Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
- submitted: 21-03-2023 01:00
Behavioral task: behavioral1
Sample: a7a1f3e3bfc8abc1006276f3cb3bdaa1ff697b9fde421d6d2a181165db11377e.exe
Resource: win7-20230220-en
General
- Target: a7a1f3e3bfc8abc1006276f3cb3bdaa1ff697b9fde421d6d2a181165db11377e.exe
- Size: 93KB
- MD5: 123acf74540b652a549c5d664b627663
- SHA1: 57a8230ac3fa6fe42a563c3355aa0512f4939098
- SHA256: a7a1f3e3bfc8abc1006276f3cb3bdaa1ff697b9fde421d6d2a181165db11377e
- SHA512: 95a94265a64087fe37e22d47a8f11499a036f9f8d949d83f86ac1af02267c83765c5bdc1ab53cb4ee9ed7db41bda854b2ee9931611a82e911e0b5317a44d1c19
- SSDEEP: 768:rY30UBnkpjTMpALPGMtsas88EtNXhe9Y1mxCXxrjEtCdnl2pi1Rz4Rk3asGdpxgM:lURkVbPGHz88EbB1pjEwzGi1dDWDxgS
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: YXJ0LW5vdmVsdHkuYXQucGx5Lmdn:MjU1NjU=
- Mutex: 8a45c8c850efba42d799d8b1b94ad051
- reg_key: 8a45c8c850efba42d799d8b1b94ad051
- splitter: |'|'|
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Executes dropped EXE (1 IoCs)
  Processes (pid, process): 1320 server.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process): 1292 a7a1f3e3bfc8abc1006276f3cb3bdaa1ff697b9fde421d6d2a181165db11377e.exe (2 entries)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process): 1320 server.exe (64 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid, process): 1320 server.exe
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Processes (description, pid, process):
  Token: SeDebugPrivilege, 1320, server.exe (1 entry)
  Token: 33, 1320, server.exe (11 entries, alternating with the next)
  Token: SeIncBasePriorityPrivilege, 1320, server.exe (11 entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
  PID 1292 wrote to memory of 1320: a7a1f3e3bfc8abc1006276f3cb3bdaa1ff697b9fde421d6d2a181165db11377e.exe -> server.exe (4 entries)
  PID 1320 wrote to memory of 1688: server.exe -> netsh.exe (4 entries)
Processes
- (level 1) C:\Users\Admin\AppData\Local\Temp\a7a1f3e3bfc8abc1006276f3cb3bdaa1ff697b9fde421d6d2a181165db11377e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a7a1f3e3bfc8abc1006276f3cb3bdaa1ff697b9fde421d6d2a181165db11377e.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- (level 2) C:\Users\Admin\AppData\Roaming\server.exe
  Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- (level 3) C:\Windows\SysWOW64\netsh.exe
  Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
  - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\app
  Filesize: 5B
  MD5: f478c76bbb3174dbc7fabae62224f818
  SHA1: bed239508bad9fcd15a9bdea1e132f62468d07d1
  SHA256: d7a0af52f260c87ef40bdfc1f1196faf7797593d62c6120ae99957d78762ed1a
  SHA512: b653aa05746c721c9129456de3798d9e94385a0e5630c5d497fa0d6076274560885edd5875232b40d07aafa3f0e929e9b3bf2ff388ad2c21b3589cb01b79f94b
- C:\Users\Admin\AppData\Roaming\server.exe
  Filesize: 93KB
  MD5: 123acf74540b652a549c5d664b627663
  SHA1: 57a8230ac3fa6fe42a563c3355aa0512f4939098
  SHA256: a7a1f3e3bfc8abc1006276f3cb3bdaa1ff697b9fde421d6d2a181165db11377e
  SHA512: 95a94265a64087fe37e22d47a8f11499a036f9f8d949d83f86ac1af02267c83765c5bdc1ab53cb4ee9ed7db41bda854b2ee9931611a82e911e0b5317a44d1c19
- memory/1292-55-0x0000000000220000-0x0000000000260000-memory.dmp
  Filesize: 256KB
- memory/1320-68-0x0000000000330000-0x0000000000370000-memory.dmp
  Filesize: 256KB
- memory/1320-69-0x0000000000330000-0x0000000000370000-memory.dmp
  Filesize: 256KB