Analysis
max time kernel: 153s
max time network: 47s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 02-10-2022 15:25
Behavioral task: behavioral1
Sample: 7a6e47ba86c26f2a90690a6cf5f5b9ff26f05133e508b5c0965aa2376113732c.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 7a6e47ba86c26f2a90690a6cf5f5b9ff26f05133e508b5c0965aa2376113732c.exe
Resource: win10v2004-20220812-en
General
Target: 7a6e47ba86c26f2a90690a6cf5f5b9ff26f05133e508b5c0965aa2376113732c.exe
Size: 23KB
MD5: 65a4f6bad50e6e1961c2bb48a1d80710
SHA1: 3099ec5f609a71ca0299a90d40da9cac7436d922
SHA256: 7a6e47ba86c26f2a90690a6cf5f5b9ff26f05133e508b5c0965aa2376113732c
SHA512: ce7b7240b100b9c5b281a8bb6851b52e78877351b148f3138e095858b3d641f71c3b60deb7fa384d96131fc95a523d329d001d79abdd69380f3f51910c84927e
SSDEEP: 384:DQeCo2zmZbQHkJeCdUwrvQ61gjuQBnB9mRvR6JZlbw8hqIusZzZMt:U5yBVd5Rpcnuv
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: HacKed
C2: aboodydody.no-ip.biz:1177
Mutex: 2a05e2d1c9f43ec415f6709789b4a9b2
Attributes:
reg_key: 2a05e2d1c9f43ec415f6709789b4a9b2
splitter: |'|'|
Signatures

Executes dropped EXE (1 IoCs)
Processes (pid, process):
1456 server.exe

Modifies Windows Firewall (1 TTPs, 1 IoCs)

Loads dropped DLL (1 IoCs)
Processes (pid, process):
1932 7a6e47ba86c26f2a90690a6cf5f5b9ff26f05133e508b5c0965aa2376113732c.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description, ioc, process):
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\2a05e2d1c9f43ec415f6709789b4a9b2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\2a05e2d1c9f43ec415f6709789b4a9b2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (19 IoCs)
Processes (description, pid, process):
Token: SeDebugPrivilege 1456 server.exe
Token: 33 1456 server.exe
Token: SeIncBasePriorityPrivilege 1456 server.exe
(the preceding pair, Token: 33 followed by Token: SeIncBasePriorityPrivilege, is reported 9 times for pid 1456 server.exe, 19 token events in total)

Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description, pid, process, target process):
PID 1932 wrote to memory of 1456 1932 7a6e47ba86c26f2a90690a6cf5f5b9ff26f05133e508b5c0965aa2376113732c.exe server.exe (reported 4 times)
PID 1456 wrote to memory of 1064 1456 server.exe netsh.exe (reported 4 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\7a6e47ba86c26f2a90690a6cf5f5b9ff26f05133e508b5c0965aa2376113732c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7a6e47ba86c26f2a90690a6cf5f5b9ff26f05133e508b5c0965aa2376113732c.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\server.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize: 23KB
MD5: 65a4f6bad50e6e1961c2bb48a1d80710
SHA1: 3099ec5f609a71ca0299a90d40da9cac7436d922
SHA256: 7a6e47ba86c26f2a90690a6cf5f5b9ff26f05133e508b5c0965aa2376113732c
SHA512: ce7b7240b100b9c5b281a8bb6851b52e78877351b148f3138e095858b3d641f71c3b60deb7fa384d96131fc95a523d329d001d79abdd69380f3f51910c84927e

\Users\Admin\AppData\Local\Temp\server.exe
Filesize: 23KB
MD5: 65a4f6bad50e6e1961c2bb48a1d80710
SHA1: 3099ec5f609a71ca0299a90d40da9cac7436d922
SHA256: 7a6e47ba86c26f2a90690a6cf5f5b9ff26f05133e508b5c0965aa2376113732c
SHA512: ce7b7240b100b9c5b281a8bb6851b52e78877351b148f3138e095858b3d641f71c3b60deb7fa384d96131fc95a523d329d001d79abdd69380f3f51910c84927e

memory/1064-63-0x0000000000000000-mapping.dmp

memory/1456-57-0x0000000000000000-mapping.dmp

memory/1456-62-0x0000000074340000-0x00000000748EB000-memory.dmp
Filesize: 5.7MB

memory/1456-65-0x0000000074340000-0x00000000748EB000-memory.dmp
Filesize: 5.7MB

memory/1932-54-0x0000000075981000-0x0000000075983000-memory.dmp
Filesize: 8KB

memory/1932-55-0x0000000074340000-0x00000000748EB000-memory.dmp
Filesize: 5.7MB

memory/1932-61-0x0000000074340000-0x00000000748EB000-memory.dmp
Filesize: 5.7MB