Analysis
- max time kernel: 151s
- max time network: 142s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 19-11-2022 02:21

Behavioral task: behavioral1
- Sample: 5124aaebf1ab6da085b27c6c2ba0cc51.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: 5124aaebf1ab6da085b27c6c2ba0cc51.exe
- Resource: win10v2004-20220812-en
General
- Target: 5124aaebf1ab6da085b27c6c2ba0cc51.exe
- Size: 23KB
- MD5: 5124aaebf1ab6da085b27c6c2ba0cc51
- SHA1: fbc12d3abe1925183aca35b6576650fc8e70396f
- SHA256: a7746acce6168760a25635c553af74bbd6887d2b5e0d7b6bd9b45c8cd1e5b900
- SHA512: e741d212439d4f888dd63d619d0f1ae27dfa9784d6a1740bf70d9faef9ac403cc70f174685cce206ff8d8e371c4835912bdca5288744bc4ff74b00a3ad3f5924
- SSDEEP: 384:p8aZYC9twBNdcvFaly2H0dbJo6HghcASEJqc/ZmRvR6JZlbw8hqIusZzZ35:xY+sNKqNHnSdRpcnuy
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet (campaign ID): zzzzz
- C2: daleriamz.ddns.net:222
- Mutex: 44b2ba132312d6047acd9b3fee38fa26
- reg_key: 44b2ba132312d6047acd9b3fee38fa26
- splitter: |'|'|

The C2 is a dynamic-DNS hostname on a non-standard port (222), so block or alert on the hostname rather than on a fixed IP. The mutex and reg_key share one value; the same string names the Run value and the Startup-folder file in the signatures below, so it is the single identifier that ties all of this build's host artefacts together.
Signatures

Executes dropped EXE (1 IoC)
- pid 932, process server.exe

Modifies Windows Firewall (1 TTP, 1 IoC)
- server.exe launches netsh.exe to add a firewall exception for itself; the full command line is in the netsh.exe entry of the process tree.

Drops startup file (2 IoCs)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\44b2ba132312d6047acd9b3fee38fa26.exe (process: server.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\44b2ba132312d6047acd9b3fee38fa26.exe (process: server.exe)

Loads dropped DLL (1 IoC)
- pid 2020, process 5124aaebf1ab6da085b27c6c2ba0cc51.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\44b2ba132312d6047acd9b3fee38fa26 = "C:\Users\Admin\AppData\Local\Temp\server.exe" .. (process: server.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\44b2ba132312d6047acd9b3fee38fa26 = "C:\Users\Admin\AppData\Local\Temp\server.exe" .. (process: server.exe)

The Run value name and the Startup-folder filename are both the reg_key from the extracted config, and the value data carries a trailing " .." argument after the quoted path; both are stable strings to key a detection on. The key is written to HKCU and to the HKLM Wow6432Node view: the stub is a 32-bit process (netsh.exe is launched from SysWOW64), so its HKLM\SOFTWARE writes are redirected there.

Enumerates physical storage devices (1 TTP)
- Attempts to interact with connected storage/optical drive(s). The sandbox attaches the text "Likely ransomware behaviour" to this signature generically; it is not a finding about this sample. The extracted config identifies the sample as njRAT, and drive enumeration on its own does not indicate encryption.

Suspicious use of AdjustPrivilegeToken (19 IoCs)
- Token: SeDebugPrivilege, pid 932, process server.exe
- Token: 33, pid 932, process server.exe, followed by Token: SeIncBasePriorityPrivilege, pid 932, process server.exe; this pair is recorded nine times (18 IoCs). The token the sandbox leaves unresolved as 33 is privilege LUID 33, SeIncreaseWorkingSetPrivilege (SE_INC_WORKING_SET_PRIVILEGE in winnt.h).

Suspicious use of WriteProcessMemory (8 IoCs)
- PID 2020 (5124aaebf1ab6da085b27c6c2ba0cc51.exe) wrote to memory of PID 932 (server.exe), 4 records
- PID 932 (server.exe) wrote to memory of PID 1080 (netsh.exe), 4 records

In both cases the target is the writer's own direct child, matching the process tree; no write into an unrelated process was recorded.
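The following script is an added example for triaging a live Windows host for the persistence and firewall artefacts listed in the signatures above; it is not part of the sandbox report and not njRAT code. It assumes an elevated PowerShell session, and the patterns it keys on (an executable under a user Temp directory, the trailing " .." argument, a bare 32-hex value or file name) are generalised from this one sample rather than being a definitive njRAT signature. The NetSecurity cmdlets it uses for the firewall check exist on Windows 8 / Server 2012 and later; the Windows 7 fallback is noted in the comment.

```powershell
# Added example, not from the sandbox report: hunt a live host for the Run-key,
# Startup-folder and firewall-exception artefacts this sample leaves behind.
# Run elevated so the HKLM Run keys and the firewall policy store are readable.
# Pattern choices (user Temp path, trailing " ..", 32-hex names) are assumptions
# generalised from this one sample.

$hex32       = '^[0-9a-fA-F]{32}$'
$tempRegex   = '\\AppData\\Local\\Temp\\'
$knownSha256 = 'a7746acce6168760a25635c553af74bbd6887d2b5e0d7b6bd9b45c8cd1e5b900'  # SHA256 of this sample / server.exe
$findings    = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Type, [string]$Where, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Where = $Where; Detail = $Detail })
}

# 1. Run keys: current user, the native HKLM view, and the Wow6432Node view a 32-bit stub writes to.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }        # provider metadata (PSPath, PSDrive, ...)
        $data = [string]$prop.Value
        $suspicious = ($data -match $tempRegex) -or ($data.TrimEnd() -like '* ..') -or ($prop.Name -match $hex32)
        if (-not $suspicious) { continue }
        # Pull the quoted executable out of the value data and hash it if it still exists on disk.
        $detail = $data
        if ($data -match '^"([^"]+)"') {
            $exe = $Matches[1]
            if (Test-Path -LiteralPath $exe) {
                $sha = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
                $detail += "  SHA256=$sha"
                if ($sha -ieq $knownSha256) { $detail += '  [matches this report]' }
            }
        }
        Add-Finding 'RunKey' "$key\$($prop.Name)" $detail
    }
}

# 2. Startup folders (per-user and all-users): executables whose base name is a bare 32-hex token.
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem -LiteralPath $dir -Filter '*.exe' -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match $hex32 } |
        ForEach-Object {
            $sha = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Add-Finding 'StartupFile' $_.FullName "SHA256=$sha"
        }
}

# 3. Firewall rules whose program path is inside a user Temp directory. The legacy
#    "netsh firewall add allowedprogram" used by this sample creates an ordinary rule,
#    so it is visible through the NetSecurity cmdlets (Windows 8 / Server 2012 and later;
#    on Windows 7 use: netsh advfirewall firewall show rule name=all).
Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Program -match $tempRegex } |
    Get-NetFirewallRule |
    ForEach-Object {
        Add-Finding 'FirewallRule' $_.DisplayName "Enabled=$($_.Enabled) Direction=$($_.Direction) Action=$($_.Action)"
    }

$findings | Format-Table -AutoSize
```

A hit in all three categories pointing at the same Temp-resident executable, with a SHA256 equal to the one in this report, is the host-side confirmation of this exact build; a hit on only the " .." or 32-hex pattern with a different hash is worth pulling the file for analysis, since it is consistent with another build of the same stub.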
Processes

1. C:\Users\Admin\AppData\Local\Temp\5124aaebf1ab6da085b27c6c2ba0cc51.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5124aaebf1ab6da085b27c6c2ba0cc51.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\server.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
         - Modifies Windows Firewall

The numbers are the depth in the process tree: the submitted sample (pid 2020) drops and starts server.exe (pid 932), which in turn runs netsh.exe (pid 1080). netsh.exe is loaded from SysWOW64 because server.exe is a 32-bit process on the x64 image. The "netsh firewall" context used here is the legacy one, deprecated since Windows Vista in favour of "netsh advfirewall", but it still works on Windows 7 and adds an inbound program exception for the named executable, so the RAT can accept inbound connections without a firewall prompt.
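The chain above (a Temp-resident binary spawning netsh to whitelist itself, Run values pointing into user Temp with the trailing " .." argument, and a 32-hex-named Startup-folder drop) is what a retrospective hunt over endpoint telemetry would look for. The following detection logic is an added example, not part of the sandbox report and not the sandbox's own rule engine; it runs over constructed, Sysmon-style event dictionaries whose field names (type, image, parent_image, cmdline, key, data, path) are an assumed schema, and the sample events are built from the IoCs on this page plus two benign controls. The patterns generalise from this one sample to any build of the stub with the same persistence layout.

```python
"""Detection logic for the process chain and persistence artefacts in this report.

Added example; not part of the sandbox report and not the sandbox's own rule logic.
Event field names are an assumed Sysmon-style schema, not a real product's format.
"""
import re
from typing import Dict, Iterable, List

HEX32 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)            # e.g. 44b2ba132312d6047acd9b3fee38fa26
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_VALUE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$",
    re.IGNORECASE,
)
STARTUP_EXE = re.compile(r"\\Start Menu\\Programs\\Startup\\([^\\]+)\.exe$", re.IGNORECASE)
NETSH_ALLOW = re.compile(
    r'\bnetsh(?:\.exe)?\s+firewall\s+add\s+allowedprogram\s+"([^"]+)"', re.IGNORECASE
)


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the alerts raised by one event (empty list when nothing matches)."""
    alerts: List[str] = []
    kind = ev.get("type")

    if kind == "process_create":
        # Legacy netsh firewall exception for a program under a user's Temp directory.
        m = NETSH_ALLOW.search(ev.get("cmdline", ""))
        if m and USER_TEMP.search(m.group(1)):
            alerts.append(f"firewall exception added for user-Temp binary {m.group(1)}")
        # netsh itself launched by something living in Temp.
        if ev.get("image", "").lower().endswith("\\netsh.exe") and USER_TEMP.search(
            ev.get("parent_image", "")
        ):
            alerts.append(f"netsh.exe spawned by Temp-resident parent {ev['parent_image']}")

    elif kind == "registry_set":
        m = RUN_VALUE.search(ev.get("key", ""))
        if m:
            name, data = m.group(1), ev.get("data", "")
            if USER_TEMP.search(data):
                alerts.append(f"Run value {name} points into user Temp: {data}")
            if HEX32.match(name):
                alerts.append(f"Run value name is a bare 32-hex token: {name}")
            if data.rstrip().endswith(" .."):
                alerts.append(f"Run value {name} carries the trailing ' ..' argument")

    elif kind == "file_create":
        m = STARTUP_EXE.search(ev.get("path", ""))
        if m and HEX32.match(m.group(1)):
            alerts.append(f"32-hex-named executable written to Startup folder: {m.group(1)}.exe")

    return alerts


def scan(events: Iterable[Dict[str, str]]) -> List[str]:
    """Run check_event over a stream of events and collect every alert."""
    found: List[str] = []
    for ev in events:
        found.extend(check_event(ev))
    return found


# Constructed events modelled on the IoCs in this report, plus two benign controls.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SID = "S-1-5-21-3845472200-3839195424-595303356-1000"
REG_KEY = "44b2ba132312d6047acd9b3fee38fa26"
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": "1080", "ppid": "932",
     "image": r"C:\Windows\SysWOW64\netsh.exe",
     "parent_image": TEMP + r"\server.exe",
     "cmdline": f'netsh firewall add allowedprogram "{TEMP}\\server.exe" "server.exe" ENABLE'},
    {"type": "registry_set",
     "key": f"\\REGISTRY\\USER\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\{REG_KEY}",
     "data": f'"{TEMP}\\server.exe" ..'},
    {"type": "registry_set",
     "key": f"\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\{REG_KEY}",
     "data": f'"{TEMP}\\server.exe" ..'},
    {"type": "file_create",
     "path": f"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\{REG_KEY}.exe"},
    # benign controls: an ordinary shell, and a vendor Run value under AppData\Local (not Temp)
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe /c dir"},
    {"type": "registry_set",
     "key": f"\\REGISTRY\\USER\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Each rule fires independently, so a single Run-value event from this sample raises three alerts (Temp path, 32-hex name, trailing " .."); in a production rule set these would usually be one rule with a severity that rises with the number of matching conditions, which keeps the Temp-path condition alone from paging on every portable tool a user runs from Downloads.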
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\server.exe (also recorded as \Users\Admin\AppData\Local\Temp\server.exe)
  Filesize: 23KB
  MD5: 5124aaebf1ab6da085b27c6c2ba0cc51
  SHA1: fbc12d3abe1925183aca35b6576650fc8e70396f
  SHA256: a7746acce6168760a25635c553af74bbd6887d2b5e0d7b6bd9b45c8cd1e5b900
  SHA512: e741d212439d4f888dd63d619d0f1ae27dfa9784d6a1740bf70d9faef9ac403cc70f174685cce206ff8d8e371c4835912bdca5288744bc4ff74b00a3ad3f5924

The dropped server.exe has the same size and the same MD5, SHA1, SHA256 and SHA512 as the submitted sample, so it is a byte-identical self-copy rather than a second, unpacked payload: one hash set covers both the file that was executed and the copy that is persisted from %LOCALAPPDATA%\Temp. The report lists the same file three times (twice with the drive letter, once without); the entries are merged here.
- memory/932-57-0x0000000000000000-mapping.dmp
- memory/932-62-0x0000000074C80000-0x000000007522B000-memory.dmp (5.7MB)
- memory/932-65-0x0000000074C80000-0x000000007522B000-memory.dmp (5.7MB)
- memory/1080-63-0x0000000000000000-mapping.dmp
- memory/2020-54-0x00000000756B1000-0x00000000756B3000-memory.dmp (8KB)
- memory/2020-55-0x0000000074C80000-0x000000007522B000-memory.dmp (5.7MB)
- memory/2020-61-0x0000000074C80000-0x000000007522B000-memory.dmp (5.7MB)