880 server.exe Token: 33 1880 server.exe Token: SeIncBasePriorityPrivilege 1880 server.exe Token: 33 1880 server.exe Token: SeIncBasePriorityPrivilege 1880 server.exe Token: 33 1880 server.exe Token: SeIncBasePriorityPrivilege 1880 server.exe Token: 33 1880 server.exe Token: SeIncBasePriorityPrivilege 1880 server.exe Token: 33 1880 server.exe Token: SeIncBasePriorityPrivilege 1880 server.exe Token: 33 1880 server.exe Token: SeIncBasePriorityPrivilege 1880 server.exe Token: 33 1880 server.exe Token: SeIncBasePriorityPrivilege 1880 server.exe Token: 33 1880 server.exe Token: SeIncBasePriorityPrivilege 1880 server.exe Token: 33 1880 server.exe Token: SeIncBasePriorityPrivilege 1880 server.exe Token: 33 1880 server.exe Token: SeIncBasePriorityPrivilege 1880 server.exe Token: 33 1880 server.exe Token: SeIncBasePriorityPrivilege 1880 server.exe Token: 33 1880 server.exe Token: SeIncBasePriorityPrivilege 1880 server.exe Token: 33 1880 server.exe Token: SeIncBasePriorityPrivilege 1880 server.exe Token: 33 1880 server.exe Token: SeIncBasePriorityPrivilege 1880 server.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
dssddsdsdser.exeserver.exedescription pid process target process PID 4412 wrote to memory of 1880 4412 dssddsdsdser.exe server.exe PID 4412 wrote to memory of 1880 4412 dssddsdsdser.exe server.exe PID 4412 wrote to memory of 1880 4412 dssddsdsdser.exe server.exe PID 1880 wrote to memory of 808 1880 server.exe netsh.exe PID 1880 wrote to memory of 808 1880 server.exe netsh.exe PID 1880 wrote to memory of 808 1880 server.exe netsh.exe PID 1880 wrote to memory of 3744 1880 server.exe taskkill.exe PID 1880 wrote to memory of 3744 1880 server.exe taskkill.exe PID 1880 wrote to memory of 3744 1880 server.exe taskkill.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\dssddsdsdser.exe"C:\Users\Admin\AppData\Local\Temp\dssddsdsdser.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Users\Admin\server.exe"C:\Users\Admin\server.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
PID:808 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM System32.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3744
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\server.exeFilesize
37KB
MD59949e4b8b759ca8bc677f46cf19cf541
SHA1a74bc5fe4c4999a8e3c93e26f76403f601ad1116
SHA256f4d0a71613ef44605049f708e224f93b96846174565eeaf3c857f18af58f5f6a
SHA51285c7bbccd80a84a5c662774fe1ca14a5e1229eb51bec79696270108b222fafd99c6d596cca33985cf0c2e50f23c27940647ca2524c392fc9d8bbf783c5704c78
-
C:\Users\Admin\server.exeFilesize
37KB
MD59949e4b8b759ca8bc677f46cf19cf541
SHA1a74bc5fe4c4999a8e3c93e26f76403f601ad1116
SHA256f4d0a71613ef44605049f708e224f93b96846174565eeaf3c857f18af58f5f6a
SHA51285c7bbccd80a84a5c662774fe1ca14a5e1229eb51bec79696270108b222fafd99c6d596cca33985cf0c2e50f23c27940647ca2524c392fc9d8bbf783c5704c78
-
memory/808-136-0x0000000000000000-mapping.dmp
-
memory/1880-131-0x0000000000000000-mapping.dmp
-
memory/1880-135-0x0000000074AC0000-0x0000000075071000-memory.dmpFilesize
5.7MB
-
memory/1880-138-0x0000000074AC0000-0x0000000075071000-memory.dmpFilesize
5.7MB
-
memory/3744-137-0x0000000000000000-mapping.dmp
-
memory/4412-130-0x0000000074AC0000-0x0000000075071000-memory.dmpFilesize
5.7MB
-
memory/4412-134-0x0000000074AC0000-0x0000000075071000-memory.dmpFilesize
5.7MB