Analysis
-
max time kernel
151s -
max time network
44s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system -
submitted
01-10-2022 22:55
Behavioral task
behavioral1
Sample
2ead13296e90b2e3683fd3a219857a61c20edc17e7714392a94ba4a13a042164.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
2ead13296e90b2e3683fd3a219857a61c20edc17e7714392a94ba4a13a042164.exe
Resource
win10v2004-20220812-en
General
-
Target
2ead13296e90b2e3683fd3a219857a61c20edc17e7714392a94ba4a13a042164.exe
-
Size
23KB
-
MD5
575adc1e4c148afe397d3695759ce440
-
SHA1
0b41160e2743facbdd73dbaafaee41a2785fa798
-
SHA256
2ead13296e90b2e3683fd3a219857a61c20edc17e7714392a94ba4a13a042164
-
SHA512
69203ebab522c44c4bac83a8a1a01c3054000729fd2d925a7f6d54c7f3fd002623739acbda0a722d18a10011f102c19a44f193a73f3b68e269243a89012d29a0
-
SSDEEP
384:XoWtkEwn65rgjAsGipk55D16xgXakhbZD0mRvR6JZlbw8hqIusZzZMj:w7O89p2rRpcnup
Malware Config
Extracted
-
Family
njrat
-
Version
0.7d
-
Botnet
hacked
-
C2
momodz.no-ip.biz:1177
-
Mutex
a1fe58e271392148d9447041084cdb09
-
reg_key
a1fe58e271392148d9447041084cdb09
-
splitter
|'|'|
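How the extracted splitter and C2 are used on the wire, as an added example that is not part of the sandbox report and not njRAT's own code. It assumes the njRAT 0.7d framing described in public analyses of the 0.7d source (decimal payload length, a NUL byte, then the payload, with fields joined by the splitter) and the "ll" registration opcode; the beacon contents and the stream buffer are constructed, not captured traffic. The point for a network signature is that the splitter plus a short opcode is the stable part of every message, while the framing decoder has to cope with two frames in one read and with a frame cut across reads.

```python
"""njRAT 0.7d C2 framing and field splitting, using the extracted splitter.

Added example: not part of the sandbox report and not njRAT's own code.
Assumptions: the 0.7d implant sends every message as the decimal byte
length of the payload, a NUL byte, then the payload; payload fields are
joined with the splitter |'|'| from the config; the first message after
connecting begins with the "ll" registration opcode. SAMPLE_STREAM is
constructed, not captured traffic.
"""
SPLITTER = b"|'|'|"                    # from the extracted config
C2 = ("momodz.no-ip.biz", 1177)        # from the extracted config
REGISTER_OPCODE = b"ll"                # assumed 0.7d registration opcode


def frame(payload: bytes) -> bytes:
    """Encode one message as "<len>\\x00<payload>"."""
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def unframe(buf: bytes):
    """Pull complete messages off a TCP stream buffer.

    Returns (messages, remainder). The remainder is an incomplete trailing
    frame the caller keeps for the next read. Raises ValueError if the bytes
    at the head of the buffer are not a decimal length prefix, i.e. the
    stream is not njRAT framing at all.
    """
    messages = []
    while buf:
        nul = buf.find(b"\x00")
        if nul == -1:
            break                      # length prefix not complete yet
        prefix = buf[:nul]
        if not prefix.isdigit():
            raise ValueError(f"not njRAT framing: {prefix!r}")
        end = nul + 1 + int(prefix)
        if len(buf) < end:
            break                      # partial frame: wait for more bytes
        messages.append(buf[nul + 1:end])
        buf = buf[end:]
    return messages, buf


def split_fields(payload: bytes, splitter: bytes = SPLITTER):
    """Split a payload into its fields; the first field is the command opcode."""
    return payload.split(splitter)


def is_njrat_message(payload: bytes, splitter: bytes = SPLITTER) -> bool:
    """Signature heuristic: short alphanumeric opcode, then the splitter, then data."""
    fields = split_fields(payload, splitter)
    return len(fields) >= 2 and 0 < len(fields[0]) <= 4 and fields[0].isalnum()


def is_registration(payload: bytes) -> bool:
    return is_njrat_message(payload) and split_fields(payload)[0] == REGISTER_OPCODE


# Constructed beacon: opcode, then placeholder fields (real beacons carry a
# base64 victim id, hostname, user and more; their exact layout is not assumed here).
SAMPLE_BEACON = SPLITTER.join([REGISTER_OPCODE, b"SGFjS2Vk", b"WIN7-PC", b"Admin"])
# Two complete frames followed by the start of a third, as one TCP read might deliver them.
SAMPLE_STREAM = frame(SAMPLE_BEACON) + frame(b"P") + b"5\x00ab"

if __name__ == "__main__":
    msgs, rest = unframe(SAMPLE_STREAM)
    for m in msgs:
        print("registration" if is_registration(m) else "other", split_fields(m))
    print("buffered for next read:", rest)
```

Feed the output of `unframe` into `is_njrat_message` per message rather than matching the splitter anywhere in a TCP segment; the length prefix is what lets a sensor tell a real field boundary from the same five bytes appearing inside file-transfer data.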
Signatures
-
Executes dropped EXE (1 IoC)
Processes:
PID 960 server.exe
-
Modifies Windows Firewall (1 TTP, 1 IoC)
Processes:
PID 840 netsh.exe, spawned by PID 960 server.exe (command line under Processes below)
-
Drops startup file (2 IoCs)
Processes:
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a1fe58e271392148d9447041084cdb09.exe (server.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a1fe58e271392148d9447041084cdb09.exe (server.exe)
The file name is the 32-hex reg_key from the extracted config; this copy gives per-user persistence that does not depend on either Run key.
-
Loads dropped DLL (1 IoC)
Processes:
PID 1412 2ead13296e90b2e3683fd3a219857a61c20edc17e7714392a94ba4a13a042164.exe
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\a1fe58e271392148d9447041084cdb09 = "C:\Users\Admin\AppData\Local\Temp\server.exe" .. (server.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\a1fe58e271392148d9447041084cdb09 = "C:\Users\Admin\AppData\Local\Temp\server.exe" .. (server.exe)
Both values use the reg_key as the value name and point at the %TEMP% copy with njRAT's characteristic trailing " .." argument; that suffix is a reliable hunting string. The machine-wide key sits under Wow6432Node because the implant is a 32-bit process on x64 (it also launched SysWOW64\netsh.exe); writing it needs administrative rights, so on a standard-user host only the HKCU value and the Startup-folder copy would survive.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature adds "likely ransomware behaviour"; for this sample the trigger is njRAT enumerating drives (its file manager and optional USB-spread feature), and nothing recorded above shows files being modified outside %TEMP% and the Startup folder.
-
Suspicious use of AdjustPrivilegeToken (19 IoCs)
Processes:
server.exe (PID 960): SeDebugPrivilege once, then nine repetitions of the pair Token 33 / SeIncBasePriorityPrivilege. "33" is a privilege LUID the sandbox did not resolve to a name; in the standard Windows privilege table LUID 33 is SeIncreaseWorkingSetPrivilege.
-
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
PID 1412 (2ead13296e90b2e3683fd3a219857a61c20edc17e7714392a94ba4a13a042164.exe) wrote to memory of PID 960 (server.exe), 4 times
PID 960 (server.exe) wrote to memory of PID 840 (netsh.exe), 4 times
Both targets are the writer's own freshly created children, and netsh.exe then runs its normal command line, so these writes are consistent with CreateProcess populating the child's startup parameters rather than injection into an unrelated process.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2ead13296e90b2e3683fd3a219857a61c20edc17e7714392a94ba4a13a042164.exe (PID 1412, depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\2ead13296e90b2e3683fd3a219857a61c20edc17e7714392a94ba4a13a042164.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\server.exe (PID 960, depth 2, child of PID 1412)
Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe (PID 840, depth 3, child of PID 960)
Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
- Modifies Windows Firewall
The chain is: the submitted file writes a copy of itself to %TEMP%\server.exe and runs it; the copy installs persistence and then has netsh add an inbound firewall exception for itself (outbound connections to the C2 need no exception). "netsh firewall" is the legacy XP/2003 context: Windows 7 honours it as shown, and Windows 10 still executes it while printing a deprecation notice pointing to "netsh advfirewall firewall", so detection content should match both syntaxes. The SysWOW64 path confirms a 32-bit implant on the x64 image.
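Turning the process tree, Run keys and Startup-folder drop above into host-telemetry detections, as an added example that is not part of the sandbox report and not any vendor's rule set. It runs three rules over Sysmon-style events (ID 1 process create, ID 13 registry value set, ID 11 file create) held as plain dicts; the EVENTS list is constructed from this report's IoCs plus benign look-alikes, and the field names follow Sysmon's but the records are not real logs. The firewall rule covers both the legacy "netsh firewall add allowedprogram" form used here and the current "netsh advfirewall firewall add rule" form, and the Run-key rule deliberately needs a strong trait (the trailing " .." or a 32-hex value name) because an AppData path alone would fire on OneDrive and similar per-user installs.

```python
"""Detection rules for the persistence and firewall changes in the process tree above.

Added example: not part of the sandbox report and not any vendor's code. It
runs three rules over Sysmon-style events (ID 1 process create, ID 13
registry value set, ID 11 file create) held as dicts. EVENTS is constructed
from the report's IoCs plus benign look-alikes; field names follow Sysmon's
but these are not real log records.
"""
import re

USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Legacy "netsh firewall" (what this sample uses; Windows 10 still accepts it
# with a deprecation notice) and the current "netsh advfirewall" syntax.
FIREWALL_ALLOW = re.compile(
    r"netsh(\.exe)?\s+(firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)", re.I)


def rule_firewall_allow(ev):
    """netsh opening a firewall exception for a program in a user-writable path."""
    if ev["EventID"] != 1 or not ev["Image"].lower().endswith("netsh.exe"):
        return None
    cl = ev["CommandLine"]
    if not FIREWALL_ALLOW.search(cl):
        return None
    paths = re.findall(r'"([^"]+)"', cl) + re.findall(r"program=(\S+)", cl, re.I)
    reasons = []
    if any(USER_WRITABLE.search(p) for p in paths):
        reasons.append("firewall exception for program in user-writable path")
    if USER_WRITABLE.search(ev.get("ParentImage", "")):
        reasons.append("netsh spawned by process in user-writable path")
    return reasons or None


def rule_run_key(ev):
    """Run-key value with njRAT traits; path alone is too noisy (OneDrive etc. live in AppData)."""
    if ev["EventID"] != 13 or not RUN_KEY.search(ev["TargetObject"]):
        return None
    name = ev["TargetObject"].rsplit("\\", 1)[-1]
    data = ev["Details"].strip()
    reasons = []
    if data.endswith('" ..'):
        reasons.append('njRAT-style trailing " .." argument')
    if HEX32.match(name):
        reasons.append("32-hex value name")
    if reasons and USER_WRITABLE.search(data):
        reasons.append("target in user-writable path")
    return reasons or None


def rule_startup_file(ev):
    """Executable written into a Startup folder."""
    if ev["EventID"] != 11 or not STARTUP_DIR.search(ev["TargetFilename"]):
        return None
    name = ev["TargetFilename"].rsplit("\\", 1)[-1]
    if not name.lower().endswith(".exe"):
        return None
    reasons = ["executable dropped into Startup folder"]
    if HEX32.match(name[:-4]):
        reasons.append("32-hex file name")
    return reasons


RULES = (rule_firewall_allow, rule_run_key, rule_startup_file)


def detect(events):
    """Return (rule name, ProcessId, reasons) for every event a rule fires on."""
    findings = []
    for ev in events:
        for rule in RULES:
            reasons = rule(ev)
            if reasons:
                findings.append((rule.__name__, ev.get("ProcessId"), reasons))
    return findings


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
KEY = "a1fe58e271392148d9447041084cdb09"
EVENTS = [  # constructed from the report's IoCs
    {"EventID": 1, "ProcessId": 840, "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "ParentImage": TEMP + r"\server.exe",
     "CommandLine": f'netsh firewall add allowedprogram "{TEMP}\\server.exe" "server.exe" ENABLE'},
    {"EventID": 13, "ProcessId": 960, "Details": f'"{TEMP}\\server.exe" ..',
     "TargetObject": r"HKU\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run" + "\\" + KEY},
    {"EventID": 13, "ProcessId": 960, "Details": f'"{TEMP}\\server.exe" ..',
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" + "\\" + KEY},
    {"EventID": 11, "ProcessId": 960,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" + "\\" + KEY + ".exe"},
    # benign look-alikes (constructed) that must not fire
    {"EventID": 1, "ProcessId": 1200, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "netsh advfirewall show allprofiles"},
    {"EventID": 1, "ProcessId": 1300, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Program Files\Foo\setup.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="Foo" dir=in action=allow program="C:\Program Files\Foo\foo.exe"'},
    {"EventID": 13, "ProcessId": 1400, "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]

if __name__ == "__main__":
    for name, pid, reasons in detect(EVENTS):
        print(f"{name:20} pid={pid}: " + "; ".join(reasons))
```

Run as-is it reports four findings, all on PIDs 840 and 960, and nothing for the three benign events; in a real pipeline the dict fields map one-to-one onto the Sysmon XML fields of the same names.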
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\server.exe (also recorded as \Users\Admin\AppData\Local\Temp\server.exe)
Filesize
23KB
MD5
575adc1e4c148afe397d3695759ce440
SHA1
0b41160e2743facbdd73dbaafaee41a2785fa798
SHA256
2ead13296e90b2e3683fd3a219857a61c20edc17e7714392a94ba4a13a042164
SHA512
69203ebab522c44c4bac83a8a1a01c3054000729fd2d925a7f6d54c7f3fd002623739acbda0a722d18a10011f102c19a44f193a73f3b68e269243a89012d29a0
Every hash matches the submitted sample: the dropped server.exe is a byte-for-byte copy of 2ead13296e90b2e3683fd3a219857a61c20edc17e7714392a94ba4a13a042164.exe, not a separately unpacked payload, so one file hash covers both artefacts.
-
memory/840-63-0x0000000000000000-mapping.dmp (PID 840 netsh.exe)
-
memory/960-57-0x0000000000000000-mapping.dmp (PID 960 server.exe)
-
memory/960-62-0x00000000741C0000-0x000000007476B000-memory.dmp, 5.7MB (PID 960)
-
memory/960-65-0x00000000741C0000-0x000000007476B000-memory.dmp, 5.7MB (PID 960)
-
memory/1412-54-0x0000000075771000-0x0000000075773000-memory.dmp, 8KB (PID 1412)
-
memory/1412-55-0x00000000741C0000-0x000000007476B000-memory.dmp, 5.7MB (PID 1412)
-
memory/1412-61-0x00000000741C0000-0x000000007476B000-memory.dmp, 5.7MB (PID 1412)
The 5.7MB region 0x741C0000-0x000000007476B000 is dumped from both PID 1412 and PID 960 at the same address, consistent with a shared module mapped into both processes.