Analysis
max time kernel: 150s
max time network: 155s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 01-10-2022 20:21
Static task: static1
Behavioral task: behavioral1
  Sample: 7c33f0d59d53070824a3ce5839e6c64271599de87270139bbeab275b8f753f0e.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 7c33f0d59d53070824a3ce5839e6c64271599de87270139bbeab275b8f753f0e.exe
  Resource: win10v2004-20220812-en
General
Target: 7c33f0d59d53070824a3ce5839e6c64271599de87270139bbeab275b8f753f0e.exe
Size: 150KB
MD5: 61a3e0eb6a7223a1efc176204a0b9590
SHA1: acbb10fe3b27146bbb6098cc6332f2d6f487c485
SHA256: 7c33f0d59d53070824a3ce5839e6c64271599de87270139bbeab275b8f753f0e
SHA512: 9b82a609625bd608d9aa226d12bbd0dffd04be1f392d67a6b87ebb3d76e445ee911ac8d35c702abf5a5610edb58878a4b4e4811969f0b0907bd4b29d1aca211e
SSDEEP: 3072:JwLhY6pJZF4hz5UeR2djsZCgcxXJjX6wAfonA5B5zwEjoh8s:JMYcteR25RDjX6G20f
Malware Config
Extracted: njrat
0.7d
HacKed
hosny20.no-ip.info:5552
c1d096768422c2046b26ba3578e04398
reg_key: c1d096768422c2046b26ba3578e04398
splitter: |'|'|
Signatures

Executes dropped EXE (1 IoCs)
Processes: server.exe
  pid   process
  1156  server.exe

Modifies Windows Firewall (1 TTPs, 1 IoCs)

Drops startup file (2 IoCs)
Processes: server.exe
  description                   ioc                                                                                                process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c1d096768422c2046b26ba3578e04398.exe   server.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c1d096768422c2046b26ba3578e04398.exe   server.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: server.exe
  description      ioc                                                                                                                                                                              process
  Set value (str)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\c1d096768422c2046b26ba3578e04398 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."   server.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c1d096768422c2046b26ba3578e04398 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."                                           server.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (19 IoCs)
Processes: server.exe
  description                         pid   process
  Token: SeDebugPrivilege             1156  server.exe
  Token: 33                           1156  server.exe
  Token: SeIncBasePriorityPrivilege   1156  server.exe
  Token: 33                           1156  server.exe
  Token: SeIncBasePriorityPrivilege   1156  server.exe
  Token: 33                           1156  server.exe
  Token: SeIncBasePriorityPrivilege   1156  server.exe
  Token: 33                           1156  server.exe
  Token: SeIncBasePriorityPrivilege   1156  server.exe
  Token: 33                           1156  server.exe
  Token: SeIncBasePriorityPrivilege   1156  server.exe
  Token: 33                           1156  server.exe
  Token: SeIncBasePriorityPrivilege   1156  server.exe
  Token: 33                           1156  server.exe
  Token: SeIncBasePriorityPrivilege   1156  server.exe
  Token: 33                           1156  server.exe
  Token: SeIncBasePriorityPrivilege   1156  server.exe
  Token: 33                           1156  server.exe
  Token: SeIncBasePriorityPrivilege   1156  server.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 7c33f0d59d53070824a3ce5839e6c64271599de87270139bbeab275b8f753f0e.exe, server.exe
  description                     pid   process                                                                   target process
  PID 1448 wrote to memory of 1156   1448  7c33f0d59d53070824a3ce5839e6c64271599de87270139bbeab275b8f753f0e.exe   server.exe
  PID 1448 wrote to memory of 1156   1448  7c33f0d59d53070824a3ce5839e6c64271599de87270139bbeab275b8f753f0e.exe   server.exe
  PID 1448 wrote to memory of 1156   1448  7c33f0d59d53070824a3ce5839e6c64271599de87270139bbeab275b8f753f0e.exe   server.exe
  PID 1156 wrote to memory of 1152   1156  server.exe                                                                netsh.exe
  PID 1156 wrote to memory of 1152   1156  server.exe                                                                netsh.exe
  PID 1156 wrote to memory of 1152   1156  server.exe                                                                netsh.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\7c33f0d59d53070824a3ce5839e6c64271599de87270139bbeab275b8f753f0e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7c33f0d59d53070824a3ce5839e6c64271599de87270139bbeab275b8f753f0e.exe"
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\server.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 150KB
  MD5: 61a3e0eb6a7223a1efc176204a0b9590
  SHA1: acbb10fe3b27146bbb6098cc6332f2d6f487c485
  SHA256: 7c33f0d59d53070824a3ce5839e6c64271599de87270139bbeab275b8f753f0e
  SHA512: 9b82a609625bd608d9aa226d12bbd0dffd04be1f392d67a6b87ebb3d76e445ee911ac8d35c702abf5a5610edb58878a4b4e4811969f0b0907bd4b29d1aca211e
memory/1152-64-0x0000000000000000-mapping.dmp
memory/1156-60-0x0000000000000000-mapping.dmp
memory/1156-63-0x0000000000F80000-0x0000000000FAA000-memory.dmp (Filesize: 168KB)
memory/1448-54-0x0000000000200000-0x000000000022A000-memory.dmp (Filesize: 168KB)
memory/1448-55-0x0000000000410000-0x0000000000420000-memory.dmp (Filesize: 64KB)
memory/1448-56-0x0000000000430000-0x0000000000444000-memory.dmp (Filesize: 80KB)
memory/1448-57-0x0000000000440000-0x000000000044A000-memory.dmp (Filesize: 40KB)
memory/1448-58-0x0000000000450000-0x000000000045E000-memory.dmp (Filesize: 56KB)
memory/1448-59-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp (Filesize: 8KB)