Analysis
max time kernel: 146s
max time network: 142s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted: 30-08-2022 14:12
Static task: static1
Behavioral task: behavioral1
Sample: 2944260deaa025272074f9a2ac84ffd7.exe
Resource: win7-20220812-en
General
Target: 2944260deaa025272074f9a2ac84ffd7.exe
Size: 347KB
MD5: 2944260deaa025272074f9a2ac84ffd7
SHA1: 18aa80fcd4efade56a68ce67a38f8e148d38e863
SHA256: 76de9acdc679b628b2982e417d9b9d3329841439f9ccfb70e4e11e162ec1eb68
SHA512: 84e15d0cef4d0a34fecb7238aa3e02c2ecd19e0e5beb1474d6c8cb74b40eaae3e097455b2e2a71a6ae02113192a67f52149231313a9e992a9c13c4da22366653
SSDEEP: 6144:SiDdgU7fEMhpd2cBcr39lIKdK8RKzd+jAYLToFYAah+eCH5+Hn0Su34KB:1fEWpdPKrNlIKdK8RKwOXo+J4H0SQ
Malware Config
Extracted
Family: njrat
0.7d
HacKed
FRANSESCOC50Y3AuZXUubmdyb2suaW8Strik:MTU4OTA=
0ec537396f8c89c665c6c857f7fa4b8a
reg_key: 0ec537396f8c89c665c6c857f7fa4b8a
splitter: |'|'|
Signatures
Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  856   Server.exe
  1492  server.exe
Modifies Windows Firewall (1 TTPs, 3 IoCs)
Processes:
  pid   process
  320   netsh.exe
  1948  netsh.exe
  1108  netsh.exe
Loads dropped DLL (4 IoCs)
Processes:
  pid   process
  976   2944260deaa025272074f9a2ac84ffd7.exe
  976   2944260deaa025272074f9a2ac84ffd7.exe
  856   Server.exe
  856   Server.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid   process
  1492  server.exe
Suspicious use of AdjustPrivilegeToken (21 IoCs)
Processes:
  description                        pid   process
  Token: SeDebugPrivilege            1492  server.exe
  Token: 33                          1492  server.exe
  Token: SeIncBasePriorityPrivilege  1492  server.exe
  Token: 33                          1492  server.exe
  Token: SeIncBasePriorityPrivilege  1492  server.exe
  Token: 33                          1492  server.exe
  Token: SeIncBasePriorityPrivilege  1492  server.exe
  Token: 33                          1492  server.exe
  Token: SeIncBasePriorityPrivilege  1492  server.exe
  Token: 33                          1492  server.exe
  Token: SeIncBasePriorityPrivilege  1492  server.exe
  Token: 33                          1492  server.exe
  Token: SeIncBasePriorityPrivilege  1492  server.exe
  Token: 33                          1492  server.exe
  Token: SeIncBasePriorityPrivilege  1492  server.exe
  Token: 33                          1492  server.exe
  Token: SeIncBasePriorityPrivilege  1492  server.exe
  Token: 33                          1492  server.exe
  Token: SeIncBasePriorityPrivilege  1492  server.exe
  Token: 33                          1492  server.exe
  Token: SeIncBasePriorityPrivilege  1492  server.exe
Suspicious use of WriteProcessMemory (20 IoCs)
Processes:
  description                       pid   process                               target process
  PID 976 wrote to memory of 856    976   2944260deaa025272074f9a2ac84ffd7.exe  Server.exe
  PID 976 wrote to memory of 856    976   2944260deaa025272074f9a2ac84ffd7.exe  Server.exe
  PID 976 wrote to memory of 856    976   2944260deaa025272074f9a2ac84ffd7.exe  Server.exe
  PID 976 wrote to memory of 856    976   2944260deaa025272074f9a2ac84ffd7.exe  Server.exe
  PID 856 wrote to memory of 1492   856   Server.exe                            server.exe
  PID 856 wrote to memory of 1492   856   Server.exe                            server.exe
  PID 856 wrote to memory of 1492   856   Server.exe                            server.exe
  PID 856 wrote to memory of 1492   856   Server.exe                            server.exe
  PID 1492 wrote to memory of 320   1492  server.exe                            netsh.exe
  PID 1492 wrote to memory of 320   1492  server.exe                            netsh.exe
  PID 1492 wrote to memory of 320   1492  server.exe                            netsh.exe
  PID 1492 wrote to memory of 320   1492  server.exe                            netsh.exe
  PID 1492 wrote to memory of 1948  1492  server.exe                            netsh.exe
