Analysis
- max time kernel: 150s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 01-10-2022 22:56
Static task: static1
Behavioral task: behavioral1
- Sample: 2ceffe5d0a3e81b724c80484791364a1bd676a72ae1bbc4edebaed04dccdbb60.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: 2ceffe5d0a3e81b724c80484791364a1bd676a72ae1bbc4edebaed04dccdbb60.exe
- Resource: win10v2004-20220812-en
General
- Target: 2ceffe5d0a3e81b724c80484791364a1bd676a72ae1bbc4edebaed04dccdbb60.exe
- Size: 41KB
- MD5: 6174b0640d9954f49f4e1752575073d0
- SHA1: 9d906ca323f0ceed91c348ee1e815faaa15f3d81
- SHA256: 2ceffe5d0a3e81b724c80484791364a1bd676a72ae1bbc4edebaed04dccdbb60
- SHA512: 8d6821e6453ea2c9fc028b637782e385b78c0b3af99c37aa2f13c6eb6a1bffc160d75ff5b3f6dd7a4a308f045af46e07ce749301dc6efcf9ddb7df01f99158b7
- SSDEEP: 768:jXxdX64kYewwUtH1IVOYgLdBLXTijktmbGBHEqNCzhoLN8ax:/4YCeIVOYg7Kg0iBHEq4iyU
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: 127.0.0.1:5552
- Mutex: 279f6960ed84a752570aca7fb2dc1552
- reg_key: 279f6960ed84a752570aca7fb2dc1552
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  pid 860: server.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: server.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\279f6960ed84a752570aca7fb2dc1552 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." (process: server.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\279f6960ed84a752570aca7fb2dc1552 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." (process: server.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Processes: server.exe (pid 860)
  Token: SeDebugPrivilege (pid 860, server.exe)
  Token: 33 (pid 860, server.exe), repeated 9 times
  Token: SeIncBasePriorityPrivilege (pid 860, server.exe), repeated 9 times
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 2ceffe5d0a3e81b724c80484791364a1bd676a72ae1bbc4edebaed04dccdbb60.exe, server.exe
  PID 1048 wrote to memory of 860 (2ceffe5d0a3e81b724c80484791364a1bd676a72ae1bbc4edebaed04dccdbb60.exe -> server.exe), 3 times
  PID 860 wrote to memory of 1464 (server.exe -> netsh.exe), 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\2ceffe5d0a3e81b724c80484791364a1bd676a72ae1bbc4edebaed04dccdbb60.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2ceffe5d0a3e81b724c80484791364a1bd676a72ae1bbc4edebaed04dccdbb60.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\server.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 41KB
  MD5: 6174b0640d9954f49f4e1752575073d0
  SHA1: 9d906ca323f0ceed91c348ee1e815faaa15f3d81
  SHA256: 2ceffe5d0a3e81b724c80484791364a1bd676a72ae1bbc4edebaed04dccdbb60
  SHA512: 8d6821e6453ea2c9fc028b637782e385b78c0b3af99c37aa2f13c6eb6a1bffc160d75ff5b3f6dd7a4a308f045af46e07ce749301dc6efcf9ddb7df01f99158b7
-
- memory/860-65-0x0000000000000000-mapping.dmp
- memory/860-68-0x00000000011F0000-0x0000000001200000-memory.dmp (Filesize: 64KB)
- memory/1048-58-0x0000000000400000-0x000000000040E000-memory.dmp (Filesize: 56KB)
- memory/1048-59-0x0000000000410000-0x000000000041C000-memory.dmp (Filesize: 48KB)
- memory/1048-60-0x0000000000420000-0x000000000042C000-memory.dmp (Filesize: 48KB)
- memory/1048-61-0x0000000000430000-0x000000000043C000-memory.dmp (Filesize: 48KB)
- memory/1048-62-0x0000000000440000-0x000000000044A000-memory.dmp (Filesize: 40KB)
- memory/1048-63-0x0000000000460000-0x000000000046C000-memory.dmp (Filesize: 48KB)
- memory/1048-64-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp (Filesize: 8KB)
- memory/1048-54-0x0000000001040000-0x0000000001050000-memory.dmp (Filesize: 64KB)
- memory/1048-57-0x00000000003F0000-0x00000000003FE000-memory.dmp (Filesize: 56KB)
- memory/1048-56-0x0000000000260000-0x0000000000270000-memory.dmp (Filesize: 64KB)
- memory/1048-55-0x0000000000250000-0x0000000000260000-memory.dmp (Filesize: 64KB)
- memory/1464-69-0x0000000000000000-mapping.dmp