Analysis

max time kernel: 150s
max time network: 148s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 17-03-2023 00:31

Static task: static1
Behavioral task: behavioral1
Sample: 4c2d57d34e69887b905ac39fbb58d736.exe
Resource: win7-20230220-en
General

Target: 4c2d57d34e69887b905ac39fbb58d736.exe
Size: 199KB
MD5: 4c2d57d34e69887b905ac39fbb58d736
SHA1: a35b9371a42a87a814dd68ff9db30f6e1e95a008
SHA256: 75e794dd1ddfe6d2585dc9031c32fa1c27515d08476d7d2dd52dd650bfbb934d
SHA512: 42690607f291369b3231d9fcf2e885670eb34d81fc8e8b20236c1f5fa80f30dbefc3f4cfae9481c71cd04c89952131b521e57aad46e2eef3cfb90e75464a84f3
SSDEEP: 3072:VRs0YSY6FGHBu/84ozP1a4HjQPp4UgcaaeN3AxB3qRrvCG2KSWFPQ4pn1iqZyt:L4HY/8aOj44UVD0Qx5qX2KxFPQsn1NZO
Malware Config

Extracted
Family: njrat
Version: 0.7d
Botnet: HacKed
C2: Zm9ycnV4eC5kZG5zLm5ldAStrikStrik:OTA5MA==
Mutex: 30bf20a7c4c21398efee41949036ac7b
Attributes:
  reg_key: 30bf20a7c4c21398efee41949036ac7b
  splitter: |'|'|
Signatures

Modifies Windows Firewall (1 TTPs, 3 IoCs)
Processes:
  pid   process
  1672  netsh.exe
  300   netsh.exe
  1020  netsh.exe

Drops startup file (6 IoCs)
Processes:
  description                  | ioc                                                                                                          | process
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe                 | server.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe                 | server.exe
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\30bf20a7c4c21398efee41949036ac7bWindows Update.exe | server.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\30bf20a7c4c21398efee41949036ac7bWindows Update.exe | server.exe
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe                               | server.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe                               | server.exe

Executes dropped EXE (1 IoCs)
Processes:
  pid   process
  980   server.exe

Drops autorun.inf file (1 TTPs, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
  description                  | ioc            | process
  File created                 | C:\autorun.inf | server.exe
  File opened for modification | C:\autorun.inf | server.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid   process
  980   server.exe (the same entry repeated 64 times)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid   process
  980   server.exe

Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes:
  description                        | pid   | process
  Token: SeDebugPrivilege            | 2040  | 4c2d57d34e69887b905ac39fbb58d736.exe
  Token: SeDebugPrivilege            | 980   | server.exe
  Token: 33                          | 980   | server.exe (11 entries, alternating with the next row)
  Token: SeIncBasePriorityPrivilege  | 980   | server.exe (11 entries)

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                      | pid   | process                               | target process
  PID 2040 wrote to memory of 980  | 2040  | 4c2d57d34e69887b905ac39fbb58d736.exe  | server.exe (3 entries)
  PID 980 wrote to memory of 1672  | 980   | server.exe                            | netsh.exe (3 entries)
  PID 980 wrote to memory of 300   | 980   | server.exe                            | netsh.exe (3 entries)
  PID 980 wrote to memory of 1020  | 980   | server.exe                            | netsh.exe (3 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\4c2d57d34e69887b905ac39fbb58d736.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4c2d57d34e69887b905ac39fbb58d736.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\server.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Drops startup file
      - Executes dropped EXE
      - Drops autorun.inf file
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
         - Modifies Windows Firewall

      3. C:\Windows\system32\netsh.exe
         Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
         - Modifies Windows Firewall

      3. C:\Windows\system32\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
         - Modifies Windows Firewall
Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 199KB
  MD5: 4c2d57d34e69887b905ac39fbb58d736
  SHA1: a35b9371a42a87a814dd68ff9db30f6e1e95a008
  SHA256: 75e794dd1ddfe6d2585dc9031c32fa1c27515d08476d7d2dd52dd650bfbb934d
  SHA512: 42690607f291369b3231d9fcf2e885670eb34d81fc8e8b20236c1f5fa80f30dbefc3f4cfae9481c71cd04c89952131b521e57aad46e2eef3cfb90e75464a84f3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\30bf20a7c4c21398efee41949036ac7bWindows Update.exe
  Filesize: 199KB
  MD5: 4c2d57d34e69887b905ac39fbb58d736
  SHA1: a35b9371a42a87a814dd68ff9db30f6e1e95a008
  SHA256: 75e794dd1ddfe6d2585dc9031c32fa1c27515d08476d7d2dd52dd650bfbb934d
  SHA512: 42690607f291369b3231d9fcf2e885670eb34d81fc8e8b20236c1f5fa80f30dbefc3f4cfae9481c71cd04c89952131b521e57aad46e2eef3cfb90e75464a84f3

C:\Users\Admin\AppData\Roaming\app
  Filesize: 5B
  MD5: 69cf10399d0d1350c3698099796624cb
  SHA1: d0b58b76ff065f51172971853a7da414286d9ea7
  SHA256: a7bff94c7cdef50b67a3bab142ebcec4d360491e339581c41f433fec6d002f48
  SHA512: 5e1c9745b2b529c026e51fbff7fd4e1e0bd208c705b7da830459758d28c01b32b9bc93caa7ad60228d3e785784023d8a739fda0dab62d3c76770ea84c257f1f7

memory/980-63-0x0000000001320000-0x000000000132C000-memory.dmp
  Filesize: 48KB

memory/980-64-0x000000001B240000-0x000000001B2C0000-memory.dmp
  Filesize: 512KB

memory/980-78-0x00000000004C0000-0x00000000004CA000-memory.dmp
  Filesize: 40KB

memory/2040-54-0x0000000000A00000-0x0000000000A0C000-memory.dmp
  Filesize: 48KB

memory/2040-55-0x0000000000560000-0x000000000057C000-memory.dmp
  Filesize: 112KB

memory/2040-57-0x000000001B2C0000-0x000000001B340000-memory.dmp
  Filesize: 512KB