Analysis
Max time kernel: 151s
Max time network: 76s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 26-11-2022 08:42
Behavioral task: behavioral1
Sample: 4f0c69afb14d1768b1c74555267239dbaebe00a48fd68c890f093444f4b6e41e.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 4f0c69afb14d1768b1c74555267239dbaebe00a48fd68c890f093444f4b6e41e.exe
Resource: win10v2004-20221111-en
General
Target: 4f0c69afb14d1768b1c74555267239dbaebe00a48fd68c890f093444f4b6e41e.exe
Size: 23KB
MD5: b14754884befd3597f7975b9d9a5bc5b
SHA1: 4d437d94a9c5c5e2a52aedb004970d4872c995f3
SHA256: 4f0c69afb14d1768b1c74555267239dbaebe00a48fd68c890f093444f4b6e41e
SHA512: 2b0ca7e45382db30c850f4cc84964979d6709a1cb86f4e2353b50721d49fcc93975c0bd7168dea2eab424a1d73a60a2b0b03eb1e17644447b41c4c8925398a78
SSDEEP: 384:2weXCQIreJig/8Z7SS1fEBbng6ZgL2IBPZVmRvR6JZlbw8hqIusZzZrc:hLq411URpcnun
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: HacKed
C2: abatata.ddns.net:5552
Mutex: e7d031ada337226244d99c1bac494695
Attributes:
reg_key: e7d031ada337226244d99c1bac494695
splitter: |'|'|
Signatures

Executes dropped EXE (1 IoC)
Processes:
PID 828: server.exe

Modifies Windows Firewall (1 TTP, 1 IoC)

Loads dropped DLL (1 IoC)
Processes:
PID 112: 4f0c69afb14d1768b1c74555267239dbaebe00a48fd68c890f093444f4b6e41e.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description | ioc | process):
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\e7d031ada337226244d99c1bac494695 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\e7d031ada337226244d99c1bac494695 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | server.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (13 IoCs)
Processes (description | pid | process):
Token: SeDebugPrivilege | 828 | server.exe
Token: 33 | 828 | server.exe
Token: SeIncBasePriorityPrivilege | 828 | server.exe
Token: 33 | 828 | server.exe
Token: SeIncBasePriorityPrivilege | 828 | server.exe
Token: 33 | 828 | server.exe
Token: SeIncBasePriorityPrivilege | 828 | server.exe
Token: 33 | 828 | server.exe
Token: SeIncBasePriorityPrivilege | 828 | server.exe
Token: 33 | 828 | server.exe
Token: SeIncBasePriorityPrivilege | 828 | server.exe
Token: 33 | 828 | server.exe
Token: SeIncBasePriorityPrivilege | 828 | server.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description | pid | process | target process):
PID 112 wrote to memory of 828 | 112 | 4f0c69afb14d1768b1c74555267239dbaebe00a48fd68c890f093444f4b6e41e.exe | server.exe
PID 112 wrote to memory of 828 | 112 | 4f0c69afb14d1768b1c74555267239dbaebe00a48fd68c890f093444f4b6e41e.exe | server.exe
PID 112 wrote to memory of 828 | 112 | 4f0c69afb14d1768b1c74555267239dbaebe00a48fd68c890f093444f4b6e41e.exe | server.exe
PID 112 wrote to memory of 828 | 112 | 4f0c69afb14d1768b1c74555267239dbaebe00a48fd68c890f093444f4b6e41e.exe | server.exe
PID 828 wrote to memory of 308 | 828 | server.exe | netsh.exe
PID 828 wrote to memory of 308 | 828 | server.exe | netsh.exe
PID 828 wrote to memory of 308 | 828 | server.exe | netsh.exe
PID 828 wrote to memory of 308 | 828 | server.exe | netsh.exe
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\4f0c69afb14d1768b1c74555267239dbaebe00a48fd68c890f093444f4b6e41e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4f0c69afb14d1768b1c74555267239dbaebe00a48fd68c890f093444f4b6e41e.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  Level 2 (child of level 1): C:\Users\Admin\AppData\Local\Temp\server.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Level 3 (child of level 2): C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      - Modifies Windows Firewall
Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize: 23KB
MD5: b14754884befd3597f7975b9d9a5bc5b
SHA1: 4d437d94a9c5c5e2a52aedb004970d4872c995f3
SHA256: 4f0c69afb14d1768b1c74555267239dbaebe00a48fd68c890f093444f4b6e41e
SHA512: 2b0ca7e45382db30c850f4cc84964979d6709a1cb86f4e2353b50721d49fcc93975c0bd7168dea2eab424a1d73a60a2b0b03eb1e17644447b41c4c8925398a78
memory/112-54-0x0000000075E31000-0x0000000075E33000-memory.dmp (Filesize: 8KB)
memory/112-55-0x0000000074C30000-0x00000000751DB000-memory.dmp (Filesize: 5.7MB)
memory/112-56-0x0000000074C30000-0x00000000751DB000-memory.dmp (Filesize: 5.7MB)
memory/112-62-0x0000000074C30000-0x00000000751DB000-memory.dmp (Filesize: 5.7MB)
memory/308-64-0x0000000000000000-mapping.dmp
memory/828-58-0x0000000000000000-mapping.dmp
memory/828-63-0x0000000074C30000-0x00000000751DB000-memory.dmp (Filesize: 5.7MB)
memory/828-65-0x0000000074C30000-0x00000000751DB000-memory.dmp (Filesize: 5.7MB)