Resubmissions

Submitted          ID                  Score
08-09-2022 17:44   220908-wblklafbe7   3
07-09-2022 00:27   220907-arqnlaafh7   1
05-09-2022 16:52   220905-vdthjsehd3   3
05-09-2022 16:42   220905-t7p7jsegc2   7
05-09-2022 16:37   220905-t49f1sefh3   3
31-08-2022 06:37   220831-hdwlpabhc7   1
31-08-2022 06:32   220831-haw32sabhk   10
31-08-2022 05:40   220831-gcy5rahffl   10

Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 31-08-2022 06:32
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1 (sample http://20.7.14.99/server/, resource win7-20220812-en)
Behavioral task: behavioral2 (sample http://20.7.14.99/server/, resource win10v2004-20220812-en)
General

Target: http://20.7.14.99/server/

Malware Config (extracted)
  Family: njrat
  Version: 0.7d
  Botnet: HacKed
  C2: 20.7.14.99:5552
  Mutex: 9636f5e673cfb8069e1ef3d1f8bc784b
  reg_key: 9636f5e673cfb8069e1ef3d1f8bc784b
  splitter: |'|'|
Signatures

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
  Processes: Server.exe, server.exe
  - pid 1940  Server.exe
  - pid 1744  server.exe
Modifies Windows Firewall (1 TTPs, 1 IoCs)

Drops startup file (2 IoCs)
  Processes: server.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9636f5e673cfb8069e1ef3d1f8bc784b.exe (server.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9636f5e673cfb8069e1ef3d1f8bc784b.exe (server.exe)
Loads dropped DLL (1 IoCs)
  Processes: Server.exe
  - pid 1940  Server.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: server.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\9636f5e673cfb8069e1ef3d1f8bc784b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." (server.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\9636f5e673cfb8069e1ef3d1f8bc784b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." (server.exe)
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer Phishing Filter (1 TTPs, 2 IoCs)
  Processes: iexplore.exe
  - Key created: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PhishingFilter (iexplore.exe)
  - Set value (data): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = b05e195414bdd801 (iexplore.exe)
Modifies Internet Explorer settings
  Processes: IEXPLORE.EXE, iexplore.exe
  All paths below are relative to \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer
  - Key created: \Main (IEXPLORE.EXE)
  - Set value (str): \Main\WindowsSearch\Version = "WS not running" (IEXPLORE.EXE)
  - Key created: \DomainSuggestion\FileNames\ (iexplore.exe)
  - Key created: \DomainSuggestion\FileNames (iexplore.exe)
  - Set value (int): \DomainSuggestion\NextUpdateDate = "368699742" (iexplore.exe)
  - Key created: \InternetRegistry (iexplore.exe)
  - Key created: \Toolbar\WebBrowser (iexplore.exe)
  - Key created: \Recovery\PendingRecovery (iexplore.exe)
  - Key created: \TabbedBrowsing (iexplore.exe)
  - Key created: \DomainSuggestion (iexplore.exe)
  - Key created: \GPU (iexplore.exe)
  - Key created: \IntelliForms (iexplore.exe)
  - Set value (str): \DomainSuggestion\FileNames\en-US = "en-US.1" (iexplore.exe)
  - Key created: \Main (iexplore.exe)
  - Key created: \IETld\LowMic (iexplore.exe)
  - Key created: \Zoom (iexplore.exe)
  - Set value (int): \Main\CompatibilityFlags = "0" (iexplore.exe)
  - Set value (data): \Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
  - Key created: \Main\WindowsSearch (IEXPLORE.EXE)
  - Key created: \BrowserEmulation\LowMic (iexplore.exe)
  - Set value (int): \Recovery\AdminActive\{7DA022F1-2907-11ED-B25A-FE72C9E2D9C9} = "0" (iexplore.exe)
  - Key created: \Main\WindowsSearch (iexplore.exe)
  - Set value (str): \Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
  - Set value (str): \Main\FullScreen = "no" (iexplore.exe)
  - Key created: \LowRegistry\DOMStorage (iexplore.exe)
  - Set value (int): \Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
  - Set value (data): \TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a3000000000200000000001066000000010000200000008290e667716bf4be8732c1d1d1b0a802fee6cc170389f507d66bc311b4c2b7d8000000000e800000000200002000000021a47216160efd424ca1a1c2f0b6cd3b743012677cbbe15bc878cacc8ef1c18220000000aec039914fc2e85107306d50b5f25e4c06e0aec47e85f82eea29f234b18a8ddb400000006784d7b0296eaed961ce0f7f5945855e1810645ddb3dc089f73880a5c379959a76f554bb89650daa1ff84aa4427103a3c39f379d5347f3e3598f734e1ee5e4cb (iexplore.exe)
  - Set value (data): \TabbedBrowsing\NewTabPage\MFV = [value not preserved in this extract] (iexplore.exe)
  - Key created: \Toolbar (iexplore.exe)
  - Key created: \TabbedBrowsing\NewTabPage (iexplore.exe)
  - Set value (data): \TabbedBrowsing\NewTabPage\LastProcessed = 4062be5714bdd801 (iexplore.exe)
  - Key created: \LowRegistry (iexplore.exe)
  - Key created: \LowRegistry\DontShowMeThisDialogAgain (iexplore.exe)
  - Key created: \PageSetup (iexplore.exe)
  - Key created: \Recovery\AdminActive (iexplore.exe)
  - Set value (int): \TabbedBrowsing\NTPFirstRun = "1" (iexplore.exe)
Suspicious use of AdjustPrivilegeToken (13 IoCs)
  Processes: server.exe
  - Token: SeDebugPrivilege            pid 1744  server.exe
  - Token: 33                          pid 1744  server.exe
  - Token: SeIncBasePriorityPrivilege  pid 1744  server.exe
  - Token: 33                          pid 1744  server.exe
  - Token: SeIncBasePriorityPrivilege  pid 1744  server.exe
  - Token: 33                          pid 1744  server.exe
  - Token: SeIncBasePriorityPrivilege  pid 1744  server.exe
  - Token: 33                          pid 1744  server.exe
  - Token: SeIncBasePriorityPrivilege  pid 1744  server.exe
  - Token: 33                          pid 1744  server.exe
  - Token: SeIncBasePriorityPrivilege  pid 1744  server.exe
  - Token: 33                          pid 1744  server.exe
  - Token: SeIncBasePriorityPrivilege  pid 1744  server.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: iexplore.exe
  - pid 1668  iexplore.exe
  - pid 1668  iexplore.exe

