Analysis
-
max time kernel
150s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system -
submitted
03-10-2022 00:48
Behavioral task
behavioral1
Sample
b1a3c81101a64476b401a8889c4a2280a5a4e591bb4e5d184074934fade23c48.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
b1a3c81101a64476b401a8889c4a2280a5a4e591bb4e5d184074934fade23c48.exe
Resource
win10v2004-20220812-en
General
-
Target
b1a3c81101a64476b401a8889c4a2280a5a4e591bb4e5d184074934fade23c48.exe
-
Size
194KB
-
MD5
67ca864acaba6a7e02502538cc497760
-
SHA1
3cb2eaa09e9ae1ae64451fe7745d83118cfcdd6d
-
SHA256
b1a3c81101a64476b401a8889c4a2280a5a4e591bb4e5d184074934fade23c48
-
SHA512
2b32bcf490129f4e7a92987f6775b45fbab74377ed57d7d89a38136026459063df0ed43ef38da72610ecff3733a88ce144f3713391ea1278114729241f847244
-
SSDEEP
1536:jfIshKRWuWIzbouo8I0JyT3zYX9j1oJYVyyT:jIs808ouoh0YTDy9j1o
Malware Config
Extracted
Family
njrat
Version
0.7d
Botnet
HacKed
C2
chromehost.ddns.net:200
Mutex
c96ffc7155e33bdb2e471b2aad6e0049
-
reg_key
c96ffc7155e33bdb2e471b2aad6e0049
-
splitter
|'|'|
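The extracted config gives the two values a network analyst needs to recognise this RAT's traffic: the field splitter |'|'| and the C2 endpoint. The following is an added example, not code from the sandbox report or from njRAT itself. The only values taken from the report are the splitter and chromehost.ddns.net:200; the frame layout (ASCII decimal length, a NUL byte, then the payload), the "ll" registration command with its base64-encoded victim identifier, and the short command list follow public njRAT write-ups and are assumptions here. SAMPLE_PAYLOAD is constructed and was not captured from this sample.

```python
"""njRAT 0.7d-style C2 framing and beacon parsing (added example).

Not code from the sandbox report or from njRAT. Only the splitter and the C2
endpoint come from the report; the framing, the 'll' command, the base64
victim id and KNOWN_COMMANDS are assumptions based on public write-ups.
"""
import base64
import binascii
from typing import Optional, Tuple

SPLITTER = b"|'|'|"                              # extracted config: splitter
C2_HOST, C2_PORT = "chromehost.ddns.net", 200    # extracted config: c2

# A few command words seen in public njRAT analyses (assumption, not exhaustive).
KNOWN_COMMANDS = {b"ll", b"inf", b"kl", b"CAP", b"proc", b"ret"}


def build_frame(payload: bytes) -> bytes:
    """Wrap a payload in the assumed '<decimal length>\\x00<payload>' frame."""
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_frame(buf: bytes) -> Tuple[Optional[bytes], bytes]:
    """Pull one complete frame off the front of a stream buffer.

    Returns (payload, remaining_bytes). payload is None and the buffer is
    returned untouched when no complete frame is present yet, so the caller
    can keep appending TCP data and retry.
    """
    sep = buf.find(b"\x00")
    if sep <= 0 or not buf[:sep].isdigit():
        return None, buf
    length = int(buf[:sep])
    body = buf[sep + 1:]
    if len(body) < length:
        return None, buf
    return body[:length], body[length:]


def parse_beacon(payload: bytes) -> dict:
    """Split a payload on the configured splitter and decode 'll' beacon fields."""
    fields = payload.split(SPLITTER)
    info = {
        "command": fields[0].decode("ascii", errors="replace"),
        "field_count": len(fields),
        "victim_id": None,
        "botnet": None,
    }
    if fields[0] == b"ll" and len(fields) > 1:
        try:
            victim = base64.b64decode(fields[1], validate=True).decode("utf-8", errors="replace")
        except (binascii.Error, ValueError):
            return info                      # malformed id: keep the command only
        info["victim_id"] = victim
        # The victim id is prefixed with the botnet/campaign name ("HacKed" here).
        info["botnet"] = victim.split("_", 1)[0]
    return info


def is_njrat_like(buf: bytes) -> bool:
    """Cheap stream classifier: well-formed frame, splitter present, known command."""
    payload, _ = parse_frame(buf)
    if payload is None or SPLITTER not in payload:
        return False
    return payload.split(SPLITTER, 1)[0] in KNOWN_COMMANDS


# Constructed beacon in the style of an njRAT 0.7d registration message.
SAMPLE_PAYLOAD = SPLITTER.join([
    b"ll",
    base64.b64encode(b"HacKed_12345678"),   # botnet name + victim serial (constructed)
    b"ADMIN-PC",
    b"Admin",
    b"22-10-03",
    b"",
    b"Win 7 Ultimate SP1 x64",
    b"No",
    b"0.7d",
    b"..",
])

if __name__ == "__main__":
    frame = build_frame(SAMPLE_PAYLOAD)
    print(f"frame for {C2_HOST}:{C2_PORT}:", frame[:40], "...")
    print(parse_beacon(parse_frame(frame)[0]))
```

The splitter is the most stable thing to key a network signature on: operators change the botnet name, host and port per build, but the delimiter is compiled into the 0.7d family. Treat the decimal-length framing as a sanity check rather than a hard rule, since the parser above is an assumption and should be validated against a real capture before it drives alerting.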
Signatures
-
Executes dropped EXE 1 IoCs
Processes: server.exe
pid 1400  process server.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Drops startup file 2 IoCs
Processes: server.exe
description: File created
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c96ffc7155e33bdb2e471b2aad6e0049.exe
process: server.exe
description: File opened for modification
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c96ffc7155e33bdb2e471b2aad6e0049.exe
process: server.exe -
Loads dropped DLL 1 IoCs
Processes: b1a3c81101a64476b401a8889c4a2280a5a4e591bb4e5d184074934fade23c48.exe
pid 1504  process b1a3c81101a64476b401a8889c4a2280a5a4e591bb4e5d184074934fade23c48.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes: server.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\c96ffc7155e33bdb2e471b2aad6e0049 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .."
process: server.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\c96ffc7155e33bdb2e471b2aad6e0049 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .."
process: server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this as likely ransomware behaviour; for an njRAT sample it is consistent with the RAT's removable-drive spreading option rather than file encryption, and nothing else in this report (no mass file modification, no ransom note) supports a ransomware reading.
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
Processes: server.exe
description: Token: SeDebugPrivilege  pid: 1400  process: server.exe  (1 time)
description: Token: 33  pid: 1400  process: server.exe  (8 times)
description: Token: SeIncBasePriorityPrivilege  pid: 1400  process: server.exe  (8 times, alternating with Token: 33) -
Suspicious use of WriteProcessMemory 8 IoCs
Processes: b1a3c81101a64476b401a8889c4a2280a5a4e591bb4e5d184074934fade23c48.exe, server.exe
description: PID 1504 wrote to memory of 1400  process: b1a3c81101a64476b401a8889c4a2280a5a4e591bb4e5d184074934fade23c48.exe  target process: server.exe  (4 times)
description: PID 1400 wrote to memory of 2040  process: server.exe  target process: netsh.exe  (4 times)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\b1a3c81101a64476b401a8889c4a2280a5a4e591bb4e5d184074934fade23c48.exe (PID 1504)
   Command line: "C:\Users\Admin\AppData\Local\Temp\b1a3c81101a64476b401a8889c4a2280a5a4e591bb4e5d184074934fade23c48.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\server.exe (PID 1400, child of 1)
      Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (PID 2040, child of 2)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
         - Modifies Windows Firewall
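The process tree and the signatures above give three host artefacts that are cheap to alert on: a netsh firewall exception for a binary under the user profile, a Run value whose data ends in " ..", and a Startup-folder EXE named by the same 32-hex id that names the Run value (the reg_key in the extracted config). The script below is an added example, not code from the sandbox or from njRAT; the event records are constructed to mirror this report's IoCs and are not a real Sysmon or EDR export, and the field names ("type", "image", "target", "details", "cmdline") are this example's own convention.

```python
"""Host-side detection of this report's persistence and firewall IoCs (added example).

Not code from the sandbox report. EVENTS is constructed to mirror the report;
the record layout is this example's own convention, not a Sysmon/EDR schema.
"""
import re
from typing import Dict, List, Set

# Rules derived from the report's IoCs:
#  - netsh adding a firewall exception for a binary under the user's profile
#  - a Run value whose data ends in ' ..' (how this sample registers itself;
#    a useful njRAT marker)
#  - an EXE in the Startup folder named by a 32-hex id, the same id that
#    names the Run value
NETSH_ALLOW = re.compile(r'netsh\s+firewall\s+add\s+allowedprogram\s+"([^"]+)"', re.I)
USER_PROFILE_BIN = re.compile(r"\\AppData\\(Roaming|Local)\\", re.I)
RUN_VALUE = re.compile(r"\\CurrentVersion\\Run\\([0-9a-f]{32})$", re.I)
STARTUP_EXE = re.compile(r"\\Start Menu\\Programs\\Startup\\([0-9a-f]{32})\.exe$", re.I)

EVENTS: List[Dict[str, str]] = [  # constructed; mirrors the report's process tree
    {"type": "ProcessCreate",
     "image": r"C:\Windows\SysWOW64\netsh.exe",
     "parent": r"C:\Users\Admin\AppData\Roaming\server.exe",
     "cmdline": 'netsh firewall add allowedprogram "C:\\Users\\Admin\\AppData\\Roaming\\server.exe" "server.exe" ENABLE'},
    {"type": "RegistrySetValue",
     "image": r"C:\Users\Admin\AppData\Roaming\server.exe",
     "target": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\c96ffc7155e33bdb2e471b2aad6e0049",
     "details": '"C:\\Users\\Admin\\AppData\\Roaming\\server.exe" ..'},
    {"type": "RegistrySetValue",
     "image": r"C:\Users\Admin\AppData\Roaming\server.exe",
     "target": r"HKU\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\c96ffc7155e33bdb2e471b2aad6e0049",
     "details": '"C:\\Users\\Admin\\AppData\\Roaming\\server.exe" ..'},
    {"type": "FileCreate",
     "image": r"C:\Users\Admin\AppData\Roaming\server.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c96ffc7155e33bdb2e471b2aad6e0049.exe"},
    {"type": "ProcessCreate",  # benign control: an admin querying firewall state
     "image": r"C:\Windows\System32\netsh.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "netsh advfirewall show allprofiles"},
]


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one event (empty list if benign)."""
    findings: List[str] = []
    kind = ev["type"]
    if kind == "ProcessCreate":
        m = NETSH_ALLOW.search(ev.get("cmdline", ""))
        if m and USER_PROFILE_BIN.search(m.group(1)):
            findings.append(f"firewall exception added for user-profile binary {m.group(1)}")
    elif kind == "RegistrySetValue":
        m = RUN_VALUE.search(ev.get("target", ""))
        if m and ev.get("details", "").rstrip().endswith(" .."):
            findings.append(f"Run value {m.group(1)} with njRAT-style ' ..' suffix")
    elif kind == "FileCreate":
        m = STARTUP_EXE.search(ev.get("target", ""))
        if m:
            findings.append(f"Startup-folder EXE named by id {m.group(1)}")
    return findings


def scan(events: List[Dict[str, str]]) -> List[str]:
    return [f for ev in events for f in check_event(ev)]


def persistence_ids(events: List[Dict[str, str]]) -> Set[str]:
    """Ids used both as a Run value name and as a Startup-folder EXE name.

    Two independent persistence mechanisms keyed on one id is the pattern this
    sample shows; the id also matches the reg_key in the extracted config.
    """
    run_ids: Set[str] = set()
    startup_ids: Set[str] = set()
    for ev in events:
        target = ev.get("target", "")
        m = RUN_VALUE.search(target)
        if m:
            run_ids.add(m.group(1).lower())
        m = STARTUP_EXE.search(target)
        if m:
            startup_ids.add(m.group(1).lower())
    return run_ids & startup_ids


if __name__ == "__main__":
    for line in scan(EVENTS):
        print("ALERT:", line)
    print("persistence ids:", persistence_ids(EVENTS))
```

On a real host the same three rules map onto Sysmon event IDs 1 (process create), 13 (registry value set) and 11 (file create); the point of persistence_ids is that the Run value name, the Startup file name and the config's reg_key are one identifier, so a single hit gives you the string to sweep the rest of the fleet for.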
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\server.exe
Filesize 194KB
MD5 67ca864acaba6a7e02502538cc497760
SHA1 3cb2eaa09e9ae1ae64451fe7745d83118cfcdd6d
SHA256 b1a3c81101a64476b401a8889c4a2280a5a4e591bb4e5d184074934fade23c48
SHA512 2b32bcf490129f4e7a92987f6775b45fbab74377ed57d7d89a38136026459063df0ed43ef38da72610ecff3733a88ce144f3713391ea1278114729241f847244
(Identical size and hashes to the submitted sample: the dropped server.exe is a self-copy into the user profile, not a second-stage payload.)
-
\Users\Admin\AppData\Roaming\server.exe
Filesize 194KB
MD5 67ca864acaba6a7e02502538cc497760
SHA1 3cb2eaa09e9ae1ae64451fe7745d83118cfcdd6d
SHA256 b1a3c81101a64476b401a8889c4a2280a5a4e591bb4e5d184074934fade23c48
SHA512 2b32bcf490129f4e7a92987f6775b45fbab74377ed57d7d89a38136026459063df0ed43ef38da72610ecff3733a88ce144f3713391ea1278114729241f847244
-
memory/1400-57-0x0000000000000000-mapping.dmp
-
memory/1400-61-0x0000000074800000-0x0000000074DAB000-memory.dmp  Filesize 5.7MB
-
memory/1400-64-0x0000000074800000-0x0000000074DAB000-memory.dmp  Filesize 5.7MB
-
memory/1504-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp  Filesize 8KB
-
memory/1504-55-0x0000000074800000-0x0000000074DAB000-memory.dmp  Filesize 5.7MB
-
memory/1504-62-0x0000000074800000-0x0000000074DAB000-memory.dmp  Filesize 5.7MB
-
memory/2040-63-0x0000000000000000-mapping.dmp