Analysis

max time kernel: 243s
max time network: 356s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 07:38
Behavioral task: behavioral1
Sample: 78670d5a183c2679c8c45c323c23a4c8ca750360a03fb76e1a2923dfca439433.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: 78670d5a183c2679c8c45c323c23a4c8ca750360a03fb76e1a2923dfca439433.exe
Resource: win10v2004-20220901-en
General

Target: 78670d5a183c2679c8c45c323c23a4c8ca750360a03fb76e1a2923dfca439433.exe
Size: 23KB
MD5: 4365a0d1044bc78fa41fd4191678efe5
SHA1: dfac2a71df39d25541322e6474c347ef38c9c438
SHA256: 78670d5a183c2679c8c45c323c23a4c8ca750360a03fb76e1a2923dfca439433
SHA512: 17993143727707b8fd450e2c5065f5221bc70364ae1cdf6e0e2052a5fae7a4a84429084088e1ff6600815c9a482a69bd0411ec3dc338ab0cd38eb18b222069db
SSDEEP: 384:k8aLWS0dABLYVq6RxP8MDFF09vK563gRMmJKUv0mRvR6JZlbw8hqIusZzZxR:jXcwt3tRpcnuI
Malware Config

Extracted
Family: njrat
Version: 0.7d
Botnet: dinaro
C2: barby.no-ip.biz:1177
Mutex: be38e079e21e7a803483d18fb29a86c3
Attributes:
  reg_key: be38e079e21e7a803483d18fb29a86c3
  splitter: |'|'|
Signatures

Executes dropped EXE (1 IoCs)
Processes:
  PID 1904  server.exe

Modifies Windows Firewall (1 TTPs, 1 IoCs)

Drops startup file (2 IoCs)
Processes (server.exe):
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\be38e079e21e7a803483d18fb29a86c3.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\be38e079e21e7a803483d18fb29a86c3.exe

Loads dropped DLL (1 IoCs)
Processes:
  PID 472  78670d5a183c2679c8c45c323c23a4c8ca750360a03fb76e1a2923dfca439433.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (server.exe):
  Set value (str): \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\be38e079e21e7a803483d18fb29a86c3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\be38e079e21e7a803483d18fb29a86c3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (17 IoCs)
Processes (server.exe, PID 1904):
  Token: SeDebugPrivilege (1 entry)
  Token: 33 (8 entries)
  Token: SeIncBasePriorityPrivilege (8 entries)

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  PID 472 (78670d5a183c2679c8c45c323c23a4c8ca750360a03fb76e1a2923dfca439433.exe) wrote to memory of PID 1904 (server.exe)  (4 entries)
  PID 1904 (server.exe) wrote to memory of PID 1632 (netsh.exe)  (4 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\78670d5a183c2679c8c45c323c23a4c8ca750360a03fb76e1a2923dfca439433.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\78670d5a183c2679c8c45c323c23a4c8ca750360a03fb76e1a2923dfca439433.exe"
   PID: 472
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\server.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      PID: 1904
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
         PID: 1632
         - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize: 23KB
MD5: 4365a0d1044bc78fa41fd4191678efe5
SHA1: dfac2a71df39d25541322e6474c347ef38c9c438
SHA256: 78670d5a183c2679c8c45c323c23a4c8ca750360a03fb76e1a2923dfca439433
SHA512: 17993143727707b8fd450e2c5065f5221bc70364ae1cdf6e0e2052a5fae7a4a84429084088e1ff6600815c9a482a69bd0411ec3dc338ab0cd38eb18b222069db

C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize: 23KB
MD5: 4365a0d1044bc78fa41fd4191678efe5
SHA1: dfac2a71df39d25541322e6474c347ef38c9c438
SHA256: 78670d5a183c2679c8c45c323c23a4c8ca750360a03fb76e1a2923dfca439433
SHA512: 17993143727707b8fd450e2c5065f5221bc70364ae1cdf6e0e2052a5fae7a4a84429084088e1ff6600815c9a482a69bd0411ec3dc338ab0cd38eb18b222069db

\Users\Admin\AppData\Local\Temp\server.exe
Filesize: 23KB
MD5: 4365a0d1044bc78fa41fd4191678efe5
SHA1: dfac2a71df39d25541322e6474c347ef38c9c438
SHA256: 78670d5a183c2679c8c45c323c23a4c8ca750360a03fb76e1a2923dfca439433
SHA512: 17993143727707b8fd450e2c5065f5221bc70364ae1cdf6e0e2052a5fae7a4a84429084088e1ff6600815c9a482a69bd0411ec3dc338ab0cd38eb18b222069db

memory/472-54-0x0000000074FA1000-0x0000000074FA3000-memory.dmp
Filesize: 8KB

memory/472-55-0x0000000073FA0000-0x000000007454B000-memory.dmp
Filesize: 5.7MB

memory/472-61-0x0000000073FA0000-0x000000007454B000-memory.dmp
Filesize: 5.7MB

memory/1632-63-0x0000000000000000-mapping.dmp

memory/1904-57-0x0000000000000000-mapping.dmp

memory/1904-62-0x0000000073FA0000-0x000000007454B000-memory.dmp
Filesize: 5.7MB

memory/1904-64-0x0000000073FA0000-0x000000007454B000-memory.dmp
Filesize: 5.7MB