Analysis
-
max time kernel
138s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system -
submitted
25-03-2023 09:14
Behavioral task
behavioral1
Sample
0a7a183e777365134ecc6b30d2ef6111.exe
Resource
win7-20230220-en
General
-
Target
0a7a183e777365134ecc6b30d2ef6111.exe
-
Size
37KB
-
MD5
0a7a183e777365134ecc6b30d2ef6111
-
SHA1
5e43a2d49c2aeb6c438d9e7999215693ef90254e
-
SHA256
b9dac8380436e34e0698ff15fa73b6026a87294905bc5f9af9cab7298f208e07
-
SHA512
5e12c77ab23e809501cfe44a6f6eb4b80f57965b88d897029e1d2a70850a3e3ff70c3bbe828969b31bccdd78759ae1d1745dad90efcbe7cac0f7914c2f01b215
-
SSDEEP
384:VSSvEiTbTvpWNcZ0y8fvCv3v3cLkacpjrAF+rMRTyN/0L+EcoinblneHQM3epzX0:MS7TZ38fvCv3E1c1rM+rMRa8NuE3t
Malware Config
Extracted
njrat
im523
HacKed
0.tcp.eu.ngrok.io:14888
4bf7c75d2b9974791b37b4aa6f0605e4
-
reg_key
4bf7c75d2b9974791b37b4aa6f0605e4
-
splitter
|'|'|
Signatures
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Executes dropped EXE 1 IoCs
Processes:
pid   process
1028  server.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid   process
1716  0a7a183e777365134ecc6b30d2ef6111.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
Processes:
description                         pid   process
Token: SeDebugPrivilege             1028  server.exe
Token: 33                           1028  server.exe
Token: SeIncBasePriorityPrivilege   1028  server.exe
Token: 33                           1028  server.exe
Token: SeIncBasePriorityPrivilege   1028  server.exe
Token: 33                           1028  server.exe
Token: SeIncBasePriorityPrivilege   1028  server.exe
Token: 33                           1028  server.exe
Token: SeIncBasePriorityPrivilege   1028  server.exe
Token: 33                           1028  server.exe
Token: SeIncBasePriorityPrivilege   1028  server.exe
Token: 33                           1028  server.exe
Token: SeIncBasePriorityPrivilege   1028  server.exe
Token: 33                           1028  server.exe
Token: SeIncBasePriorityPrivilege   1028  server.exe
Token: 33                           1028  server.exe
Token: SeIncBasePriorityPrivilege   1028  server.exe
Token: 33                           1028  server.exe
Token: SeIncBasePriorityPrivilege   1028  server.exe
Token: 33                           1028  server.exe
Token: SeIncBasePriorityPrivilege   1028  server.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description                           pid   process                               target process
PID 1716 wrote to memory of 1028      1716  0a7a183e777365134ecc6b30d2ef6111.exe  server.exe
PID 1716 wrote to memory of 1028      1716  0a7a183e777365134ecc6b30d2ef6111.exe  server.exe
PID 1716 wrote to memory of 1028      1716  0a7a183e777365134ecc6b30d2ef6111.exe  server.exe
PID 1716 wrote to memory of 1028      1716  0a7a183e777365134ecc6b30d2ef6111.exe  server.exe
PID 1028 wrote to memory of 1112      1028  server.exe                            netsh.exe
PID 1028 wrote to memory of 1112      1028  server.exe                            netsh.exe
PID 1028 wrote to memory of 1112      1028  server.exe                            netsh.exe
PID 1028 wrote to memory of 1112      1028  server.exe                            netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a7a183e777365134ecc6b30d2ef6111.exe
  "C:\Users\Admin\AppData\Local\Temp\0a7a183e777365134ecc6b30d2ef6111.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize 37KB
MD5 0a7a183e777365134ecc6b30d2ef6111
SHA1 5e43a2d49c2aeb6c438d9e7999215693ef90254e
SHA256 b9dac8380436e34e0698ff15fa73b6026a87294905bc5f9af9cab7298f208e07
SHA512 5e12c77ab23e809501cfe44a6f6eb4b80f57965b88d897029e1d2a70850a3e3ff70c3bbe828969b31bccdd78759ae1d1745dad90efcbe7cac0f7914c2f01b215
-
\Users\Admin\AppData\Local\Temp\server.exe
Filesize 37KB
MD5 0a7a183e777365134ecc6b30d2ef6111
SHA1 5e43a2d49c2aeb6c438d9e7999215693ef90254e
SHA256 b9dac8380436e34e0698ff15fa73b6026a87294905bc5f9af9cab7298f208e07
SHA512 5e12c77ab23e809501cfe44a6f6eb4b80f57965b88d897029e1d2a70850a3e3ff70c3bbe828969b31bccdd78759ae1d1745dad90efcbe7cac0f7914c2f01b215
-
memory/1028-62-0x0000000000160000-0x00000000001A0000-memory.dmp
Filesize 256KB
-
memory/1716-54-0x0000000000A50000-0x0000000000A90000-memory.dmp
Filesize 256KB