Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20230621-en
- resource tags: arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
- submitted: 01-07-2023 07:44
Behavioral task: behavioral1
Sample: ba36c9b8fec0735647e7984eb.exe
Resource: win7-20230621-en
General
- Target: ba36c9b8fec0735647e7984eb.exe
- Size: 106KB
- MD5: ba36c9b8fec0735647e7984eb772aab3
- SHA1: 91a2d15a954439e122daa782078e1e6c573de2a3
- SHA256: 035c9d1fee3d2358a7fac27279dffdda55d3508e1503d91cb2fb4babf5319d12
- SHA512: a8779f8d586e752466e7311c2988bdb44fda6df520d77d1c6f90004de27890ea06f60a185a326ccd41afa9c14361bc7d8d4dab05578f922815866f017136c7fe
- SSDEEP: 1536:e1+4dMS6ZueRX9mHUxOM1GeYjP1aed/y4Y3Gv:e10S6ZmUcvbjAed/nu
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: Infected
- C2: hakim32.ddns.net:2000
- C2: 2.tcp.eu.ngrok.io:16032
- Mutex: f0c8ea6d55ad279af54a02e293c5fcbd
- reg_key: f0c8ea6d55ad279af54a02e293c5fcbd
- splitter: |'|'|
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Drops startup file (6 IoCs)
  Processes: server.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f0c8ea6d55ad279af54a02e293c5fcbdWindows Update.exe (server.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe (server.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe (server.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe (server.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe (server.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f0c8ea6d55ad279af54a02e293c5fcbdWindows Update.exe (server.exe)
- Executes dropped EXE (1 IoCs)
  Processes: server.exe
  pid 672 server.exe
- Loads dropped DLL (2 IoCs)
  Processes: ba36c9b8fec0735647e7984eb.exe
  pid 2028 ba36c9b8fec0735647e7984eb.exe
  pid 2028 ba36c9b8fec0735647e7984eb.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Drops file in System32 directory (2 IoCs)
  Processes: server.exe
  File created: C:\Windows\SysWOW64\Explower.exe (server.exe)
  File opened for modification: C:\Windows\SysWOW64\Explower.exe (server.exe)
- Drops file in Program Files directory (2 IoCs)
  Processes: server.exe
  File created: C:\Program Files (x86)\Explower.exe (server.exe)
  File opened for modification: C:\Program Files (x86)\Explower.exe (server.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: server.exe
  pid 672 server.exe (64 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: server.exe
  pid 672 server.exe
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Processes: server.exe
  Token: SeDebugPrivilege, pid 672 server.exe (1 occurrence)
  Token: 33, pid 672 server.exe (11 occurrences)
  Token: SeIncBasePriorityPrivilege, pid 672 server.exe (11 occurrences)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: ba36c9b8fec0735647e7984eb.exe, server.exe
  PID 2028 (ba36c9b8fec0735647e7984eb.exe) wrote to memory of 672 (server.exe), 4 occurrences
  PID 672 (server.exe) wrote to memory of 1736 (netsh.exe), 4 occurrences
Processes
1. C:\Users\Admin\AppData\Local\Temp\ba36c9b8fec0735647e7984eb.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ba36c9b8fec0735647e7984eb.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\server.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Drops startup file
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 106KB
  MD5: ba36c9b8fec0735647e7984eb772aab3
  SHA1: 91a2d15a954439e122daa782078e1e6c573de2a3
  SHA256: 035c9d1fee3d2358a7fac27279dffdda55d3508e1503d91cb2fb4babf5319d12
  SHA512: a8779f8d586e752466e7311c2988bdb44fda6df520d77d1c6f90004de27890ea06f60a185a326ccd41afa9c14361bc7d8d4dab05578f922815866f017136c7fe
- C:\Users\Admin\AppData\Roaming\app
  Filesize: 4B
  MD5: 4d853d9c7197ee7fa81c6535b1f7d655
  SHA1: eac3d866e991967b385f3dd22da25e410d8f7f49
  SHA256: 5abdb6175f820f0ac3d8647fbb1f7a0bcc91757a782a8a145570944ca6a00c96
  SHA512: dc5a09d8586eb9f591f6e00187817c19f693e9328a1b2e5838c61c0b234e9608eecc45bbf7f4a90912e9a456d0ab469ed2503bafb4988b276cec8d5f0b18fda7
- \Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 106KB
  MD5: ba36c9b8fec0735647e7984eb772aab3
  SHA1: 91a2d15a954439e122daa782078e1e6c573de2a3
  SHA256: 035c9d1fee3d2358a7fac27279dffdda55d3508e1503d91cb2fb4babf5319d12
  SHA512: a8779f8d586e752466e7311c2988bdb44fda6df520d77d1c6f90004de27890ea06f60a185a326ccd41afa9c14361bc7d8d4dab05578f922815866f017136c7fe
- memory/2028-55-0x0000000000270000-0x00000000002B0000-memory.dmp
  Filesize: 256KB