Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
17-09-2022 14:51
Behavioral task
behavioral1
Sample
419ece99dc9b500ee2575264c281b4e7.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
419ece99dc9b500ee2575264c281b4e7.exe
Resource
win10v2004-20220901-en
General
-
Target
419ece99dc9b500ee2575264c281b4e7.exe
-
Size
23KB
-
MD5
419ece99dc9b500ee2575264c281b4e7
-
SHA1
2883dfa794df393d497471cfb2f3e9d4ee76c78b
-
SHA256
df67b2bfef15688b2b3ea0987c3e7826068000704edab330b14d0f71856bab21
-
SHA512
b9714d20efbce321dd009da31ced829c240d82f8923ed5daf4b5b060df9319847e6312950831d6597c43a2addff6e12954f133abb0e1cd4d81b83c8120b8cf1a
-
SSDEEP
384:ksqS+ER6vRKXGYKRWVSujUtX9w6Dglo61Z5DVmRvR6JZlbw8hqIusZzZ/PL:Lf65K2Yf1jKRpcnug
Malware Config
Extracted
njrat
0.7d
HacKed
shakeu123.duckdns.org:1666
5754ab9e1340992a5b2648d125137082
-
reg_key
5754ab9e1340992a5b2648d125137082
-
splitter
|'|'|
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
Server.exepid process 1884 Server.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Drops startup file 2 IoCs
Processes:
Server.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5754ab9e1340992a5b2648d125137082.exe Server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5754ab9e1340992a5b2648d125137082.exe Server.exe -
Loads dropped DLL 1 IoCs
Processes:
419ece99dc9b500ee2575264c281b4e7.exepid process 1280 419ece99dc9b500ee2575264c281b4e7.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Server.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5754ab9e1340992a5b2648d125137082 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .." Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\5754ab9e1340992a5b2648d125137082 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .." Server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
Processes:
Server.exedescription pid process Token: SeDebugPrivilege 1884 Server.exe Token: 33 1884 Server.exe Token: SeIncBasePriorityPrivilege 1884 Server.exe Token: 33 1884 Server.exe Token: SeIncBasePriorityPrivilege 1884 Server.exe Token: 33 1884 Server.exe Token: SeIncBasePriorityPrivilege 1884 Server.exe Token: 33 1884 Server.exe Token: SeIncBasePriorityPrivilege 1884 Server.exe Token: 33 1884 Server.exe Token: SeIncBasePriorityPrivilege 1884 Server.exe Token: 33 1884 Server.exe Token: SeIncBasePriorityPrivilege 1884 Server.exe Token: 33 1884 Server.exe Token: SeIncBasePriorityPrivilege 1884 Server.exe Token: 33 1884 Server.exe Token: SeIncBasePriorityPrivilege 1884 Server.exe Token: 33 1884 Server.exe Token: SeIncBasePriorityPrivilege 1884 Server.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
419ece99dc9b500ee2575264c281b4e7.exeServer.exedescription pid process target process PID 1280 wrote to memory of 1884 1280 419ece99dc9b500ee2575264c281b4e7.exe Server.exe PID 1280 wrote to memory of 1884 1280 419ece99dc9b500ee2575264c281b4e7.exe Server.exe PID 1280 wrote to memory of 1884 1280 419ece99dc9b500ee2575264c281b4e7.exe Server.exe PID 1280 wrote to memory of 1884 1280 419ece99dc9b500ee2575264c281b4e7.exe Server.exe PID 1884 wrote to memory of 1348 1884 Server.exe netsh.exe PID 1884 wrote to memory of 1348 1884 Server.exe netsh.exe PID 1884 wrote to memory of 1348 1884 Server.exe netsh.exe PID 1884 wrote to memory of 1348 1884 Server.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\419ece99dc9b500ee2575264c281b4e7.exe"C:\Users\Admin\AppData\Local\Temp\419ece99dc9b500ee2575264c281b4e7.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE3⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Server.exeFilesize
23KB
MD5419ece99dc9b500ee2575264c281b4e7
SHA12883dfa794df393d497471cfb2f3e9d4ee76c78b
SHA256df67b2bfef15688b2b3ea0987c3e7826068000704edab330b14d0f71856bab21
SHA512b9714d20efbce321dd009da31ced829c240d82f8923ed5daf4b5b060df9319847e6312950831d6597c43a2addff6e12954f133abb0e1cd4d81b83c8120b8cf1a
-
C:\Users\Admin\AppData\Local\Temp\Server.exeFilesize
23KB
MD5419ece99dc9b500ee2575264c281b4e7
SHA12883dfa794df393d497471cfb2f3e9d4ee76c78b
SHA256df67b2bfef15688b2b3ea0987c3e7826068000704edab330b14d0f71856bab21
SHA512b9714d20efbce321dd009da31ced829c240d82f8923ed5daf4b5b060df9319847e6312950831d6597c43a2addff6e12954f133abb0e1cd4d81b83c8120b8cf1a
-
\Users\Admin\AppData\Local\Temp\Server.exeFilesize
23KB
MD5419ece99dc9b500ee2575264c281b4e7
SHA12883dfa794df393d497471cfb2f3e9d4ee76c78b
SHA256df67b2bfef15688b2b3ea0987c3e7826068000704edab330b14d0f71856bab21
SHA512b9714d20efbce321dd009da31ced829c240d82f8923ed5daf4b5b060df9319847e6312950831d6597c43a2addff6e12954f133abb0e1cd4d81b83c8120b8cf1a
-
memory/1280-54-0x0000000075811000-0x0000000075813000-memory.dmpFilesize
8KB
-
memory/1280-55-0x0000000074110000-0x00000000746BB000-memory.dmpFilesize
5.7MB
-
memory/1280-61-0x0000000074110000-0x00000000746BB000-memory.dmpFilesize
5.7MB
-
memory/1348-63-0x0000000000000000-mapping.dmp
-
memory/1884-57-0x0000000000000000-mapping.dmp
-
memory/1884-62-0x0000000074110000-0x00000000746BB000-memory.dmpFilesize
5.7MB
-
memory/1884-65-0x0000000074110000-0x00000000746BB000-memory.dmpFilesize
5.7MB