Analysis
max time kernel: 151s
max time network: 52s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 01-10-2022 22:02
Behavioral task behavioral1
Sample: f0e96a5e05511ef011d33261b364f046118f91e1d9053c397d1e6ac10c8c79aa.exe
Resource: win7-20220901-en

Behavioral task behavioral2
Sample: f0e96a5e05511ef011d33261b364f046118f91e1d9053c397d1e6ac10c8c79aa.exe
Resource: win10v2004-20220812-en
General
Target: f0e96a5e05511ef011d33261b364f046118f91e1d9053c397d1e6ac10c8c79aa.exe
Size: 40KB
MD5: 6a7b34aabcd7482e0c6acb99fd249d20
SHA1: 25a6b8074e1323cff36d522c62d1121e7ebfc749
SHA256: f0e96a5e05511ef011d33261b364f046118f91e1d9053c397d1e6ac10c8c79aa
SHA512: 482c4a801e35c236161cae4b5b2042e9f58cd5a7e2f61a9e21e030a73bb1ca3f4584869924f2da210b1b050b8d18876b0914c9f403ee86ad36b86be46f7ec4ae
SSDEEP: 384:xoWtkEwn65rgjAsGipk55D16xgXakhbZD0mRvR6JZlbw8hqIusZzZSNl5:m7O89p2rRpcnuBl5
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: HacKed
C2: momodz.no-ip.biz:1177
Mutex: de24e18567ad7e555a79ab8b2c977563
Attributes:
  reg_key: de24e18567ad7e555a79ab8b2c977563
  splitter: |'|'|
Signatures

Executes dropped EXE (2 IoCs)
Processes: LocalWlKRdrugdz.exe, server.exe
  pid 1900  LocalWlKRdrugdz.exe
  pid 1676  server.exe

Modifies Windows Firewall (1 TTPs, 1 IoCs)

Drops startup file (2 IoCs)
Process: server.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\de24e18567ad7e555a79ab8b2c977563.exe (server.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\de24e18567ad7e555a79ab8b2c977563.exe (server.exe)

Loads dropped DLL (1 IoCs)
Process: LocalWlKRdrugdz.exe
  pid 1900  LocalWlKRdrugdz.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Process: server.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\de24e18567ad7e555a79ab8b2c977563 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." (server.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\de24e18567ad7e555a79ab8b2c977563 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." (server.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (19 IoCs)
Process: server.exe (pid 1676)
  Token: SeDebugPrivilege (1 occurrence)
  Token: 33 (9 occurrences, alternating with the entry below)
  Token: SeIncBasePriorityPrivilege (9 occurrences)

Suspicious use of WriteProcessMemory (12 IoCs)
Processes: f0e96a5e05511ef011d33261b364f046118f91e1d9053c397d1e6ac10c8c79aa.exe, LocalWlKRdrugdz.exe, server.exe
  PID 948 (f0e96a5e05511ef011d33261b364f046118f91e1d9053c397d1e6ac10c8c79aa.exe) wrote to memory of 1900 (LocalWlKRdrugdz.exe), 4 occurrences
  PID 1900 (LocalWlKRdrugdz.exe) wrote to memory of 1676 (server.exe), 4 occurrences
  PID 1676 (server.exe) wrote to memory of 1276 (netsh.exe), 4 occurrences
Processes

C:\Users\Admin\AppData\Local\Temp\f0e96a5e05511ef011d33261b364f046118f91e1d9053c397d1e6ac10c8c79aa.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f0e96a5e05511ef011d33261b364f046118f91e1d9053c397d1e6ac10c8c79aa.exe"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\LocalWlKRdrugdz.exe
    command line: "C:\Users\Admin\AppData\LocalWlKRdrugdz.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\server.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\netsh.exe
        command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\LocalWlKRdrugdz.exe
Filesize: 23KB
MD5: d25bf8c4fd693697735916736f012495
SHA1: 9c774d2da0ab6370a426a841079798be46e45051
SHA256: f1ec9ecc4819d1d3262590e55527904ac2ba91374c10d0ef3de5411c0f59c5df
SHA512: a33c0c4428be2d247c59446bac5bf71637c478e1c028828db3d9ae81c933a6e4b88c7b12d594b45903e68b56ea27120eef0086da24c3c67e689fb41f3a56812f

C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize: 23KB
MD5: d25bf8c4fd693697735916736f012495
SHA1: 9c774d2da0ab6370a426a841079798be46e45051
SHA256: f1ec9ecc4819d1d3262590e55527904ac2ba91374c10d0ef3de5411c0f59c5df
SHA512: a33c0c4428be2d247c59446bac5bf71637c478e1c028828db3d9ae81c933a6e4b88c7b12d594b45903e68b56ea27120eef0086da24c3c67e689fb41f3a56812f

\Users\Admin\AppData\Local\Temp\server.exe
Filesize: 23KB
MD5: d25bf8c4fd693697735916736f012495
SHA1: 9c774d2da0ab6370a426a841079798be46e45051
SHA256: f1ec9ecc4819d1d3262590e55527904ac2ba91374c10d0ef3de5411c0f59c5df
SHA512: a33c0c4428be2d247c59446bac5bf71637c478e1c028828db3d9ae81c933a6e4b88c7b12d594b45903e68b56ea27120eef0086da24c3c67e689fb41f3a56812f

memory/948-60-0x0000000000B40000-0x0000000000B50000-memory.dmp: 64KB
memory/948-54-0x000007FEF49A0000-0x000007FEF53C3000-memory.dmp: 10.1MB
memory/948-55-0x000007FEFC591000-0x000007FEFC593000-memory.dmp: 8KB
memory/1276-69-0x0000000000000000-mapping.dmp
memory/1676-63-0x0000000000000000-mapping.dmp
memory/1676-68-0x0000000074DB0000-0x000000007535B000-memory.dmp: 5.7MB
memory/1676-71-0x0000000074DB0000-0x000000007535B000-memory.dmp: 5.7MB
memory/1900-59-0x0000000076961000-0x0000000076963000-memory.dmp: 8KB
memory/1900-61-0x0000000074DB0000-0x000000007535B000-memory.dmp: 5.7MB
memory/1900-56-0x0000000000000000-mapping.dmp
memory/1900-67-0x0000000074DB0000-0x000000007535B000-memory.dmp: 5.7MB