Analysis

max time kernel: 188s
max time network: 234s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 23/11/2022, 21:46

Static task: static1
Behavioral task: behavioral1
  Sample: 2f79aaf512689c9403db74af2edb79ac.exe
  Resource: win7-20221111-en
General

Target: 2f79aaf512689c9403db74af2edb79ac.exe
Size: 484KB
MD5: 2f79aaf512689c9403db74af2edb79ac
SHA1: 63f197e4139dafa86daa135e910cebb5c515d196
SHA256: 4099691b6923caf26f04c475c83d2eabbee3167061cb9d683c67cf36e63b31a9
SHA512: dbcf00436f34a71da3b44ecf16647ffbfb99d307bf7975abacc8c640f78e5a4ec55c014380d626529ef94ae557e01a9f685e3aba9c660e4d02faf38e21a71850
SSDEEP: 6144:x/iQb+ckQsH8TDRGKJkSvGUlYG2VT+tr08yZPzkLQsJVQc1VTNN2HMDgtHxyPw5:oQnk3GDYKGcblMT+tr08yZwL1p8Hx+w5
Malware Config

Extracted family: njrat
Version: im523
Botnet: HacKed
C2: 6.tcp.ngrok.io:15907
Mutex: 55beb0adf3929af15490d2dcbd04f397
reg_key: 55beb0adf3929af15490d2dcbd04f397
splitter: |'|'|
Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  1180  Server.sfx.exe
  1752  Server.exe

Modifies Windows Firewall (1 TTPs, 1 IoCs)
  pid   Process
  1876  netsh.exe

Loads dropped DLL (4 IoCs)
  pid   Process
  584   cmd.exe
  1180  Server.sfx.exe (3 entries)

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (23 IoCs)
  description                        pid   Process     count
  Token: SeDebugPrivilege            1752  Server.exe  1
  Token: 33                          1752  Server.exe  11
  Token: SeIncBasePriorityPrivilege  1752  Server.exe  11

Suspicious use of WriteProcessMemory (16 IoCs)
  description                       pid   Process                               procid_target  count
  PID 952 wrote to memory of 584    952   2f79aaf512689c9403db74af2edb79ac.exe  28             4
  PID 584 wrote to memory of 1180   584   cmd.exe                               30             4
  PID 1180 wrote to memory of 1752  1180  Server.sfx.exe                        31             4
  PID 1752 wrote to memory of 1876  1752  Server.exe                            32             4
Processes

1. C:\Users\Admin\AppData\Local\Temp\2f79aaf512689c9403db74af2edb79ac.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2f79aaf512689c9403db74af2edb79ac.exe"
   PID: 952
   - Suspicious use of WriteProcessMemory

  2. C:\Windows\SysWOW64\cmd.exe
     Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\srv.bat" "
     PID: 584
     - Loads dropped DLL
     - Suspicious use of WriteProcessMemory

    3. C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.sfx.exe
       Command line: Server.sfx.exe -phugorodalegadidier0011
       PID: 1180
       - Executes dropped EXE
       - Loads dropped DLL
       - Suspicious use of WriteProcessMemory

      4. C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe"
         PID: 1752
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

        5. C:\Windows\SysWOW64\netsh.exe
           Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe" "Server.exe" ENABLE
           PID: 1876
           - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads
File 1 (3 entries)
Filesize: 322KB
MD5: 5e49ee0f614f32c90b839bb108664011
SHA1: dd8affe65d9b27f19a5e4200565741b6acba7dd9
SHA256: 654f683201915e2c158abdd373bdce5974f33defbb940e2304107e6fb4efc376
SHA512: 2232d2323497fe643d51fb5d9f7d6f9e7e9db3878971e64bb5085f1b4c0bd142b582f01d246819d8980f18347da2a696c90c27f2c5fac20ee8b88d7f3ea214a2

File 2 (1 entry)
Filesize: 56B
MD5: 45727356459051f342d1e74f42e69615
SHA1: c6587b44238bc36f2cd8bf7c5b010fade2ccd1cf
SHA256: de5e75b1b128cf5f9409ea4402ce2b656c34c85818e071938de4451716c28c3a
SHA512: d138801ebd582f24e3959e64cc85599f4333f250273b448b720bcff68d576ff27434242dabe09aba9983d55fe84b14b6c8b1a280f8986f48a0a5e97cf08105c3

File 3 (5 entries)
Filesize: 37KB
MD5: 80b93f5afdc0ba9071bc68f350d55d56
SHA1: a3f5b32dc496685f942052365cb67eb003cbc027
SHA256: 2c6ae5055c8937432220725bc0b0907967a6151d755f01f87a3de938f6bdfa29
SHA512: 90c4a4d02d12980109932f1f7a7966a277e59521ac741f58bf4c6b805a35756f070bf7f941335d9dbf82d3027e35b4f419122fb7a446eb5a912707b032247188