Analysis
max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 19-03-2023 15:45
Behavioral task: behavioral1
Sample: 123acf74540b652a549c5d664b627663.exe
Resource: win7-20230220-en
General
Target: 123acf74540b652a549c5d664b627663.exe
Size: 93KB
MD5: 123acf74540b652a549c5d664b627663
SHA1: 57a8230ac3fa6fe42a563c3355aa0512f4939098
SHA256: a7a1f3e3bfc8abc1006276f3cb3bdaa1ff697b9fde421d6d2a181165db11377e
SHA512: 95a94265a64087fe37e22d47a8f11499a036f9f8d949d83f86ac1af02267c83765c5bdc1ab53cb4ee9ed7db41bda854b2ee9931611a82e911e0b5317a44d1c19
SSDEEP: 768:rY30UBnkpjTMpALPGMtsas88EtNXhe9Y1mxCXxrjEtCdnl2pi1Rz4Rk3asGdpxgM:lURkVbPGHz88EbB1pjEwzGi1dDWDxgS
Malware Config
Extracted: njrat 0.7d HacKed
YXJ0LW5vdmVsdHkuYXQucGx5Lmdn:MjU1NjU=
8a45c8c850efba42d799d8b1b94ad051
reg_key: 8a45c8c850efba42d799d8b1b94ad051
splitter: |'|'|
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Executes dropped EXE (1 IoCs)
  Processes: server.exe (PID 2032)
- Loads dropped DLL (2 IoCs)
  Processes: 123acf74540b652a549c5d664b627663.exe (PID 1728), 2 occurrences
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: server.exe (PID 2032), 64 occurrences
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: server.exe (PID 2032)
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Processes: server.exe (PID 2032): Token: SeDebugPrivilege once, followed by 11 repetitions of the pair Token: 33 / Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  PID 1728 (123acf74540b652a549c5d664b627663.exe) wrote to memory of PID 2032 (server.exe), 4 times
  PID 2032 (server.exe) wrote to memory of PID 1476 (netsh.exe), 4 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\123acf74540b652a549c5d664b627663.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\123acf74540b652a549c5d664b627663.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\server.exe
      Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\app
  Filesize: 5B
  MD5: 2099bb64fd1770d321df364f99b658d1
  SHA1: 3124edeaa14c060becfa8b980ed77db15d56a9e3
  SHA256: d53ce6bdbd0c3cb4596ac3103f15824570a9858da95f63cedf64cec11dc44e2d
  SHA512: 3481f2a02f7b1255ad0f3cd8a716de9c7414753b6f8657f0bf99738ff6623f8717469bc10e737d6c0d1d13846e726d50baeb5e8ef73efcfce7be5c63327c4895
- C:\Users\Admin\AppData\Roaming\server.exe
  Filesize: 93KB
  MD5: 123acf74540b652a549c5d664b627663
  SHA1: 57a8230ac3fa6fe42a563c3355aa0512f4939098
  SHA256: a7a1f3e3bfc8abc1006276f3cb3bdaa1ff697b9fde421d6d2a181165db11377e
  SHA512: 95a94265a64087fe37e22d47a8f11499a036f9f8d949d83f86ac1af02267c83765c5bdc1ab53cb4ee9ed7db41bda854b2ee9931611a82e911e0b5317a44d1c19
- memory/1728-55-0x0000000000500000-0x0000000000540000-memory.dmp
  Filesize: 256KB
- memory/2032-68-0x0000000001FC0000-0x0000000002000000-memory.dmp
  Filesize: 256KB
- memory/2032-69-0x0000000001FC0000-0x0000000002000000-memory.dmp
  Filesize: 256KB