Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
26-11-2022 08:43
Behavioral task
behavioral1
Sample
0873645be495b8ad95cd7934e510f7cfa99805babe0f477ef3380e3c54d1795d.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
0873645be495b8ad95cd7934e510f7cfa99805babe0f477ef3380e3c54d1795d.exe
Resource
win10v2004-20220812-en
General
-
Target
0873645be495b8ad95cd7934e510f7cfa99805babe0f477ef3380e3c54d1795d.exe
-
Size
23KB
-
MD5
5a8b9ebda969634bab664c077b431da7
-
SHA1
3507c4ad69c29ad9146748d1dceec16ea2bad0ea
-
SHA256
0873645be495b8ad95cd7934e510f7cfa99805babe0f477ef3380e3c54d1795d
-
SHA512
96e5a65bddf0a52e1c764d6a6dfbd5acaf1dadabda395e0f82e3ab47f7445b6319d187ded84900de0c919505b77f73965aa5aa756c6322d0b54047d2972beb40
-
SSDEEP
384:LcqbCK0l4h7o9SVyDGvENuh46/gJkOmMSW38mRvR6JZlbw8hqIusZzZqA:Q30py6vhxaRpcnuI
Malware Config
Extracted
njrat
0.7d
HacKed
192.168.1.110:5552
b4647b9af4204af569c0253484a5ae5a
-
reg_key
b4647b9af4204af569c0253484a5ae5a
-
splitter
|'|'|
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
server.exepid process 1332 server.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Loads dropped DLL 1 IoCs
Processes:
0873645be495b8ad95cd7934e510f7cfa99805babe0f477ef3380e3c54d1795d.exepid process 1600 0873645be495b8ad95cd7934e510f7cfa99805babe0f477ef3380e3c54d1795d.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
server.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\b4647b9af4204af569c0253484a5ae5a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\b4647b9af4204af569c0253484a5ae5a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
Processes:
server.exedescription pid process Token: SeDebugPrivilege 1332 server.exe Token: 33 1332 server.exe Token: SeIncBasePriorityPrivilege 1332 server.exe Token: 33 1332 server.exe Token: SeIncBasePriorityPrivilege 1332 server.exe Token: 33 1332 server.exe Token: SeIncBasePriorityPrivilege 1332 server.exe Token: 33 1332 server.exe Token: SeIncBasePriorityPrivilege 1332 server.exe Token: 33 1332 server.exe Token: SeIncBasePriorityPrivilege 1332 server.exe Token: 33 1332 server.exe Token: SeIncBasePriorityPrivilege 1332 server.exe Token: 33 1332 server.exe Token: SeIncBasePriorityPrivilege 1332 server.exe Token: 33 1332 server.exe Token: SeIncBasePriorityPrivilege 1332 server.exe Token: 33 1332 server.exe Token: SeIncBasePriorityPrivilege 1332 server.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
0873645be495b8ad95cd7934e510f7cfa99805babe0f477ef3380e3c54d1795d.exeserver.exedescription pid process target process PID 1600 wrote to memory of 1332 1600 0873645be495b8ad95cd7934e510f7cfa99805babe0f477ef3380e3c54d1795d.exe server.exe PID 1600 wrote to memory of 1332 1600 0873645be495b8ad95cd7934e510f7cfa99805babe0f477ef3380e3c54d1795d.exe server.exe PID 1600 wrote to memory of 1332 1600 0873645be495b8ad95cd7934e510f7cfa99805babe0f477ef3380e3c54d1795d.exe server.exe PID 1600 wrote to memory of 1332 1600 0873645be495b8ad95cd7934e510f7cfa99805babe0f477ef3380e3c54d1795d.exe server.exe PID 1332 wrote to memory of 1728 1332 server.exe netsh.exe PID 1332 wrote to memory of 1728 1332 server.exe netsh.exe PID 1332 wrote to memory of 1728 1332 server.exe netsh.exe PID 1332 wrote to memory of 1728 1332 server.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0873645be495b8ad95cd7934e510f7cfa99805babe0f477ef3380e3c54d1795d.exe"C:\Users\Admin\AppData\Local\Temp\0873645be495b8ad95cd7934e510f7cfa99805babe0f477ef3380e3c54d1795d.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\server.exeFilesize
23KB
MD55a8b9ebda969634bab664c077b431da7
SHA13507c4ad69c29ad9146748d1dceec16ea2bad0ea
SHA2560873645be495b8ad95cd7934e510f7cfa99805babe0f477ef3380e3c54d1795d
SHA51296e5a65bddf0a52e1c764d6a6dfbd5acaf1dadabda395e0f82e3ab47f7445b6319d187ded84900de0c919505b77f73965aa5aa756c6322d0b54047d2972beb40
-
C:\Users\Admin\AppData\Local\Temp\server.exeFilesize
23KB
MD55a8b9ebda969634bab664c077b431da7
SHA13507c4ad69c29ad9146748d1dceec16ea2bad0ea
SHA2560873645be495b8ad95cd7934e510f7cfa99805babe0f477ef3380e3c54d1795d
SHA51296e5a65bddf0a52e1c764d6a6dfbd5acaf1dadabda395e0f82e3ab47f7445b6319d187ded84900de0c919505b77f73965aa5aa756c6322d0b54047d2972beb40
-
\Users\Admin\AppData\Local\Temp\server.exeFilesize
23KB
MD55a8b9ebda969634bab664c077b431da7
SHA13507c4ad69c29ad9146748d1dceec16ea2bad0ea
SHA2560873645be495b8ad95cd7934e510f7cfa99805babe0f477ef3380e3c54d1795d
SHA51296e5a65bddf0a52e1c764d6a6dfbd5acaf1dadabda395e0f82e3ab47f7445b6319d187ded84900de0c919505b77f73965aa5aa756c6322d0b54047d2972beb40
-
memory/1332-57-0x0000000000000000-mapping.dmp
-
memory/1332-62-0x0000000074100000-0x00000000746AB000-memory.dmpFilesize
5.7MB
-
memory/1332-65-0x0000000074100000-0x00000000746AB000-memory.dmpFilesize
5.7MB
-
memory/1600-54-0x00000000752B1000-0x00000000752B3000-memory.dmpFilesize
8KB
-
memory/1600-55-0x0000000074100000-0x00000000746AB000-memory.dmpFilesize
5.7MB
-
memory/1600-61-0x0000000074100000-0x00000000746AB000-memory.dmpFilesize
5.7MB
-
memory/1728-63-0x0000000000000000-mapping.dmp