  PID 1492 wrote to memory of 1948  1492  server.exe                            netsh.exe
  PID 1492 wrote to memory of 1948  1492  server.exe                            netsh.exe
  PID 1492 wrote to memory of 1948  1492  server.exe                            netsh.exe
  PID 1492 wrote to memory of 1108  1492  server.exe                            netsh.exe
  PID 1492 wrote to memory of 1108  1492  server.exe                            netsh.exe
  PID 1492 wrote to memory of 1108  1492  server.exe                            netsh.exe
  PID 1492 wrote to memory of 1108  1492  server.exe                            netsh.exe
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\2944260deaa025272074f9a2ac84ffd7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2944260deaa025272074f9a2ac84ffd7.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Server.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Server.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Users\Admin\AppData\Local\Temp\server.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      (depth 4) C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        - Modifies Windows Firewall
      (depth 4) C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        - Modifies Windows Firewall
      (depth 4) C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 93KB
  MD5: 6633e4a02ef0a596391274133458fe08
  SHA1: 194b28b1494dd31941e2404094034a55062fdc86
  SHA256: af57cecf462d2f8321a842aca1566a9629d2315958a7a0252ca8c8e7e0e993d7
  SHA512: 449e6ae83ce6d82be9b9e90c3fd07ac358c4cb8f3d8fc273057de7caa59cf51bbdb55b03cf063c5651cf8d23354cd3d178830ad580301c2764bec7c0b21842ba
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Server.exe
  Filesize: 93KB
  MD5: 6633e4a02ef0a596391274133458fe08
  SHA1: 194b28b1494dd31941e2404094034a55062fdc86
  SHA256: af57cecf462d2f8321a842aca1566a9629d2315958a7a0252ca8c8e7e0e993d7
  SHA512: 449e6ae83ce6d82be9b9e90c3fd07ac358c4cb8f3d8fc273057de7caa59cf51bbdb55b03cf063c5651cf8d23354cd3d178830ad580301c2764bec7c0b21842ba
C:\Users\Admin\AppData\Roaming\app
  Filesize: 5B
  MD5: b66e20886f9675fe4dbf430ea2d0bf8d
  SHA1: 2e676da72201e6e4482e00b300511900c6aee5a0
  SHA256: 899a421c56c18058cbdd16dd7fb313a57d36c1189ca0f442070ed01d17241414
  SHA512: f431616522f775de27ccde420f0de6f8b3477fbe97cfd8001864b8289a570916a6dd32c84fcf8af6083d8c1b47c61aa5c73ed1e7cc75213d3f24bd94a93cb870
\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 93KB
  MD5: 6633e4a02ef0a596391274133458fe08
  SHA1: 194b28b1494dd31941e2404094034a55062fdc86
  SHA256: af57cecf462d2f8321a842aca1566a9629d2315958a7a0252ca8c8e7e0e993d7
  SHA512: 449e6ae83ce6d82be9b9e90c3fd07ac358c4cb8f3d8fc273057de7caa59cf51bbdb55b03cf063c5651cf8d23354cd3d178830ad580301c2764bec7c0b21842ba
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Server.exe
  Filesize: 93KB
  MD5: 6633e4a02ef0a596391274133458fe08
  SHA1: 194b28b1494dd31941e2404094034a55062fdc86
  SHA256: af57cecf462d2f8321a842aca1566a9629d2315958a7a0252ca8c8e7e0e993d7
  SHA512: 449e6ae83ce6d82be9b9e90c3fd07ac358c4cb8f3d8fc273057de7caa59cf51bbdb55b03cf063c5651cf8d23354cd3d178830ad580301c2764bec7c0b21842ba
memory/320-73-0x0000000000000000-mapping.dmp
memory/856-63-0x0000000074390000-0x000000007493B000-memory.dmp  Filesize: 5.7MB
memory/856-70-0x0000000074390000-0x000000007493B000-memory.dmp  Filesize: 5.7MB
memory/856-58-0x0000000000000000-mapping.dmp
memory/976-54-0x0000000075791000-0x0000000075793000-memory.dmp  Filesize: 8KB
memory/976-62-0x0000000074390000-0x000000007493B000-memory.dmp  Filesize: 5.7MB
memory/976-55-0x0000000074390000-0x000000007493B000-memory.dmp  Filesize: 5.7MB
memory/1108-76-0x0000000000000000-mapping.dmp
memory/1492-71-0x0000000074390000-0x000000007493B000-memory.dmp  Filesize: 5.7MB
memory/1492-66-0x0000000000000000-mapping.dmp
memory/1492-79-0x0000000074390000-0x000000007493B000-memory.dmp  Filesize: 5.7MB
memory/1948-75-0x0000000000000000-mapping.dmp