Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 25-01-2023 11:31
Behavioral task behavioral1
- Sample: c0dbbc6e77a3b9cdad5563e7c814e053.exe
- Resource: win7-20220901-en
Behavioral task behavioral2
- Sample: c0dbbc6e77a3b9cdad5563e7c814e053.exe
- Resource: win10v2004-20221111-en
The results below are from behavioral1 (Windows 7 x64): the PIDs, the SysWOW64 child processes and the Wow6432Node Run key all belong to that run. No output from the Windows 10 task appears on this page.
General
- Target: c0dbbc6e77a3b9cdad5563e7c814e053.exe
- Size: 37KB
- MD5: c0dbbc6e77a3b9cdad5563e7c814e053
- SHA1: c814d27d1c1e7963c7d3ba533025918d70fc1ef2
- SHA256: 62723ed12c72ceb21bc77c63811f58ab082b36bd8487531d8b52e4de5030c7f1
- SHA512: 7f6bd0194165cc713a35139f1a342fe3150d0b53996985d8cb487b1c1cd9ea352d2d21941bd9f26920f73953185d814c9c95e976b82ccd1cd66fb50e6258364a
- SSDEEP: 384:OA0GK3hUidkcXR21cGMy8P4E5fXUFl6M0lrAF+rMRTyN/0L+EcoinblneHQM3ep:R0GK3rLGv8P4E58qMorM+rMRa8Nunmt
Malware Config
Extracted
- family: njrat
- version: im523
- botnet (campaign ID): HacKed
- C2: 104.22.32.240:443
- mutex: a1d3fe53d6645a42400095b4adec79f5
- reg_key: a1d3fe53d6645a42400095b4adec79f5
- splitter: |'|'|
The mutex/reg_key value is reused by the implant as the name of its Run value and of its Startup-folder copy (see the signatures below), so this one string is an IoC for the registry, the file system and the mutex namespace. The splitter is the field delimiter in njRAT's C2 protocol. The report's Network section is empty, so no connection to the configured C2 is recorded in this run.
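The splitter and C2 above describe how the implant frames its traffic. As an added example (not part of the sandbox report and not njRAT's own code), the Python below frames and deframes messages the way njRAT does: an ASCII decimal length, a NUL byte, then the body, with fields inside the body joined by the extracted splitter. The beacon contents, field order and values are constructed assumptions for illustration, not data from this report; the C2 address is kept only as a constant and is never contacted.

```python
"""njRAT C2 message framing, using the splitter from the extracted config.

Added example, not part of the sandbox report. njRAT frames each message as
the ASCII decimal length of the body, a NUL byte, then the body, and joins
the fields inside a body with the configured splitter. The beacon below is
constructed for illustration: the field layout and values (bot id, host
name, user, OS string) are assumptions, not data from this report.
"""
from typing import Iterator, List

SPLITTER = "|'|'|"            # splitter from the extracted config
C2 = ("104.22.32.240", 443)   # C2 from the extracted config (never contacted here)


def frame(body: bytes) -> bytes:
    """Encode one message as "<decimal length>\\0<body>"."""
    return str(len(body)).encode("ascii") + b"\x00" + body


def deframe(stream: bytes) -> Iterator[bytes]:
    """Yield complete message bodies from a captured TCP byte stream.

    A trailing partial frame is left unconsumed so the caller can buffer more
    data; a non-numeric length prefix raises ValueError instead of being
    skipped, because a desynchronised stream must not be silently realigned.
    """
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            return                       # length prefix incomplete
        prefix = stream[pos:nul]
        if not prefix.isdigit():
            raise ValueError(f"bad length prefix at offset {pos}: {prefix!r}")
        start = nul + 1
        end = start + int(prefix)
        if end > len(stream):
            return                       # body incomplete
        yield stream[start:end]
        pos = end


def split_fields(body: bytes) -> List[str]:
    """Split a message body into its splitter-delimited fields."""
    return body.decode("utf-8", errors="replace").split(SPLITTER)


def parse_stream(stream: bytes) -> List[List[str]]:
    """Return the field lists of every complete message in the stream."""
    return [split_fields(body) for body in deframe(stream)]


def is_desynchronised(stream: bytes) -> bool:
    """True when the stream does not start with a valid length prefix."""
    try:
        list(deframe(stream))
        return False
    except ValueError:
        return True


# Constructed beacon: command "ll" followed by bot id and host details.
# Field order and values are illustrative assumptions, not report data.
BEACON_FIELDS = ["ll", "HacKed_1A2B3C4D", "WIN7-PC", "Admin", "25-01-23", "",
                 "Win 7 Professional SP1", "No", "im523", ".."]
BEACON = frame(SPLITTER.join(BEACON_FIELDS).encode("utf-8"))

# Two complete messages followed by a partial one (length says 12, only 7 bytes).
SAMPLE_STREAM = BEACON + frame(b"inf") + b"12\x00partial"

if __name__ == "__main__":
    for fields in parse_stream(SAMPLE_STREAM):
        print(fields)
```

Feeding a reassembled TCP stream from the C2 port into `parse_stream` yields one field list per message; the first field is the command and, for the beacon, the second carries the botnet ID (HacKed) prefixed to the victim identifier. Because the length prefix is plain decimal text, a detection on the wire can key on the regular expression `^[0-9]+\x00` followed by the splitter rather than on the C2 address, which is easy for the operator to rotate.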
Signatures
- Executes dropped EXE (1 IoC)
  server.exe (PID 916)
- Modifies Windows Firewall (1 TTP, 1 IoC)
  netsh.exe (PID 576); the command line is in the process tree below.
- Drops startup file (2 IoCs)
  server.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a1d3fe53d6645a42400095b4adec79f5.exe
  server.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a1d3fe53d6645a42400095b4adec79f5.exe
  The file name is the reg_key/mutex value from the extracted config.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  server.exe: Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\a1d3fe53d6645a42400095b4adec79f5 = "C:\Windows\server.exe" ..
  server.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\a1d3fe53d6645a42400095b4adec79f5 = "C:\Windows\server.exe" ..
  The value name is again the reg_key from the config. It is written both for the current user and machine-wide, the latter under Wow6432Node (the 32-bit registry view, consistent with a 32-bit process that launches its children from SysWOW64). The trailing " .." argument is njRAT's usual Run-value form and is a good detection token on its own.
- Drops file in Windows directory (3 IoCs)
  c0dbbc6e77a3b9cdad5563e7c814e053.exe: File opened for modification C:\Windows\server.exe
  server.exe: File opened for modification C:\Windows\server.exe
  c0dbbc6e77a3b9cdad5563e7c814e053.exe: File created C:\Windows\server.exe
  Creating a file directly under C:\Windows requires write access to that directory, which a standard user token does not have; the copy succeeded here, so the sample ran with sufficient (administrative) rights in this sandbox. On a host where it runs as a standard user this step fails.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  The "likely ransomware" wording is the sandbox's generic description for this signature. Nothing else in this report shows file encryption; njRAT is a remote access trojan, and drive enumeration is consistent with its removable-media spreading option.
- Kills process with taskkill (1 IoC)
  taskkill.exe (PID 832)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  64 events, all from server.exe (PID 916)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  server.exe (PID 916). Repeated foreground-window queries are consistent with the RAT polling the active window title for reporting to its operator.
- Suspicious use of AdjustPrivilegeToken (20 IoCs)
  Token: SeDebugPrivilege, server.exe (PID 916)
  Token: SeDebugPrivilege, taskkill.exe (PID 832)
  Then nine alternating pairs of Token: 33 and Token: SeIncBasePriorityPrivilege, all from server.exe (PID 916). 33 is the raw privilege LUID as the sandbox logged it; the report does not resolve it to a name.
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2016 c0dbbc6e77a3b9cdad5563e7c814e053.exe wrote to memory of PID 916 server.exe (4 events)
  PID 916 server.exe wrote to memory of PID 576 netsh.exe (4 events)
  PID 916 server.exe wrote to memory of PID 832 taskkill.exe (4 events)
  Every write is from a parent into a child it has just created; the report records no write into a pre-existing process, so this is consistent with ordinary process creation rather than injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\c0dbbc6e77a3b9cdad5563e7c814e053.exe (PID 2016)
   Command line: "C:\Users\Admin\AppData\Local\Temp\c0dbbc6e77a3b9cdad5563e7c814e053.exe"
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\server.exe (PID 916)
      Command line: "C:\Windows\server.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (PID 576)
         Command line: netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
         - Modifies Windows Firewall
         This is the legacy "netsh firewall" context (superseded by "netsh advfirewall" but still accepted on Windows 7); it adds a Windows Firewall program exception for the dropped binary. A non-installer process spawning netsh with "add allowedprogram" or "add rule" is a high-signal detection.
      3. C:\Windows\SysWOW64\taskkill.exe (PID 832)
         Command line: taskkill /F /IM Exsample.exe
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
         Force-terminates any process named Exsample.exe, a name that appears nowhere else in this report; most plausibly an earlier instance of the implant under its original file name.
Nesting levels 1, 2 and 3 are the parent/child depth in the process tree; PIDs are taken from the WriteProcessMemory signature above.
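The process tree and signatures above give a concrete set of host artefacts to hunt for: an executable written directly into C:\Windows by a %TEMP% binary, a copy in the Startup folder, Run values ending in " ..", a netsh firewall exception, and taskkill spawned by the installed binary. As an added example (not part of the sandbox report), the Python below encodes those as rules and runs them over constructed Sysmon-like events that mirror this report; the event schema, the rule names and the benign control events are this example's own assumptions, and the netsh rule goes beyond the sample by also matching the modern "netsh advfirewall firewall add rule ... program=" form.

```python
"""Host detection rules for the behaviour recorded in this report.

Added example, not sandbox output. SAMPLE_EVENTS are constructed to mirror
the report's file drop, Startup-folder copy, Run values, netsh and taskkill
children in a Sysmon-like shape; they are not real telemetry, and the event
schema, rule names and allowlist are this example's own assumptions.
"""
import re
from typing import Dict, List

Event = Dict[str, str]
Finding = Dict[str, str]

RUN_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
WINDOWS_ROOT_EXE_RE = re.compile(r"^[A-Z]:\\Windows\\[^\\]+\.exe$", re.I)
# Legacy "netsh firewall add allowedprogram <path>" (this sample) and the
# modern "netsh advfirewall firewall add rule ... program=<path>" form.
NETSH_ALLOW_RE = re.compile(
    r'netsh\s+(?:firewall\s+add\s+allowedprogram\s+"?([^"\s]+)"?'
    r'|advfirewall\s+firewall\s+add\s+rule\s+.*?program="?([^"\s]+)"?)', re.I)
TASKKILL_RE = re.compile(r"taskkill(?:\.exe)?\s+/F\s+/IM\s+(\S+)", re.I)
TEMP_DIR = "\\appdata\\local\\temp\\"
# Executables legitimately present directly under C:\Windows (partial allowlist).
KNOWN_WINDOWS_ROOT = {"explorer.exe", "regedit.exe", "notepad.exe", "hh.exe",
                      "write.exe", "splwow64.exe", "bfsvc.exe"}


def unexpected_windows_root_exe(path: str) -> bool:
    """True for an .exe directly under C:\\Windows that is not on the allowlist."""
    name = path.rsplit("\\", 1)[-1].lower()   # no os.path: runs on any host OS
    return bool(WINDOWS_ROOT_EXE_RE.match(path)) and name not in KNOWN_WINDOWS_ROOT


def _finding(rule: str, severity: str, ev: Event, evidence: str) -> Finding:
    return {"rule": rule, "severity": severity,
            "image": ev.get("image", ""), "evidence": evidence}


def detect(events: List[Event]) -> List[Finding]:
    """Apply every rule to each event; findings come back in event order."""
    findings: List[Finding] = []
    for ev in events:
        kind, image = ev["type"], ev.get("image", "")
        target, cmdline = ev.get("target", ""), ev.get("cmdline", "")
        if kind == "registry_set" and RUN_KEY_RE.search(target):
            data = ev.get("details", "")
            # njRAT writes '"<path>" ..'; the trailing ".." argument is its marker.
            sev = "high" if data.rstrip().endswith(" ..") else "low"
            findings.append(_finding("run_key_persistence", sev, ev, f"{target} = {data}"))
        elif kind == "file_create" and STARTUP_DIR_RE.search(target):
            findings.append(_finding("startup_folder_persistence", "high", ev, target))
        elif (kind == "file_create" and unexpected_windows_root_exe(target)
              and TEMP_DIR in image.lower()):
            findings.append(_finding("dropper_to_windows_root", "high", ev, target))
        elif kind == "process_create":
            netsh = NETSH_ALLOW_RE.search(cmdline)
            kill = TASKKILL_RE.search(cmdline)
            if netsh:
                findings.append(_finding("firewall_allow_program", "high", ev,
                                         netsh.group(1) or netsh.group(2)))
            elif kill and unexpected_windows_root_exe(ev.get("parent_image", "")):
                findings.append(_finding("taskkill_from_windows_root_binary",
                                         "medium", ev, kill.group(1)))
    return findings


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\c0dbbc6e77a3b9cdad5563e7c814e053.exe"
IMPLANT = r"C:\Windows\server.exe"
STARTUP = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
           r"\Startup\a1d3fe53d6645a42400095b4adec79f5.exe")
# Constructed events mirroring the report (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    {"type": "file_create", "image": DROPPER, "target": IMPLANT},
    {"type": "process_create", "image": IMPLANT, "parent_image": DROPPER,
     "cmdline": '"C:\\Windows\\server.exe"'},
    {"type": "file_create", "image": IMPLANT, "target": STARTUP},
    {"type": "registry_set", "image": IMPLANT, "details": '"C:\\Windows\\server.exe" ..',
     "target": r"HKU\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft"
               r"\Windows\CurrentVersion\Run\a1d3fe53d6645a42400095b4adec79f5"},
    {"type": "registry_set", "image": IMPLANT, "details": '"C:\\Windows\\server.exe" ..',
     "target": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"
               r"\a1d3fe53d6645a42400095b4adec79f5"},
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\netsh.exe",
     "parent_image": IMPLANT,
     "cmdline": 'netsh firewall add allowedprogram "C:\\Windows\\server.exe" "server.exe" ENABLE'},
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "parent_image": IMPLANT, "cmdline": "taskkill /F /IM Exsample.exe"},
]
# Constructed benign control: an installer's Run value and a taskkill from cmd.exe.
BENIGN_EVENTS: List[Event] = [
    {"type": "registry_set", "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "details": '"C:\\Program Files\\Vendor\\agent.exe" --background'},
    {"type": "process_create", "image": r"C:\Windows\System32\taskkill.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "taskkill /F /IM notepad.exe"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS) + detect(BENIGN_EVENTS):
        print(f["severity"], f["rule"], f["evidence"])
```

The benign control matters as much as the positive case: an ordinary installer also writes a Run value, so that rule alone is only "low" severity, and it is the " .." suffix, the Startup-folder copy, the %TEMP%-to-C:\Windows drop and the netsh exception that raise the verdict. The allowlist for C:\Windows root executables is deliberately partial; in production it should be generated from a known-good image rather than hand-written, otherwise explorer.exe spawning taskkill would be flagged.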
Network
No network events are listed in this report; a connection to the configured C2 (104.22.32.240:443) is therefore not recorded for this run.
MITRE ATT&CK Matrix ATT&CK v6
The matrix itself is not rendered on this page; the mapped behaviours are the ones marked "TTPs" in the signatures above (Run key and Startup-folder persistence, firewall modification, storage-device enumeration).
Downloads
- C:\Windows\server.exe
  Filesize: 37KB
  MD5: c0dbbc6e77a3b9cdad5563e7c814e053
  SHA1: c814d27d1c1e7963c7d3ba533025918d70fc1ef2
  SHA256: 62723ed12c72ceb21bc77c63811f58ab082b36bd8487531d8b52e4de5030c7f1
  SHA512: 7f6bd0194165cc713a35139f1a342fe3150d0b53996985d8cb487b1c1cd9ea352d2d21941bd9f26920f73953185d814c9c95e976b82ccd1cd66fb50e6258364a
  Listed twice in the original report with identical hashes; shown once here. The hashes match the submitted sample exactly, so the dropper writes an unmodified copy of itself to C:\Windows\server.exe and one file hash covers both the submitted file and the installed copy.
Memory dumps:
- memory/576-62-0x0000000000000000-mapping.dmp (netsh.exe, PID 576)
- memory/832-63-0x0000000000000000-mapping.dmp (taskkill.exe, PID 832)
- memory/916-56-0x0000000000000000-mapping.dmp (server.exe, PID 916)
- memory/916-61-0x00000000749D0000-0x0000000074F7B000-memory.dmp, 5.7MB (server.exe, PID 916)
- memory/916-65-0x00000000749D0000-0x0000000074F7B000-memory.dmp, 5.7MB (server.exe, PID 916)
- memory/2016-54-0x00000000757A1000-0x00000000757A3000-memory.dmp, 8KB (c0dbbc6e77a3b9cdad5563e7c814e053.exe, PID 2016)
- memory/2016-55-0x00000000749D0000-0x0000000074F7B000-memory.dmp, 5.7MB (c0dbbc6e77a3b9cdad5563e7c814e053.exe, PID 2016)
- memory/2016-60-0x00000000749D0000-0x0000000074F7B000-memory.dmp, 5.7MB (c0dbbc6e77a3b9cdad5563e7c814e053.exe, PID 2016)
The same 5.7MB region (0x749D0000-0x74F7B000) is dumped from both the dropper and server.exe, consistent with two instances of the same binary mapping the same module at the same base address.