Suspicious use of SetWindowsHookEx (8 IoCs)
  Processes: iexplore.exe, IEXPLORE.EXE
  - pid 1668  iexplore.exe (2 entries)
  - pid 1224  IEXPLORE.EXE (6 entries)

Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: iexplore.exe, Server.exe, server.exe
  Each of the following was recorded 4 times:
  - PID 1668 wrote to memory of 1224  (iexplore.exe -> IEXPLORE.EXE)
  - PID 1668 wrote to memory of 1940  (iexplore.exe -> Server.exe)
  - PID 1940 wrote to memory of 1744  (Server.exe -> server.exe)
  - PID 1744 wrote to memory of 1736  (server.exe -> netsh.exe)
Processes

C:\Program Files\Internet Explorer\iexplore.exe
  command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://20.7.14.99/server/
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1668 CREDAT:275457 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\Downloads\Server.exe
    command line: "C:\Users\Admin\Downloads\Server.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\server.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\netsh.exe
        command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\tcz8fqz\imagestore.dat
  Filesize: 34KB
  MD5: e59d05e3ab436d138aa477af9fcac136
  SHA1: ac2c829b6954e7b74c7cb6e9774592a7a5ff3070
  SHA256: 775e989ea0fd2ad0881f1bae7ea17a8fc88069775eb7e7d00ca1c356c41aec77
  SHA512: ac3ea11d7b08916638084a23b7a564b6934f4c87cce5eddcbaa425adea25798aaebdb4dc262bef1632296312f693a54067e0fd294f469edd57e1b5265173798d

