Analysis
max time kernel: 149s
max time network: 152s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 14-09-2022 19:44
Behavioral task: behavioral1
Sample: 0x000a0000000122f5-56.exe
Resource: win7-20220812-en
General
Target: 0x000a0000000122f5-56.exe
Size: 23KB
MD5: ffa4d67e73388d5573b9e55a029800ab
SHA1: 929760e8f38433556280bc348609273e1d2d25e1
SHA256: 5cf17f3d1a5b7713a357bcd0473986e575733fdee5f10e390272793aeea92700
SHA512: e50f469dc6ac8ed96d7f1a363823202319439e196b3689caf0a53ee4a31aab26b44c0c543e7f879b0268c9f2e6a9bc21797a3af28bb696a68f830ff9dc7dd81c
SSDEEP: 384:2sqS+ER6vRKXGYKRWVSujUtX9w6Dglo61Z5DVmRvR6JZlbw8hqIusZzZNHhy:Bf65K2Yf1jKRpcnumo
Malware Config
Extracted
family: njrat
version: 0.7d
botnet: HacKed
c2: 0.tcp.ngrok.io:17413
mutex: ed0dbeeaea86b7db8fabde04117ddf70
reg_key: ed0dbeeaea86b7db8fabde04117ddf70
splitter: |'|'|
Signatures
Executes dropped EXE (1 IoC)
  Processes:
  pid   process
  1000  server.exe
Modifies Windows Firewall (1 TTP, 1 IoC)
Loads dropped DLL (1 IoC)
  Processes:
  pid   process
  768   0x000a0000000122f5-56.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Processes:
  description                        pid   process
  Token: SeDebugPrivilege            1000  server.exe
  Token: 33                          1000  server.exe
  Token: SeIncBasePriorityPrivilege  1000  server.exe
  Token: 33                          1000  server.exe
  Token: SeIncBasePriorityPrivilege  1000  server.exe
  Token: 33                          1000  server.exe
  Token: SeIncBasePriorityPrivilege  1000  server.exe
  Token: 33                          1000  server.exe
  Token: SeIncBasePriorityPrivilege  1000  server.exe
  Token: 33                          1000  server.exe
  Token: SeIncBasePriorityPrivilege  1000  server.exe
  Token: 33                          1000  server.exe
  Token: SeIncBasePriorityPrivilege  1000  server.exe
  Token: 33                          1000  server.exe
  Token: SeIncBasePriorityPrivilege  1000  server.exe
  Token: 33                          1000  server.exe
  Token: SeIncBasePriorityPrivilege  1000  server.exe
  Token: 33                          1000  server.exe
  Token: SeIncBasePriorityPrivilege  1000  server.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description                        pid   process                    target process
  PID 768 wrote to memory of 1000    768   0x000a0000000122f5-56.exe  server.exe
  PID 768 wrote to memory of 1000    768   0x000a0000000122f5-56.exe  server.exe
  PID 768 wrote to memory of 1000    768   0x000a0000000122f5-56.exe  server.exe
  PID 768 wrote to memory of 1000    768   0x000a0000000122f5-56.exe  server.exe
  PID 1000 wrote to memory of 1988   1000  server.exe                 netsh.exe
  PID 1000 wrote to memory of 1988   1000  server.exe                 netsh.exe
  PID 1000 wrote to memory of 1988   1000  server.exe                 netsh.exe
  PID 1000 wrote to memory of 1988   1000  server.exe                 netsh.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\0x000a0000000122f5-56.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\0x000a0000000122f5-56.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\server.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 23KB
  MD5: ffa4d67e73388d5573b9e55a029800ab
  SHA1: 929760e8f38433556280bc348609273e1d2d25e1
  SHA256: 5cf17f3d1a5b7713a357bcd0473986e575733fdee5f10e390272793aeea92700
  SHA512: e50f469dc6ac8ed96d7f1a363823202319439e196b3689caf0a53ee4a31aab26b44c0c543e7f879b0268c9f2e6a9bc21797a3af28bb696a68f830ff9dc7dd81c
\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 23KB
  MD5: ffa4d67e73388d5573b9e55a029800ab
  SHA1: 929760e8f38433556280bc348609273e1d2d25e1
  SHA256: 5cf17f3d1a5b7713a357bcd0473986e575733fdee5f10e390272793aeea92700
  SHA512: e50f469dc6ac8ed96d7f1a363823202319439e196b3689caf0a53ee4a31aab26b44c0c543e7f879b0268c9f2e6a9bc21797a3af28bb696a68f830ff9dc7dd81c
memory/768-54-0x0000000076871000-0x0000000076873000-memory.dmp
  Filesize: 8KB
memory/768-55-0x0000000074EE0000-0x000000007548B000-memory.dmp
  Filesize: 5.7MB
memory/768-61-0x0000000074EE0000-0x000000007548B000-memory.dmp
  Filesize: 5.7MB
memory/1000-57-0x0000000000000000-mapping.dmp
memory/1000-62-0x0000000074EE0000-0x000000007548B000-memory.dmp
  Filesize: 5.7MB
memory/1000-65-0x0000000074EE0000-0x000000007548B000-memory.dmp
  Filesize: 5.7MB
memory/1988-63-0x0000000000000000-mapping.dmp