Analysis

max time kernel: 149s
max time network: 153s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 04/11/2022, 17:54
Behavioral task: behavioral1
Sample: c6d0e07fcebfbea85ffc77c796f87d47048d24e39d0c81e5b881cffcb2aba29e.exe
Resource: win7-20220812-en
General

Target: c6d0e07fcebfbea85ffc77c796f87d47048d24e39d0c81e5b881cffcb2aba29e.exe
Size: 37KB
MD5: 2817c011989e9651e3b2bc75e2bb0190
SHA1: 254230a43c2f92381595a6bb03fe75234efe191e
SHA256: c6d0e07fcebfbea85ffc77c796f87d47048d24e39d0c81e5b881cffcb2aba29e
SHA512: bbc58966bd9c076e1c992b44fa6024a79b3378594a6c548dcf8c17f5fb4c2304ffa0c07addc7e42711fc829f254fd192954807280ea42c4b4ce6880a0f05d309
SSDEEP: 384:fOveoixJhl7OHg1WykrppPl48uiX60rAF+rMRTyN/0L+EcoinblneHQM3epzXlNi:2v+R1NkrppqFidrM+rMRa8Nuzwt
Malware Config

Extracted (njrat):
- im523
- HacKed
- 5.tcp.eu.ngrok.io:17656
- 5c1305f84d4de84c49a562943d8b6467
- reg_key: 5c1305f84d4de84c49a562943d8b6467
- splitter: |'|'|
Signatures

Executes dropped EXE (1 IoCs)
  pid   Process
  1992  server.exe

Modifies Windows Firewall (1 TTPs, 1 IoCs)
  pid   Process
  1748  netsh.exe

Loads dropped DLL (1 IoCs)
  pid   Process
  1976  c6d0e07fcebfbea85ffc77c796f87d47048d24e39d0c81e5b881cffcb2aba29e.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (19 IoCs)
  description                        pid   Process
  Token: SeDebugPrivilege            1992  server.exe
  Token: 33                          1992  server.exe
  Token: SeIncBasePriorityPrivilege  1992  server.exe
  Token: 33                          1992  server.exe
  Token: SeIncBasePriorityPrivilege  1992  server.exe
  Token: 33                          1992  server.exe
  Token: SeIncBasePriorityPrivilege  1992  server.exe
  Token: 33                          1992  server.exe
  Token: SeIncBasePriorityPrivilege  1992  server.exe
  Token: 33                          1992  server.exe
  Token: SeIncBasePriorityPrivilege  1992  server.exe
  Token: 33                          1992  server.exe
  Token: SeIncBasePriorityPrivilege  1992  server.exe
  Token: 33                          1992  server.exe
  Token: SeIncBasePriorityPrivilege  1992  server.exe
  Token: 33                          1992  server.exe
  Token: SeIncBasePriorityPrivilege  1992  server.exe
  Token: 33                          1992  server.exe
  Token: SeIncBasePriorityPrivilege  1992  server.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 1976 wrote to memory of 1992  1976  c6d0e07fcebfbea85ffc77c796f87d47048d24e39d0c81e5b881cffcb2aba29e.exe  28
  PID 1976 wrote to memory of 1992  1976  c6d0e07fcebfbea85ffc77c796f87d47048d24e39d0c81e5b881cffcb2aba29e.exe  28
  PID 1976 wrote to memory of 1992  1976  c6d0e07fcebfbea85ffc77c796f87d47048d24e39d0c81e5b881cffcb2aba29e.exe  28
  PID 1976 wrote to memory of 1992  1976  c6d0e07fcebfbea85ffc77c796f87d47048d24e39d0c81e5b881cffcb2aba29e.exe  28
  PID 1992 wrote to memory of 1748  1992  server.exe                                                              29
  PID 1992 wrote to memory of 1748  1992  server.exe                                                              29
  PID 1992 wrote to memory of 1748  1992  server.exe                                                              29
  PID 1992 wrote to memory of 1748  1992  server.exe                                                              29
Processes

1. C:\Users\Admin\AppData\Local\Temp\c6d0e07fcebfbea85ffc77c796f87d47048d24e39d0c81e5b881cffcb2aba29e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c6d0e07fcebfbea85ffc77c796f87d47048d24e39d0c81e5b881cffcb2aba29e.exe"
   PID: 1976
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\server.exe
      Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
      PID: 1992
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
         PID: 1748
         - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 37KB
MD5: 2817c011989e9651e3b2bc75e2bb0190
SHA1: 254230a43c2f92381595a6bb03fe75234efe191e
SHA256: c6d0e07fcebfbea85ffc77c796f87d47048d24e39d0c81e5b881cffcb2aba29e
SHA512: bbc58966bd9c076e1c992b44fa6024a79b3378594a6c548dcf8c17f5fb4c2304ffa0c07addc7e42711fc829f254fd192954807280ea42c4b4ce6880a0f05d309