Analysis
-
max time kernel
152s -
max time network
64s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
26-11-2022 08:42
Behavioral task
behavioral1
Sample
3649f08ce04d03624303cef3c3c466df9ecb052b4360113ba1a5044632ec20a8.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
3649f08ce04d03624303cef3c3c466df9ecb052b4360113ba1a5044632ec20a8.exe
Resource
win10v2004-20221111-en
General
-
Target
3649f08ce04d03624303cef3c3c466df9ecb052b4360113ba1a5044632ec20a8.exe
-
Size
23KB
-
MD5
901551435000e0fdd9fe8e1fbcad8ec1
-
SHA1
32f0c052e96880aeb930d023e89c2b76dde716c0
-
SHA256
3649f08ce04d03624303cef3c3c466df9ecb052b4360113ba1a5044632ec20a8
-
SHA512
36312aaf8fcf9bcd14a63cae80d6f31d06cb39d925d6425cbf39b7a1b4efcf3486b2fbd40db5ec6b02efb14a903c249f3c824ad801ae287d6fc0280e5d0097f8
-
SSDEEP
384:w4Q+SAN7uprgvM5OSUswZXg69gbm4hfpFmRvR6JZlbw8hqIusZzZO8K:COaxVULRpcnurv
Malware Config
Extracted
njrat
0.7d
Bedo Victims
bedo112.ddns.net:5552
2d49626530415c0068a82a7da9bb7a16
-
reg_key
2d49626530415c0068a82a7da9bb7a16
-
splitter
|'|'|
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
server.exepid process 1484 server.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Loads dropped DLL 1 IoCs
Processes:
3649f08ce04d03624303cef3c3c466df9ecb052b4360113ba1a5044632ec20a8.exepid process 1668 3649f08ce04d03624303cef3c3c466df9ecb052b4360113ba1a5044632ec20a8.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
server.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\2d49626530415c0068a82a7da9bb7a16 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\2d49626530415c0068a82a7da9bb7a16 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
Processes:
server.exedescription pid process Token: SeDebugPrivilege 1484 server.exe Token: 33 1484 server.exe Token: SeIncBasePriorityPrivilege 1484 server.exe Token: 33 1484 server.exe Token: SeIncBasePriorityPrivilege 1484 server.exe Token: 33 1484 server.exe Token: SeIncBasePriorityPrivilege 1484 server.exe Token: 33 1484 server.exe Token: SeIncBasePriorityPrivilege 1484 server.exe Token: 33 1484 server.exe Token: SeIncBasePriorityPrivilege 1484 server.exe Token: 33 1484 server.exe Token: SeIncBasePriorityPrivilege 1484 server.exe Token: 33 1484 server.exe Token: SeIncBasePriorityPrivilege 1484 server.exe Token: 33 1484 server.exe Token: SeIncBasePriorityPrivilege 1484 server.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
3649f08ce04d03624303cef3c3c466df9ecb052b4360113ba1a5044632ec20a8.exeserver.exedescription pid process target process PID 1668 wrote to memory of 1484 1668 3649f08ce04d03624303cef3c3c466df9ecb052b4360113ba1a5044632ec20a8.exe server.exe PID 1668 wrote to memory of 1484 1668 3649f08ce04d03624303cef3c3c466df9ecb052b4360113ba1a5044632ec20a8.exe server.exe PID 1668 wrote to memory of 1484 1668 3649f08ce04d03624303cef3c3c466df9ecb052b4360113ba1a5044632ec20a8.exe server.exe PID 1668 wrote to memory of 1484 1668 3649f08ce04d03624303cef3c3c466df9ecb052b4360113ba1a5044632ec20a8.exe server.exe PID 1484 wrote to memory of 808 1484 server.exe netsh.exe PID 1484 wrote to memory of 808 1484 server.exe netsh.exe PID 1484 wrote to memory of 808 1484 server.exe netsh.exe PID 1484 wrote to memory of 808 1484 server.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3649f08ce04d03624303cef3c3c466df9ecb052b4360113ba1a5044632ec20a8.exe"C:\Users\Admin\AppData\Local\Temp\3649f08ce04d03624303cef3c3c466df9ecb052b4360113ba1a5044632ec20a8.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
PID:808
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\server.exeFilesize
23KB
MD5901551435000e0fdd9fe8e1fbcad8ec1
SHA132f0c052e96880aeb930d023e89c2b76dde716c0
SHA2563649f08ce04d03624303cef3c3c466df9ecb052b4360113ba1a5044632ec20a8
SHA51236312aaf8fcf9bcd14a63cae80d6f31d06cb39d925d6425cbf39b7a1b4efcf3486b2fbd40db5ec6b02efb14a903c249f3c824ad801ae287d6fc0280e5d0097f8
-
C:\Users\Admin\AppData\Local\Temp\server.exeFilesize
23KB
MD5901551435000e0fdd9fe8e1fbcad8ec1
SHA132f0c052e96880aeb930d023e89c2b76dde716c0
SHA2563649f08ce04d03624303cef3c3c466df9ecb052b4360113ba1a5044632ec20a8
SHA51236312aaf8fcf9bcd14a63cae80d6f31d06cb39d925d6425cbf39b7a1b4efcf3486b2fbd40db5ec6b02efb14a903c249f3c824ad801ae287d6fc0280e5d0097f8
-
\Users\Admin\AppData\Local\Temp\server.exeFilesize
23KB
MD5901551435000e0fdd9fe8e1fbcad8ec1
SHA132f0c052e96880aeb930d023e89c2b76dde716c0
SHA2563649f08ce04d03624303cef3c3c466df9ecb052b4360113ba1a5044632ec20a8
SHA51236312aaf8fcf9bcd14a63cae80d6f31d06cb39d925d6425cbf39b7a1b4efcf3486b2fbd40db5ec6b02efb14a903c249f3c824ad801ae287d6fc0280e5d0097f8
-
memory/808-64-0x0000000000000000-mapping.dmp
-
memory/1484-58-0x0000000000000000-mapping.dmp
-
memory/1484-63-0x0000000074BB0000-0x000000007515B000-memory.dmpFilesize
5.7MB
-
memory/1484-66-0x0000000074BB0000-0x000000007515B000-memory.dmpFilesize
5.7MB
-
memory/1668-54-0x0000000075C81000-0x0000000075C83000-memory.dmpFilesize
8KB
-
memory/1668-55-0x0000000074BB0000-0x000000007515B000-memory.dmpFilesize
5.7MB
-
memory/1668-56-0x0000000074BB0000-0x000000007515B000-memory.dmpFilesize
5.7MB
-
memory/1668-62-0x0000000074BB0000-0x000000007515B000-memory.dmpFilesize
5.7MB