Analysis
-
max time kernel
149s -
max time network
47s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
04-10-2022 01:22
Behavioral task
behavioral1
Sample
c0a1eb0c14c3a9dfd54e8ab7abbaa794efd01e0b4ca2e7e0a8f62efe7272a872.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
c0a1eb0c14c3a9dfd54e8ab7abbaa794efd01e0b4ca2e7e0a8f62efe7272a872.exe
Resource
win10v2004-20220812-en
General
-
Target
c0a1eb0c14c3a9dfd54e8ab7abbaa794efd01e0b4ca2e7e0a8f62efe7272a872.exe
-
Size
23KB
-
MD5
6b59f7a30dc5525804d541add4dbbae0
-
SHA1
955f87e370ac487f617d7e8df7cd7a44bd11a80f
-
SHA256
c0a1eb0c14c3a9dfd54e8ab7abbaa794efd01e0b4ca2e7e0a8f62efe7272a872
-
SHA512
7aa2e2feeff4f8dab2fc3e82e84214d86257da591071013fdd3faf502f420c290c404e97756270a6f5dc996ea92ed984afcb21862d1e0bcfa78b264142c0dcd1
-
SSDEEP
384:F8aLWS0dABLYVq6RxP8MDFF09vK563gRMmJKUv0mRvR6JZlbw8hqIusZzZ17/:WXcwt3tRpcnuqD
Malware Config
Extracted
njrat
0.7d
HacKed
127.0.0.1:5562
40d41935c162474c077082fd99af2520
-
reg_key
40d41935c162474c077082fd99af2520
-
splitter
|'|'|
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
server.exepid process 840 server.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Loads dropped DLL 1 IoCs
Processes:
c0a1eb0c14c3a9dfd54e8ab7abbaa794efd01e0b4ca2e7e0a8f62efe7272a872.exepid process 1740 c0a1eb0c14c3a9dfd54e8ab7abbaa794efd01e0b4ca2e7e0a8f62efe7272a872.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
server.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\40d41935c162474c077082fd99af2520 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\40d41935c162474c077082fd99af2520 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
Processes:
server.exedescription pid process Token: SeDebugPrivilege 840 server.exe Token: 33 840 server.exe Token: SeIncBasePriorityPrivilege 840 server.exe Token: 33 840 server.exe Token: SeIncBasePriorityPrivilege 840 server.exe Token: 33 840 server.exe Token: SeIncBasePriorityPrivilege 840 server.exe Token: 33 840 server.exe Token: SeIncBasePriorityPrivilege 840 server.exe Token: 33 840 server.exe Token: SeIncBasePriorityPrivilege 840 server.exe Token: 33 840 server.exe Token: SeIncBasePriorityPrivilege 840 server.exe Token: 33 840 server.exe Token: SeIncBasePriorityPrivilege 840 server.exe Token: 33 840 server.exe Token: SeIncBasePriorityPrivilege 840 server.exe Token: 33 840 server.exe Token: SeIncBasePriorityPrivilege 840 server.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
c0a1eb0c14c3a9dfd54e8ab7abbaa794efd01e0b4ca2e7e0a8f62efe7272a872.exeserver.exedescription pid process target process PID 1740 wrote to memory of 840 1740 c0a1eb0c14c3a9dfd54e8ab7abbaa794efd01e0b4ca2e7e0a8f62efe7272a872.exe server.exe PID 1740 wrote to memory of 840 1740 c0a1eb0c14c3a9dfd54e8ab7abbaa794efd01e0b4ca2e7e0a8f62efe7272a872.exe server.exe PID 1740 wrote to memory of 840 1740 c0a1eb0c14c3a9dfd54e8ab7abbaa794efd01e0b4ca2e7e0a8f62efe7272a872.exe server.exe PID 1740 wrote to memory of 840 1740 c0a1eb0c14c3a9dfd54e8ab7abbaa794efd01e0b4ca2e7e0a8f62efe7272a872.exe server.exe PID 840 wrote to memory of 676 840 server.exe netsh.exe PID 840 wrote to memory of 676 840 server.exe netsh.exe PID 840 wrote to memory of 676 840 server.exe netsh.exe PID 840 wrote to memory of 676 840 server.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c0a1eb0c14c3a9dfd54e8ab7abbaa794efd01e0b4ca2e7e0a8f62efe7272a872.exe"C:\Users\Admin\AppData\Local\Temp\c0a1eb0c14c3a9dfd54e8ab7abbaa794efd01e0b4ca2e7e0a8f62efe7272a872.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\server.exeFilesize
23KB
MD56b59f7a30dc5525804d541add4dbbae0
SHA1955f87e370ac487f617d7e8df7cd7a44bd11a80f
SHA256c0a1eb0c14c3a9dfd54e8ab7abbaa794efd01e0b4ca2e7e0a8f62efe7272a872
SHA5127aa2e2feeff4f8dab2fc3e82e84214d86257da591071013fdd3faf502f420c290c404e97756270a6f5dc996ea92ed984afcb21862d1e0bcfa78b264142c0dcd1
-
C:\Users\Admin\AppData\Local\Temp\server.exeFilesize
23KB
MD56b59f7a30dc5525804d541add4dbbae0
SHA1955f87e370ac487f617d7e8df7cd7a44bd11a80f
SHA256c0a1eb0c14c3a9dfd54e8ab7abbaa794efd01e0b4ca2e7e0a8f62efe7272a872
SHA5127aa2e2feeff4f8dab2fc3e82e84214d86257da591071013fdd3faf502f420c290c404e97756270a6f5dc996ea92ed984afcb21862d1e0bcfa78b264142c0dcd1
-
\Users\Admin\AppData\Local\Temp\server.exeFilesize
23KB
MD56b59f7a30dc5525804d541add4dbbae0
SHA1955f87e370ac487f617d7e8df7cd7a44bd11a80f
SHA256c0a1eb0c14c3a9dfd54e8ab7abbaa794efd01e0b4ca2e7e0a8f62efe7272a872
SHA5127aa2e2feeff4f8dab2fc3e82e84214d86257da591071013fdd3faf502f420c290c404e97756270a6f5dc996ea92ed984afcb21862d1e0bcfa78b264142c0dcd1
-
memory/676-63-0x0000000000000000-mapping.dmp
-
memory/840-57-0x0000000000000000-mapping.dmp
-
memory/840-62-0x0000000073F00000-0x00000000744AB000-memory.dmpFilesize
5.7MB
-
memory/840-65-0x0000000073F00000-0x00000000744AB000-memory.dmpFilesize
5.7MB
-
memory/1740-54-0x0000000075931000-0x0000000075933000-memory.dmpFilesize
8KB
-
memory/1740-55-0x0000000073F00000-0x00000000744AB000-memory.dmpFilesize
5.7MB
-
memory/1740-61-0x0000000073F00000-0x00000000744AB000-memory.dmpFilesize
5.7MB