Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 21-03-2023 01:36
Behavioral task: behavioral1
- Sample: 56adfb1405dcba693c73ba64a9d1c463.exe
- Resource: win7-20230220-en
General
- Target: 56adfb1405dcba693c73ba64a9d1c463.exe
- Size: 93KB
- MD5: 56adfb1405dcba693c73ba64a9d1c463
- SHA1: 294664d8ebda0f36572a1fb44c84a1df55376493
- SHA256: 889a5de641983dcca6e2a91b1442812e84fd17821c7117f965f751bea5eb4067
- SHA512: 9a5b362929702907913f4caf50a02c876307731b4ed97252b9196eaafa6b4ae39f1198d0f0d46b8bcdc257336636dcdac20a8cc57d9c7f9705b9e1f982b2cd65
- SSDEEP: 1536:ZerkVbPGHz88Ebb1pjEwzGi1dDXBDrgS:ZekPGHzmf1mi1drxk
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: lox
- C2: YWxyZWFkeS1oZXJlaW4uYXQucGx5Lmdn:NTgxNTg=
- Mutex: 7585b9138af20fd06384c70df526bb85
- reg_key: 7585b9138af20fd06384c70df526bb85
- splitter: |'|'|
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Drops startup file (4 IoCs)
  Processes: server.exe
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7585b9138af20fd06384c70df526bb85Windows System.exe (server.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Comporation.exe (server.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Comporation.exe (server.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7585b9138af20fd06384c70df526bb85Windows System.exe (server.exe)
- Executes dropped EXE (1 IoCs)
  Processes: server.exe
  - PID 364 server.exe
- Loads dropped DLL (2 IoCs)
  Processes: 56adfb1405dcba693c73ba64a9d1c463.exe
  - PID 1584 56adfb1405dcba693c73ba64a9d1c463.exe (2 entries)
- Drops autorun.inf file (1 TTPs, 2 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  Processes: server.exe
  - File created: C:\autorun.inf (server.exe)
  - File opened for modification: C:\autorun.inf (server.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: server.exe
  - PID 364 server.exe (64 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: server.exe
  - PID 364 server.exe
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Processes: server.exe
  - Token: SeDebugPrivilege, PID 364 server.exe (1 entry)
  - Token: 33, PID 364 server.exe (11 entries)
  - Token: SeIncBasePriorityPrivilege, PID 364 server.exe (11 entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 56adfb1405dcba693c73ba64a9d1c463.exe, server.exe
  - PID 1584 (56adfb1405dcba693c73ba64a9d1c463.exe) wrote to memory of PID 364 (server.exe) (4 entries)
  - PID 364 (server.exe) wrote to memory of PID 1716 (netsh.exe) (4 entries)
Processes
- 1. C:\Users\Admin\AppData\Local\Temp\56adfb1405dcba693c73ba64a9d1c463.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\56adfb1405dcba693c73ba64a9d1c463.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - 2. C:\Users\Admin\AppData\Roaming\server.exe (child of 1)
    Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
    - Drops startup file
    - Executes dropped EXE
    - Drops autorun.inf file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - 3. C:\Windows\SysWOW64\netsh.exe (child of 2)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\app
  Filesize: 5B
  MD5: f478c76bbb3174dbc7fabae62224f818
  SHA1: bed239508bad9fcd15a9bdea1e132f62468d07d1
  SHA256: d7a0af52f260c87ef40bdfc1f1196faf7797593d62c6120ae99957d78762ed1a
  SHA512: b653aa05746c721c9129456de3798d9e94385a0e5630c5d497fa0d6076274560885edd5875232b40d07aafa3f0e929e9b3bf2ff388ad2c21b3589cb01b79f94b
- C:\Users\Admin\AppData\Roaming\server.exe (3 identical entries)
  Filesize: 93KB
  MD5: 56adfb1405dcba693c73ba64a9d1c463
  SHA1: 294664d8ebda0f36572a1fb44c84a1df55376493
  SHA256: 889a5de641983dcca6e2a91b1442812e84fd17821c7117f965f751bea5eb4067
  SHA512: 9a5b362929702907913f4caf50a02c876307731b4ed97252b9196eaafa6b4ae39f1198d0f0d46b8bcdc257336636dcdac20a8cc57d9c7f9705b9e1f982b2cd65
- \Users\Admin\AppData\Roaming\server.exe (2 identical entries)
  Filesize: 93KB; MD5, SHA1, SHA256 and SHA512 identical to C:\Users\Admin\AppData\Roaming\server.exe above
- memory/364-68-0x00000000009D0000-0x0000000000A10000-memory.dmp
  Filesize: 256KB
- memory/364-76-0x00000000009D0000-0x0000000000A10000-memory.dmp
  Filesize: 256KB
- memory/364-77-0x00000000009D0000-0x0000000000A10000-memory.dmp
  Filesize: 256KB
- memory/1584-54-0x00000000001E0000-0x0000000000220000-memory.dmp
  Filesize: 256KB