Analysis

max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 21-11-2022 23:15

Behavioral task behavioral1
  Sample: ec11041c06713dab17cd1df70e30105ac07c23abf7f2db3a171aade56bc7f272.exe
  Resource: win7-20220901-en

Behavioral task behavioral2
  Sample: ec11041c06713dab17cd1df70e30105ac07c23abf7f2db3a171aade56bc7f272.exe
  Resource: win10v2004-20221111-en
General

Target: ec11041c06713dab17cd1df70e30105ac07c23abf7f2db3a171aade56bc7f272.exe
Size: 44KB
MD5: 10d10d703487f66c184aebcc89ee1cdc
SHA1: af4c294e54ed01d71e0ee1b33af9c1fee178ef73
SHA256: ec11041c06713dab17cd1df70e30105ac07c23abf7f2db3a171aade56bc7f272
SHA512: f6b9714db6bec47229fd326d7ebcfac855a33e3a5f82429d04d34719276e18cb6d447c66ac364ec6dcc017ca529b7c0f31d9d4514769e839e7419f62e9741df3
SSDEEP: 768:Os4UAZQv/27NYsDkfZPoIqlHepBKh0p29SgRcrsnWeDmtUov:OrU7m7N143wEKhG29jcrGBmUM
Malware Config

Extracted
Family: njrat
Version: 0.6.4
Botnet: system
C2: saadk.no-ip.biz:1177
Mutex: 12ce4e06a81e8d54fd01d9b762f1b1bb
reg_key: 12ce4e06a81e8d54fd01d9b762f1b1bb
splitter: |'|'|

The reg_key value is reused verbatim as the Run value name written by system.exe (see Signatures), and the splitter is the field delimiter the implant uses inside its C2 messages, so both are usable as host and network indicators for this build.
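To show what the extracted splitter means in practice, here is an added example that is not part of the report: a small encoder/decoder for njRAT's C2 framing, which prefixes every message with its decimal length and a NUL byte and separates fields inside the message with the configured splitter. The beacon bytes are constructed for the example, and the field meanings given in the comments (check-in command, victim id, host, user) are assumptions about the protocol layout, not values recovered from this sample.

```python
# Added example, not from the report: njRAT C2 message framing and field
# splitting, using the splitter value from the extracted config.
#
# njRAT frames each message as "<decimal length>\x00<payload>" and separates
# fields inside the payload with its configured splitter. The stream built
# below is constructed; the field meanings in the comments (command code,
# victim id, host name, user name) are an assumption about the protocol
# layout, not something recovered from this sample.

SPLITTER = b"|'|'|"               # from the Malware Config above
C2 = ("saadk.no-ip.biz", 1177)    # from the Malware Config above


def build_frame(fields, splitter=SPLITTER):
    """Encode one message the way the implant puts it on the wire."""
    body = splitter.join(fields)
    return str(len(body)).encode() + b"\x00" + body


def parse_frames(stream, splitter=SPLITTER):
    """Split a byte stream into njRAT messages, then each message into fields.

    Returns (messages, leftover); leftover is an incomplete trailing frame
    that should be kept until more data arrives. Raises ValueError when the
    bytes at a frame boundary are not a decimal length prefix.
    """
    messages = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break                              # no complete length prefix yet
        length_txt = stream[pos:nul]
        if not length_txt.isdigit():
            raise ValueError(f"bad length prefix at offset {pos}: {length_txt!r}")
        end = nul + 1 + int(length_txt)
        if end > len(stream):
            break                              # frame not fully received yet
        messages.append(stream[nul + 1:end].split(splitter))
        pos = end
    return messages, stream[pos:]


def looks_like_njrat(stream, splitter=SPLITTER):
    """Cheap stream classifier: at least one well-formed frame whose body
    contains the configured splitter. Malformed prefixes count as 'no'."""
    try:
        messages, _ = parse_frames(stream, splitter)
    except ValueError:
        return False
    return any(len(m) > 1 for m in messages)


# Constructed check-in: "ll" is assumed to be the initial registration
# command, followed by a victim id, host name and user name.
BEACON = build_frame([b"ll", b"SGFjS2Vk", b"USER-PC", b"Admin"])

if __name__ == "__main__":
    msgs, rest = parse_frames(BEACON + build_frame([b"inf"]))
    for m in msgs:
        print([f.decode() for f in m])
    print("njrat-like:", looks_like_njrat(BEACON), "leftover:", rest)
```

Because the splitter and the length prefix are fixed by the builder, a content match on the splitter bytes in TCP payloads to port 1177 (plus the length-NUL framing check above) catches this build regardless of the dynamic DNS name it resolves.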
Signatures

Executes dropped EXE (2 IoCs)
  pid 840   Tempserver.exe
  pid 584   system.exe

Modifies Windows Firewall (1 TTPs, 1 IoCs)
  See the netsh.exe command line under Processes.

Loads dropped DLL (2 IoCs)
  pid 1740  ec11041c06713dab17cd1df70e30105ac07c23abf7f2db3a171aade56bc7f272.exe
  pid 840   Tempserver.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  system.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\12ce4e06a81e8d54fd01d9b762f1b1bb = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\system.exe\" .."
  system.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\12ce4e06a81e8d54fd01d9b762f1b1bb = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\system.exe\" .."
  The value name is the config's reg_key, and the trailing " .." argument is characteristic of njRAT's self-registration; the same value is written under both the user hive and the 32-bit machine hive.

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  The "likely ransomware" wording is the sandbox's generic description for this signature. njRAT enumerates drives for its file manager and for copying itself to removable media, so on its own this is not evidence of ransomware.

Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid 584   system.exe (18 events)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  pid 584   system.exe  Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1740 (ec11041c06713dab17cd1df70e30105ac07c23abf7f2db3a171aade56bc7f272.exe) wrote to memory of 840 (Tempserver.exe)  x4
  PID 840 (Tempserver.exe) wrote to memory of 584 (system.exe)  x4
  PID 584 (system.exe) wrote to memory of 1932 (netsh.exe)  x4
  Each parent writes only into the child it has just spawned, which is the pattern ordinary process creation produces on this platform; it is not evidence of injection into an unrelated process.
Processes

1. C:\Users\Admin\AppData\Local\Temp\ec11041c06713dab17cd1df70e30105ac07c23abf7f2db3a171aade56bc7f272.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ec11041c06713dab17cd1df70e30105ac07c23abf7f2db3a171aade56bc7f272.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

  2. C:\Users\Admin\AppData\Local\Tempserver.exe
     Command line: "C:\Users\Admin\AppData\Local\Tempserver.exe"
     - Executes dropped EXE
     - Loads dropped DLL
     - Suspicious use of WriteProcessMemory

    3. C:\Users\Admin\AppData\Local\Temp\system.exe
       Command line: "C:\Users\Admin\AppData\Local\Temp\system.exe"
       - Executes dropped EXE
       - Adds Run key to start application
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of WriteProcessMemory

      4. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\system.exe" "system.exe" ENABLE
         - Modifies Windows Firewall
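The two host artifacts in this tree that survive a change of C2 address are the Run value (a 32-hex-character name pointing at a Temp-resident executable with a trailing " .." argument) and the netsh firewall exception for that same executable. The following is an added example, not part of the report or of any vendor's ruleset: detection logic run over a handful of constructed Sysmon-style events, two of which mirror the registry write and the netsh command line recorded above and the rest of which are benign noise. The event shape (type, image, key, data, cmdline, parent_image) and the list of user-writable directories are assumptions made for the example.

```python
# Added example, not from the report: host-side detection for the njRAT
# persistence and firewall-exception behaviour seen in the process tree.
# Events are constructed in a simplified Sysmon-like shape; ids 1-3 mirror
# the report's registry writes and netsh command, ids 4-5 are benign noise.
import re

EVENTS = [
    {"id": 1, "type": "registry_set",
     "image": r"C:\Users\Admin\AppData\Local\Temp\system.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\12ce4e06a81e8d54fd01d9b762f1b1bb",
     "data": r'"C:\Users\Admin\AppData\Local\Temp\system.exe" ..'},
    {"id": 2, "type": "registry_set",
     "image": r"C:\Users\Admin\AppData\Local\Temp\system.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\12ce4e06a81e8d54fd01d9b762f1b1bb",
     "data": r'"C:\Users\Admin\AppData\Local\Temp\system.exe" ..'},
    {"id": 3, "type": "process_create",
     "image": r"C:\Windows\SysWOW64\netsh.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\system.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\system.exe" "system.exe" ENABLE'},
    {"id": 4, "type": "registry_set",                      # benign Run entry
     "image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveSetup.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"id": 5, "type": "process_create",                    # benign netsh use
     "image": r"C:\Windows\System32\netsh.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "netsh advfirewall show allprofiles"},
]

# Assumed list of locations an unprivileged user can write executables to.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.I)
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)
# njRAT registers itself as "<path>" .. ; the trailing " .." is the giveaway.
NJRAT_RUN_DATA = re.compile(r'^"([^"]+)"\s+\.\.$')
# Both the legacy "netsh firewall" and the "netsh advfirewall" syntax.
NETSH_ALLOW = re.compile(
    r'netsh\s+firewall\s+add\s+allowedprogram\s+"?([^"\s]+)"?|'
    r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*?program="?([^"\s]+)"?', re.I)


def check_run_key(ev):
    """Return a list of reasons a Run-key write looks like njRAT, or None."""
    m = RUN_KEY.search(ev["key"])
    if not m:
        return None
    reasons = []
    if HEX32.match(m.group(1)):
        reasons.append("32-hex value name")
    d = NJRAT_RUN_DATA.match(ev["data"])
    if d:
        reasons.append('command ends in " .."')
        if USER_WRITABLE.search(d.group(1)):
            reasons.append("target in user-writable path")
    return reasons or None


def check_netsh(ev):
    """Return reasons a netsh invocation looks like a malware firewall exception."""
    m = NETSH_ALLOW.search(ev["cmdline"])
    if not m:
        return None
    prog = m.group(1) or m.group(2) or ""
    reasons = ["firewall allow rule added"]
    if USER_WRITABLE.search(prog):
        reasons.append("allowed program in user-writable path")
    if USER_WRITABLE.search(ev.get("parent_image", "")):
        reasons.append("netsh spawned from user-writable path")
    return reasons


def detect(events):
    """Run both checks over a list of events; returns [(event id, reasons)]."""
    hits = []
    for ev in events:
        if ev["type"] == "registry_set":
            r = check_run_key(ev)
        elif ev["type"] == "process_create" and ev["image"].lower().endswith("\\netsh.exe"):
            r = check_netsh(ev)
        else:
            r = None
        if r:
            hits.append((ev["id"], r))
    return hits


if __name__ == "__main__":
    for event_id, reasons in detect(EVENTS):
        print(event_id, "; ".join(reasons))
```

The Run-key check is deliberately split into three independent reasons so that a single reason (a hex value name on its own, say) can be scored low, while the combination seen in this report (hex name, trailing " ..", Temp-resident target) scores high; the netsh check fires on any allow rule and raises severity when either the allowed program or the netsh parent lives in a user-writable directory.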
Network

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

Dropped files. One 29KB binary is written to two paths (each also listed without the drive letter); all four entries share the same hashes:

C:\Users\Admin\AppData\Local\Temp\system.exe
C:\Users\Admin\AppData\Local\Tempserver.exe
\Users\Admin\AppData\Local\Temp\system.exe
\Users\Admin\AppData\Local\Tempserver.exe
  Filesize: 29KB
  MD5: cc1527601b9652935e9056cb92446af4
  SHA1: aae8b36b18e40a006ce13e64b02c85e46e22f458
  SHA256: 4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9
  SHA512: 77d34263df5ef22f99c176020d5163b19b1392c6833da14d864e9762a6b9e4d11e3613a2a161937871150c80df0dd43d9edea1cee1e621c0d45a2047839172a5
-
Memory dumps

memory/584-62-0x0000000000000000-mapping.dmp
memory/584-69-0x0000000073950000-0x0000000073EFB000-memory.dmp  5.7MB
memory/584-70-0x0000000073950000-0x0000000073EFB000-memory.dmp  5.7MB
memory/840-57-0x0000000000000000-mapping.dmp
memory/840-66-0x0000000073950000-0x0000000073EFB000-memory.dmp  5.7MB
memory/1740-54-0x0000000001350000-0x0000000001362000-memory.dmp  72KB
memory/1740-55-0x0000000075931000-0x0000000075933000-memory.dmp  8KB
memory/1932-67-0x0000000000000000-mapping.dmp