C:\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 23KB
  MD5: 4cc52b12b15e02c96fed275defa813af
  SHA1: a35a727745e25e1b71119968d3f090dfc4c07c18
  SHA256: db62cd044da6120e08c11b7cc41f9ac0fb160adedd1f7a3a6380713d3a305357
  SHA512: addaa15db05d0eee7f43715406fc41ebd1dd0dc1b626d473c85c302ff541f7033dd77585912e1630e10474db212aa5d9122bb8527d9383437fba9d56e90c3676

C:\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 23KB
  MD5: 4cc52b12b15e02c96fed275defa813af
  SHA1: a35a727745e25e1b71119968d3f090dfc4c07c18
  SHA256: db62cd044da6120e08c11b7cc41f9ac0fb160adedd1f7a3a6380713d3a305357
  SHA512: addaa15db05d0eee7f43715406fc41ebd1dd0dc1b626d473c85c302ff541f7033dd77585912e1630e10474db212aa5d9122bb8527d9383437fba9d56e90c3676

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\PPOS0VTN.txt
  Filesize: 608B
  MD5: d6e4cae8d2e78d449fda6012964eb774
  SHA1: ddfb5964841e5a2a50ec91f2e0babdc69de8c425
  SHA256: 8c3461ac3a1cfe7ca67cc16d42bc05946a577b18414748081ee1a5bb22dd7c7d
  SHA512: 11b4ebe28519fc92556f087516097b4494f5c16d280b5c80d9617b703e6fe1ba04cad17a6ebb319a31c5d2f18c48c28468b0c8d1befcabc0f7e2a13c8a80b474

C:\Users\Admin\Downloads\Server.exe
  Filesize: 23KB
  MD5: 4cc52b12b15e02c96fed275defa813af
  SHA1: a35a727745e25e1b71119968d3f090dfc4c07c18
  SHA256: db62cd044da6120e08c11b7cc41f9ac0fb160adedd1f7a3a6380713d3a305357
  SHA512: addaa15db05d0eee7f43715406fc41ebd1dd0dc1b626d473c85c302ff541f7033dd77585912e1630e10474db212aa5d9122bb8527d9383437fba9d56e90c3676

C:\Users\Admin\Downloads\Server.exe.y0ibym7.partial
  Filesize: 23KB
  MD5: 4cc52b12b15e02c96fed275defa813af
  SHA1: a35a727745e25e1b71119968d3f090dfc4c07c18
  SHA256: db62cd044da6120e08c11b7cc41f9ac0fb160adedd1f7a3a6380713d3a305357
  SHA512: addaa15db05d0eee7f43715406fc41ebd1dd0dc1b626d473c85c302ff541f7033dd77585912e1630e10474db212aa5d9122bb8527d9383437fba9d56e90c3676

\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 23KB
  MD5: 4cc52b12b15e02c96fed275defa813af
  SHA1: a35a727745e25e1b71119968d3f090dfc4c07c18
  SHA256: db62cd044da6120e08c11b7cc41f9ac0fb160adedd1f7a3a6380713d3a305357
  SHA512: addaa15db05d0eee7f43715406fc41ebd1dd0dc1b626d473c85c302ff541f7033dd77585912e1630e10474db212aa5d9122bb8527d9383437fba9d56e90c3676
memory/1736-67-0x0000000000000000-mapping.dmp

memory/1744-61-0x0000000000000000-mapping.dmp

memory/1744-66-0x0000000070CC0000-0x000000007126B000-memory.dmp
  Filesize: 5.7MB

memory/1744-70-0x0000000070CC0000-0x000000007126B000-memory.dmp
  Filesize: 5.7MB

memory/1940-59-0x0000000070CC0000-0x000000007126B000-memory.dmp
  Filesize: 5.7MB

memory/1940-58-0x0000000075071000-0x0000000075073000-memory.dmp
  Filesize: 8KB

memory/1940-65-0x0000000070CC0000-0x000000007126B000-memory.dmp
  Filesize: 5.7MB

memory/1940-56-0x0000000000000000-mapping.dmp