Analysis
- max time kernel: 139s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 25-11-2022 23:36
Behavioral task: behavioral1
- Sample: a91381bad3f5ef7eb1a95dc7d89dd60dccc6a80389b29c524fb84913b71e1bf2.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: a91381bad3f5ef7eb1a95dc7d89dd60dccc6a80389b29c524fb84913b71e1bf2.exe
- Resource: win10v2004-20221111-en
General
- Target: a91381bad3f5ef7eb1a95dc7d89dd60dccc6a80389b29c524fb84913b71e1bf2.exe
- Size: 135KB
- MD5: b61d8d07574e0650adb25bdf1c3e6c5f
- SHA1: 1cc33ddb775273ba5f1639dfff2344d78af65d1d
- SHA256: a91381bad3f5ef7eb1a95dc7d89dd60dccc6a80389b29c524fb84913b71e1bf2
- SHA512: ba82dd009e2321039ad20b2ce5794f530e4c3ff7659d6217505f20722a7a5f5648be8fde3df06d4e7558878eeca15adfbde7eba3a2398105832fcfe521508be4
- SSDEEP: 768:5qW4V6+yDRpcnugrnskz+09lQk4GzjV0XEc2JP1iK2SwX7R81yqBP:gW4VcDRWugL/SclQBY50XvUP1R1fF
Malware Config
Extracted:
- njrat
- 0.7d
- Hacked
- maistro.no-ip.org:1177
- 89858a26c3b4f367dbcfa95959e39d35
- reg_key: 89858a26c3b4f367dbcfa95959e39d35
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
  1340 ahmed.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Loads dropped DLL (1 IoCs)
  Processes (pid, process):
  1956 a91381bad3f5ef7eb1a95dc7d89dd60dccc6a80389b29c524fb84913b71e1bf2.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (15 IoCs)
  Processes (description, pid, process):
  Token: SeDebugPrivilege 1340 ahmed.exe
  Token: 33 1340 ahmed.exe
  Token: SeIncBasePriorityPrivilege 1340 ahmed.exe
  Token: 33 1340 ahmed.exe
  Token: SeIncBasePriorityPrivilege 1340 ahmed.exe
  Token: 33 1340 ahmed.exe
  Token: SeIncBasePriorityPrivilege 1340 ahmed.exe
  Token: 33 1340 ahmed.exe
  Token: SeIncBasePriorityPrivilege 1340 ahmed.exe
  Token: 33 1340 ahmed.exe
  Token: SeIncBasePriorityPrivilege 1340 ahmed.exe
  Token: 33 1340 ahmed.exe
  Token: SeIncBasePriorityPrivilege 1340 ahmed.exe
  Token: 33 1340 ahmed.exe
  Token: SeIncBasePriorityPrivilege 1340 ahmed.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
  PID 1956 wrote to memory of 1340 1956 a91381bad3f5ef7eb1a95dc7d89dd60dccc6a80389b29c524fb84913b71e1bf2.exe ahmed.exe
  PID 1956 wrote to memory of 1340 1956 a91381bad3f5ef7eb1a95dc7d89dd60dccc6a80389b29c524fb84913b71e1bf2.exe ahmed.exe
  PID 1956 wrote to memory of 1340 1956 a91381bad3f5ef7eb1a95dc7d89dd60dccc6a80389b29c524fb84913b71e1bf2.exe ahmed.exe
  PID 1956 wrote to memory of 1340 1956 a91381bad3f5ef7eb1a95dc7d89dd60dccc6a80389b29c524fb84913b71e1bf2.exe ahmed.exe
  PID 1340 wrote to memory of 956 1340 ahmed.exe netsh.exe
  PID 1340 wrote to memory of 956 1340 ahmed.exe netsh.exe
  PID 1340 wrote to memory of 956 1340 ahmed.exe netsh.exe
  PID 1340 wrote to memory of 956 1340 ahmed.exe netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a91381bad3f5ef7eb1a95dc7d89dd60dccc6a80389b29c524fb84913b71e1bf2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a91381bad3f5ef7eb1a95dc7d89dd60dccc6a80389b29c524fb84913b71e1bf2.exe"
  PID: 1956
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\ahmed.exe
    Command line: "C:\Users\Admin\AppData\Roaming\ahmed.exe"
    PID: 1340
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\ahmed.exe" "ahmed.exe" ENABLE
      PID: 956
      - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\ahmed.exe
  Filesize: 135KB
  MD5: b61d8d07574e0650adb25bdf1c3e6c5f
  SHA1: 1cc33ddb775273ba5f1639dfff2344d78af65d1d
  SHA256: a91381bad3f5ef7eb1a95dc7d89dd60dccc6a80389b29c524fb84913b71e1bf2
  SHA512: ba82dd009e2321039ad20b2ce5794f530e4c3ff7659d6217505f20722a7a5f5648be8fde3df06d4e7558878eeca15adfbde7eba3a2398105832fcfe521508be4
- C:\Users\Admin\AppData\Roaming\ahmed.exe
  Filesize: 135KB
  MD5: b61d8d07574e0650adb25bdf1c3e6c5f
  SHA1: 1cc33ddb775273ba5f1639dfff2344d78af65d1d
  SHA256: a91381bad3f5ef7eb1a95dc7d89dd60dccc6a80389b29c524fb84913b71e1bf2
  SHA512: ba82dd009e2321039ad20b2ce5794f530e4c3ff7659d6217505f20722a7a5f5648be8fde3df06d4e7558878eeca15adfbde7eba3a2398105832fcfe521508be4
- \Users\Admin\AppData\Roaming\ahmed.exe
  Filesize: 135KB
  MD5: b61d8d07574e0650adb25bdf1c3e6c5f
  SHA1: 1cc33ddb775273ba5f1639dfff2344d78af65d1d
  SHA256: a91381bad3f5ef7eb1a95dc7d89dd60dccc6a80389b29c524fb84913b71e1bf2
  SHA512: ba82dd009e2321039ad20b2ce5794f530e4c3ff7659d6217505f20722a7a5f5648be8fde3df06d4e7558878eeca15adfbde7eba3a2398105832fcfe521508be4
- memory/956-64-0x0000000000000000-mapping.dmp
- memory/1340-58-0x0000000000000000-mapping.dmp
- memory/1340-63-0x0000000074DE0000-0x000000007538B000-memory.dmp
  Filesize: 5.7MB
- memory/1340-66-0x0000000074DE0000-0x000000007538B000-memory.dmp
  Filesize: 5.7MB
- memory/1956-54-0x00000000762F1000-0x00000000762F3000-memory.dmp
  Filesize: 8KB
- memory/1956-55-0x0000000074DE0000-0x000000007538B000-memory.dmp
  Filesize: 5.7MB
- memory/1956-56-0x0000000074DE0000-0x000000007538B000-memory.dmp
  Filesize: 5.7MB
- memory/1956-62-0x0000000074DE0000-0x000000007538B000-memory.dmp
  Filesize: 5.7MB