Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 13-09-2022 15:03
Behavioral task behavioral1
- Sample: 1764-56-0x0000000000990000-0x000000000099C000-memory.exe
- Resource: win7-20220812-en
Behavioral task behavioral2
- Sample: 1764-56-0x0000000000990000-0x000000000099C000-memory.exe
- Resource: win10v2004-20220901-en
General
- Target: 1764-56-0x0000000000990000-0x000000000099C000-memory.exe
  The name follows the sandbox's memory-dump convention (PID 1764, region 0x0000000000990000-0x000000000099C000). That region is 0xC000 = 49152 bytes, which matches the 48KB size below: the target is an in-memory payload dumped from a process and resubmitted as a standalone executable, which is why the results below describe the unpacked njRAT rather than a loader.
- Size: 48KB
- MD5: eb0765258076879bf5581ad974af3b5c
- SHA1: 2b3ad034b50b63e64570ba9b02fe90d2c554157a
- SHA256: 10ad1414ecb12a8124e67e6a8708347186e34ac7382adc683015a8b5f7403df6
- SHA512: 1651f90c320c7d2c514a63b2b8780fbb0e0fd275c3e0502bee2c78bf3541586637e6a01a620acc20d36b782631965d10da9f3943551aa0dc00c0a45f861b8bd7
- SSDEEP: 384:z+n2650N3qZbATcjRGC5Eo9D46BgnqUhay1ZmRvR6JZlbw8hqIusZzZhDty:Mm+71d5XRpcnuuc
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet (campaign ID): HacKed
- C2: 2.tcp.eu.ngrok.io:13002
- Mutex: 2806cdb1ef67986308064d5873a67ad7
- reg_key: 2806cdb1ef67986308064d5873a67ad7
- splitter: |'|'|
Notes on the config: "HacKed" is the default campaign name of the njRAT builder, so it says nothing about the operator. The C2 is an ngrok TCP tunnel; the operator's real host sits behind ngrok's relay and the hostname and port are assigned per tunnel, so treat them as a short-lived indicator rather than attributable infrastructure. The same 32-hex-character value is used as mutex, as reg_key and (see the Run-key entries below) as the Run value name, which makes it the most stable host indicator in this config.
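The splitter and message framing are what a network detection needs to carve njRAT traffic out of a capture. The following Python is an added example, not part of the sandbox report: it assumes the framing described in public njRAT 0.7d write-ups (an ASCII decimal byte length, a NUL byte, then the payload, with payload fields separated by the configured splitter) and uses the splitter from the config above. The sample stream, the reply verb `ret` and all field values are constructed for illustration; the real registration message carries more fields than shown.

```python
"""Carve njRAT-style C2 messages from a byte stream using the extracted splitter.

Added example: the framing (decimal byte length, NUL, payload) follows public
njRAT 0.7d write-ups and is an assumption here; the sample stream is constructed.
"""

# Splitter from the extracted config above.
SPLITTER = "|'|'|"


def frame(fields, splitter=SPLITTER):
    """Build one message the way the client does: <len>\\0<fields joined by splitter>."""
    payload = splitter.join(fields).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_stream(data, splitter=SPLITTER):
    """Split a captured TCP stream into (verb, fields) tuples.

    Stops at the first incomplete message (captures are often cut mid-message)
    and raises on a prefix that is not a decimal length, which is how a detector
    tells njRAT framing apart from other NUL-containing traffic."""
    messages = []
    pos = 0
    while pos < len(data):
        nul = data.find(b"\x00", pos)
        if nul == -1:
            break                                   # no complete length prefix left
        prefix = data[pos:nul]
        if not prefix.isdigit():
            raise ValueError(f"non-numeric length prefix at offset {pos}: {prefix!r}")
        length = int(prefix)
        start, end = nul + 1, nul + 1 + length
        if end > len(data):
            break                                   # trailing partial message
        parts = data[start:end].decode("utf-8", errors="replace").split(splitter)
        messages.append((parts[0], parts[1:]))
        pos = end
    return messages


def looks_like_njrat(data, splitter=SPLITTER):
    """True if the stream parses as framed messages and at least one payload uses the splitter."""
    try:
        msgs = parse_stream(data, splitter)
    except ValueError:
        return False
    return any(fields for _verb, fields in msgs)


def splitter_to_suricata_content(splitter=SPLITTER):
    """Render the splitter as a Suricata/Snort hex content match for a C2 signature."""
    return "|" + " ".join(f"{b:02x}" for b in splitter.encode("utf-8")) + "|"


# Constructed stream: a registration ("ll") message, a reply, then a cut-off message.
# Field values are illustrative only; the real registration carries more fields.
SAMPLE_STREAM = (
    frame(["ll", "HacKed", "0.7d"])
    + frame(["ret", "done"])
    + b"9\x00inf|'|"
)

if __name__ == "__main__":
    for verb, fields in parse_stream(SAMPLE_STREAM):
        print(verb, fields)
    print("njRAT-like:", looks_like_njrat(SAMPLE_STREAM))
    print('content:"' + splitter_to_suricata_content() + '";')
```

Because the splitter is a per-build setting, a signature built from one config's splitter will miss builds that changed it; the length-prefix framing is the more durable feature, and the parser above reports it separately from the splitter match.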
Signatures
- Executes dropped EXE (1 IoC)
  Processes: server.exe (PID 960)
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Loads dropped DLL (1 IoC)
  Processes: 1764-56-0x0000000000990000-0x000000000099C000-memory.exe (PID 1848)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  server.exe set value (str):
  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\2806cdb1ef67986308064d5873a67ad7 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\2806cdb1ef67986308064d5873a67ad7 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
  Both the per-user and the per-machine Run key are written (the sandbox user is an administrator, so the HKLM write succeeds). The machine-wide value lands under Wow6432Node because server.exe is a 32-bit process on x64 Windows and WOW64 registry redirection applies; a hunt that only checks the native HKLM Run key misses it. The value name is the config's reg_key and the data points into the user's Temp directory, both of which are simple hunt conditions.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  The second sentence is the sandbox's generic text for this signature, which fires on drive enumeration in general. Nothing else in this report (no file encryption, no ransom note) points to ransomware; for an njRAT sample, drive enumeration is consistent with the RAT's file-manager and removable-drive spreading features.
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  server.exe (PID 960) enabled SeDebugPrivilege once, then enabled privilege 33 and SeIncBasePriorityPrivilege alternately, nine times each.
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1848 (1764-56-0x0000000000990000-0x000000000099C000-memory.exe) wrote to memory of PID 960 (server.exe), 4 times
  PID 960 (server.exe) wrote to memory of PID 1324 (netsh.exe), 4 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\1764-56-0x0000000000990000-0x000000000099C000-memory.exe (PID 1848)
   Command line: "C:\Users\Admin\AppData\Local\Temp\1764-56-0x0000000000990000-0x000000000099C000-memory.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\server.exe (PID 960)
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (PID 1324)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
         - Modifies Windows Firewall
         The `netsh firewall` context is the legacy (pre-Vista) firewall interface, deprecated in favour of `netsh advfirewall` but still functional on Windows 7; the command adds an inbound exception for the dropped binary. netsh being loaded from SysWOW64 confirms that the parent is a 32-bit process.
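The chain above (copy to Temp, Run-key persistence under the config's reg_key, `netsh firewall add allowedprogram` for the dropped binary, C2 over an ngrok tunnel) maps directly onto Sysmon telemetry. The following Python is an added example, not part of the report and not any vendor's detection content: it runs three rules plus a correlation over constructed Sysmon-style events (EventID 1 process creation, 3 network connection, 13 registry value set) that mirror this report's PIDs, paths and C2. The `advfirewall` alternative and the match on any `*.ngrok.io` host are generalisations beyond what the report shows, and the network event is constructed, since the report's Network section lists no connection.

```python
"""Detection logic for the njRAT install chain in this report, run over
constructed Sysmon-style events. Added example; the events are made up to
mirror the report's PIDs, paths and C2, not copied from sandbox telemetry."""
import re

# server.exe was dropped under the user's Temp directory.
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Per-user and per-machine Run keys (the Wow6432Node variant matches as well).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# Legacy "netsh firewall add allowedprogram" as seen in the report, plus the
# modern advfirewall form (assumed generalisation, not on the page).
NETSH_FW_RE = re.compile(
    r'netsh(?:\.exe)?"?\s+(?:firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)\b',
    re.IGNORECASE,
)
# Any ngrok tunnel endpoint, generalised from 2.tcp.eu.ngrok.io in the config.
NGROK_RE = re.compile(r"\.ngrok\.io$", re.IGNORECASE)


def evaluate(events):
    """Return (rule, pid, evidence) tuples; pid is the process held responsible."""
    hits = []
    run_key_pids, netsh_parent_pids = set(), set()
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13:  # registry value set
            target, details = ev.get("TargetObject", ""), ev.get("Details", "")
            if RUN_KEY_RE.search(target) and TEMP_RE.search(details):
                hits.append(("run_key_from_temp", ev["ProcessId"], target))
                run_key_pids.add(ev["ProcessId"])
        elif eid == 1:  # process creation
            cmd = ev.get("CommandLine", "")
            if NETSH_FW_RE.search(cmd) and TEMP_RE.search(cmd):
                parent = ev["ParentProcessId"]  # blame the process that spawned netsh
                hits.append(("firewall_exception_for_temp_binary", parent, cmd))
                netsh_parent_pids.add(parent)
        elif eid == 3:  # network connection
            host = ev.get("DestinationHostname", "")
            if NGROK_RE.search(host):
                hits.append(("ngrok_tunnel_connection", ev["ProcessId"],
                             f"{host}:{ev.get('DestinationPort')}"))
    # Correlation: one process both installs a Run key and whitelists itself in the firewall.
    for pid in sorted(run_key_pids & netsh_parent_pids):
        hits.append(("njrat_like_install_chain", pid,
                     "Run key + netsh allowedprogram from one process"))
    return hits


# Constructed events mirroring the report (PIDs 1848 -> 960 -> 1324), plus benign noise.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 960, "ParentProcessId": 1848,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\server.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\server.exe"'},
    {"EventID": 13, "ProcessId": 960,
     "TargetObject": r"HKU\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\2806cdb1ef67986308064d5873a67ad7",
     "Details": r'"C:\Users\Admin\AppData\Local\Temp\server.exe" ..'},
    {"EventID": 13, "ProcessId": 960,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\2806cdb1ef67986308064d5873a67ad7",
     "Details": r'"C:\Users\Admin\AppData\Local\Temp\server.exe" ..'},
    {"EventID": 1, "ProcessId": 1324, "ParentProcessId": 960,
     "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "CommandLine": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE'},
    # Constructed: the report's Network section shows no connection; this is what one would look like.
    {"EventID": 3, "ProcessId": 960, "DestinationHostname": "2.tcp.eu.ngrok.io", "DestinationPort": 13002},
    # Benign noise that must not fire: a normal Run value and a read-only netsh query.
    {"EventID": 13, "ProcessId": 2000,
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"EventID": 1, "ProcessId": 2100, "ParentProcessId": 2000,
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh advfirewall show allprofiles"},
]

if __name__ == "__main__":
    for rule, pid, evidence in evaluate(SAMPLE_EVENTS):
        print(f"{rule:36} pid={pid} {evidence}")
```

In production the ngrok rule needs scoping (some teams use ngrok legitimately), and the Temp-path condition should be widened to the other user-writable locations RATs favour (Roaming, Public, ProgramData); the correlation rule, which requires both persistence and a self-whitelisting firewall change from one process, is the one with the lowest false-positive rate.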
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 48KB
  MD5: eb0765258076879bf5581ad974af3b5c
  SHA1: 2b3ad034b50b63e64570ba9b02fe90d2c554157a
  SHA256: 10ad1414ecb12a8124e67e6a8708347186e34ac7382adc683015a8b5f7403df6
  SHA512: 1651f90c320c7d2c514a63b2b8780fbb0e0fd275c3e0502bee2c78bf3541586637e6a01a620acc20d36b782631965d10da9f3943551aa0dc00c0a45f861b8bd7
  These hashes are identical to the submitted sample's, so the "dropped" server.exe is a byte-for-byte copy of the original written to the user's Temp directory, not a second-stage download; hunting on the sample's hashes covers both files.
- \Users\Admin\AppData\Local\Temp\server.exe (the same file, recorded under a drive-relative path)
  Filesize: 48KB
  MD5: eb0765258076879bf5581ad974af3b5c
  SHA1: 2b3ad034b50b63e64570ba9b02fe90d2c554157a
  SHA256: 10ad1414ecb12a8124e67e6a8708347186e34ac7382adc683015a8b5f7403df6
  SHA512: 1651f90c320c7d2c514a63b2b8780fbb0e0fd275c3e0502bee2c78bf3541586637e6a01a620acc20d36b782631965d10da9f3943551aa0dc00c0a45f861b8bd7
Memory dumps
- memory/960-57-0x0000000000000000-mapping.dmp
- memory/960-62-0x00000000744B0000-0x0000000074A5B000-memory.dmp, Filesize: 5.7MB
- memory/960-65-0x00000000744B0000-0x0000000074A5B000-memory.dmp, Filesize: 5.7MB
- memory/1324-63-0x0000000000000000-mapping.dmp
- memory/1848-54-0x0000000076091000-0x0000000076093000-memory.dmp, Filesize: 8KB
- memory/1848-55-0x00000000744B0000-0x0000000074A5B000-memory.dmp, Filesize: 5.7MB
- memory/1848-61-0x00000000744B0000-0x0000000074A5B000-memory.dmp, Filesize: 5.7MB