Analysis
max time kernel: 149s
max time network: 30s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
submitted: 29-03-2023 03:34

Behavioral task: behavioral1
Sample: wearaawr.exe
Resource: win7-20230220-en

General
Target: wearaawr.exe
Size: 93KB
MD5: 63f06efdbe1f93b7a2688a0baf2256d4
SHA1: 91d9cc6369d885534cfa7eea162964bc06c00b2b
SHA256: 7caf8f81caea74f0a583349fc9f4f96e9226c913a7cb9f2dbca87050ae595e84
SHA512: a0137176f42d908d09bb96d74aef630bcb50b42a64c6763945b42e0ef9f159c05bd8b468320b1c6f248e8591e23a27edf5f7c17bb32342d1eb9744667ed196b1
SSDEEP: 1536:CIaw0gMX6BbNrnYjS7JjEwzGi1dDxDbgS:CIwX6BbNraS7Gi1d1U
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: HacKed
C2: FRANSESCOTI3LjAuFRANSESCOC4x:MzE0OQ==
Mutex: 1e837d763a164123719a02065b1e7b81
reg_key: 1e837d763a164123719a02065b1e7b81
splitter: |'|'|
Signatures

Disables Task Manager via registry modification

Modifies Windows Firewall (1 TTPs, 3 IoCs)
Processes:
  pid | process
  1584 | netsh.exe
  740 | netsh.exe
  1844 | netsh.exe

Drops startup file (4 IoCs)
Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | server.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | server.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1e837d763a164123719a02065b1e7b81Windows Update.exe | server.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1e837d763a164123719a02065b1e7b81Windows Update.exe | server.exe

Executes dropped EXE (1 IoCs)
Processes:
  pid | process
  1476 | server.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid | process
  1704 | wearaawr.exe
  1704 | wearaawr.exe

Drops file in System32 directory (2 IoCs)
Processes:
  description | ioc | process
  File created | C:\Windows\SysWOW64\Explower.exe | server.exe
  File opened for modification | C:\Windows\SysWOW64\Explower.exe | server.exe

Drops file in Program Files directory (2 IoCs)
Processes:
  description | ioc | process
  File created | C:\Program Files (x86)\Explower.exe | server.exe
  File opened for modification | C:\Program Files (x86)\Explower.exe | server.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid | process
  1476 | server.exe

Suspicious use of AdjustPrivilegeToken (23 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1476 | server.exe
  Token: 33 | 1476 | server.exe
  Token: SeIncBasePriorityPrivilege | 1476 | server.exe
  Token: 33 | 1476 | server.exe
  Token: SeIncBasePriorityPrivilege | 1476 | server.exe
  Token: 33 | 1476 | server.exe
  Token: SeIncBasePriorityPrivilege | 1476 | server.exe
  Token: 33 | 1476 | server.exe
  Token: SeIncBasePriorityPrivilege | 1476 | server.exe
  Token: 33 | 1476 | server.exe
  Token: SeIncBasePriorityPrivilege | 1476 | server.exe
  Token: 33 | 1476 | server.exe
  Token: SeIncBasePriorityPrivilege | 1476 | server.exe
  Token: 33 | 1476 | server.exe
  Token: SeIncBasePriorityPrivilege | 1476 | server.exe
  Token: 33 | 1476 | server.exe
  Token: SeIncBasePriorityPrivilege | 1476 | server.exe
  Token: 33 | 1476 | server.exe
  Token: SeIncBasePriorityPrivilege | 1476 | server.exe
  Token: 33 | 1476 | server.exe
  Token: SeIncBasePriorityPrivilege | 1476 | server.exe
  Token: 33 | 1476 | server.exe
  Token: SeIncBasePriorityPrivilege | 1476 | server.exe

Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
  description | pid | process | target process
  PID 1704 wrote to memory of 1476 | 1704 | wearaawr.exe | server.exe
  PID 1704 wrote to memory of 1476 | 1704 | wearaawr.exe | server.exe
  PID 1704 wrote to memory of 1476 | 1704 | wearaawr.exe | server.exe
  PID 1704 wrote to memory of 1476 | 1704 | wearaawr.exe | server.exe
  PID 1476 wrote to memory of 740 | 1476 | server.exe | netsh.exe
  PID 1476 wrote to memory of 740 | 1476 | server.exe | netsh.exe
  PID 1476 wrote to memory of 740 | 1476 | server.exe | netsh.exe
  PID 1476 wrote to memory of 740 | 1476 | server.exe | netsh.exe
  PID 1476 wrote to memory of 1844 | 1476 | server.exe | netsh.exe
  PID 1476 wrote to memory of 1844 | 1476 | server.exe | netsh.exe
  PID 1476 wrote to memory of 1844 | 1476 | server.exe | netsh.exe
  PID 1476 wrote to memory of 1844 | 1476 | server.exe | netsh.exe
  PID 1476 wrote to memory of 1584 | 1476 | server.exe | netsh.exe
  PID 1476 wrote to memory of 1584 | 1476 | server.exe | netsh.exe
  PID 1476 wrote to memory of 1584 | 1476 | server.exe | netsh.exe
  PID 1476 wrote to memory of 1584 | 1476 | server.exe | netsh.exe
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\wearaawr.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\wearaawr.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Roaming\server.exe
    Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
    - Drops startup file
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
      - Modifies Windows Firewall

    Level 3: C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
      - Modifies Windows Firewall

    Level 3: C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Roaming\app
Filesize: 5B
MD5: 112317d572ce0538d2d1b20d7f32170e
SHA1: c7f3714c4806b907bcff7f79aa1d1c9373b77d1e
SHA256: fd9e9a8be71786826787d6eb9aa28371d09b0515ddf0c19b082fe7bac57a88a9
SHA512: 265dbebc83c74dc97770e650580b0321144990d133403bab2bc1de4618cde63dfd4fedfa56b5e4e259b510585db0f7a59042c356356c56bea3ac861d4be5337f

C:\Users\Admin\AppData\Roaming\server.exe
Filesize: 93KB
MD5: 63f06efdbe1f93b7a2688a0baf2256d4
SHA1: 91d9cc6369d885534cfa7eea162964bc06c00b2b
SHA256: 7caf8f81caea74f0a583349fc9f4f96e9226c913a7cb9f2dbca87050ae595e84
SHA512: a0137176f42d908d09bb96d74aef630bcb50b42a64c6763945b42e0ef9f159c05bd8b468320b1c6f248e8591e23a27edf5f7c17bb32342d1eb9744667ed196b1

\Users\Admin\AppData\Roaming\server.exe
Filesize: 93KB
MD5: 63f06efdbe1f93b7a2688a0baf2256d4
SHA1: 91d9cc6369d885534cfa7eea162964bc06c00b2b
SHA256: 7caf8f81caea74f0a583349fc9f4f96e9226c913a7cb9f2dbca87050ae595e84
SHA512: a0137176f42d908d09bb96d74aef630bcb50b42a64c6763945b42e0ef9f159c05bd8b468320b1c6f248e8591e23a27edf5f7c17bb32342d1eb9744667ed196b1

memory/1704-55-0x0000000002010000-0x0000000002050000-memory.dmp
Filesize: 256KB