Analysis
max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted: 31-08-2022 08:31
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: tmp.exe
Resource: win10v2004-20220812-en
General
Target: tmp.exe
Size: 23KB
MD5: 4cc52b12b15e02c96fed275defa813af
SHA1: a35a727745e25e1b71119968d3f090dfc4c07c18
SHA256: db62cd044da6120e08c11b7cc41f9ac0fb160adedd1f7a3a6380713d3a305357
SHA512: addaa15db05d0eee7f43715406fc41ebd1dd0dc1b626d473c85c302ff541f7033dd77585912e1630e10474db212aa5d9122bb8527d9383437fba9d56e90c3676
SSDEEP: 384:9oWtkEwn65rgjAsGipk55D16xgXakhbZD0mRvR6JZlbw8hqIusZzZug:i7O89p2rRpcnu4
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: HacKed
C2: 20.7.14.99:5552
Mutex: 9636f5e673cfb8069e1ef3d1f8bc784b
Attributes:
  reg_key: 9636f5e673cfb8069e1ef3d1f8bc784b
  splitter: |'|'|
Signatures

Executes dropped EXE (1 IoCs)
Processes: server.exe
  pid   process
  892   server.exe

Modifies Windows Firewall (1 TTPs, 1 IoCs)

Drops startup file (2 IoCs)
Processes: server.exe
  description                    ioc                                                                                                                process
  File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9636f5e673cfb8069e1ef3d1f8bc784b.exe   server.exe
  File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9636f5e673cfb8069e1ef3d1f8bc784b.exe   server.exe

Loads dropped DLL (1 IoCs)
Processes: tmp.exe
  pid    process
  1972   tmp.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: server.exe
  description        ioc                                                                                                                                                                                                       process
  Set value (str)    \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\9636f5e673cfb8069e1ef3d1f8bc784b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."   server.exe
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\9636f5e673cfb8069e1ef3d1f8bc784b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."                                 server.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (19 IoCs)
Processes: server.exe
  description                          pid   process
  Token: SeDebugPrivilege              892   server.exe
  Token: 33                            892   server.exe
  Token: SeIncBasePriorityPrivilege    892   server.exe
  Token: 33                            892   server.exe
  Token: SeIncBasePriorityPrivilege    892   server.exe
  Token: 33                            892   server.exe
  Token: SeIncBasePriorityPrivilege    892   server.exe
  Token: 33                            892   server.exe
  Token: SeIncBasePriorityPrivilege    892   server.exe
  Token: 33                            892   server.exe
  Token: SeIncBasePriorityPrivilege    892   server.exe
  Token: 33                            892   server.exe
  Token: SeIncBasePriorityPrivilege    892   server.exe
  Token: 33                            892   server.exe
  Token: SeIncBasePriorityPrivilege    892   server.exe
  Token: 33                            892   server.exe
  Token: SeIncBasePriorityPrivilege    892   server.exe
  Token: 33                            892   server.exe
  Token: SeIncBasePriorityPrivilege    892   server.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: tmp.exe, server.exe
  description                        pid    process      target process
  PID 1972 wrote to memory of 892    1972   tmp.exe      server.exe
  PID 1972 wrote to memory of 892    1972   tmp.exe      server.exe
  PID 1972 wrote to memory of 892    1972   tmp.exe      server.exe
  PID 1972 wrote to memory of 892    1972   tmp.exe      server.exe
  PID 892 wrote to memory of 1512    892    server.exe   netsh.exe
  PID 892 wrote to memory of 1512    892    server.exe   netsh.exe
  PID 892 wrote to memory of 1512    892    server.exe   netsh.exe
  PID 892 wrote to memory of 1512    892    server.exe   netsh.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\tmp.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\server.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe
         command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize: 23KB
MD5: 4cc52b12b15e02c96fed275defa813af
SHA1: a35a727745e25e1b71119968d3f090dfc4c07c18
SHA256: db62cd044da6120e08c11b7cc41f9ac0fb160adedd1f7a3a6380713d3a305357
SHA512: addaa15db05d0eee7f43715406fc41ebd1dd0dc1b626d473c85c302ff541f7033dd77585912e1630e10474db212aa5d9122bb8527d9383437fba9d56e90c3676

\Users\Admin\AppData\Local\Temp\server.exe
Filesize: 23KB
MD5: 4cc52b12b15e02c96fed275defa813af
SHA1: a35a727745e25e1b71119968d3f090dfc4c07c18
SHA256: db62cd044da6120e08c11b7cc41f9ac0fb160adedd1f7a3a6380713d3a305357
SHA512: addaa15db05d0eee7f43715406fc41ebd1dd0dc1b626d473c85c302ff541f7033dd77585912e1630e10474db212aa5d9122bb8527d9383437fba9d56e90c3676

memory/892-57-0x0000000000000000-mapping.dmp
memory/892-62-0x0000000074690000-0x0000000074C3B000-memory.dmp  Filesize: 5.7MB
memory/892-65-0x0000000074690000-0x0000000074C3B000-memory.dmp  Filesize: 5.7MB
memory/1512-63-0x0000000000000000-mapping.dmp
memory/1972-54-0x00000000751A1000-0x00000000751A3000-memory.dmp  Filesize: 8KB
memory/1972-55-0x0000000074690000-0x0000000074C3B000-memory.dmp  Filesize: 5.7MB
memory/1972-61-0x0000000074690000-0x0000000074C3B000-memory.dmp  Filesize: 5.7MB