Analysis
- max time kernel: 118s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 17-04-2024 07:34
Behavioral task behavioral1
- Sample: Server.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: Server.exe
- Resource: win10v2004-20240412-en
General
- Target: Server.exe
- Size: 37KB
- MD5: de43783b8b13388eb629c7675983def1
- SHA1: 9d8285f25c0e8d2a16fae6cba5d5dfbcf2c1d1f7
- SHA256: 0837d32cd4aabde333efdfc2695f522c07e505131b3d36cc12618be91a057290
- SHA512: 1052d7f2a2efb7543b970278f11e0b71410386fb7f8b1322ec14ec5681caf114e4f5ef2e30e1d3975207406559595a51d0e3c496de35a9bef6a3b58a6ca32a43
- SSDEEP: 384:SgzZxj6ic7ri5Z7JAyk/Y4IvDfZeKQVerAF+rMRTyN/0L+EcoinblneHQM3epzXl:RznHJ7k/Y4IDZbQorM+rMRa8NuTht
Malware Config
Extracted
- Family: njrat
- Version: im523
- Botnet: HacKed
- C2: require-spa.gl.at.ply.gg:29750
- Mutex: 22a96a36e708412bc80ea4f11f20f4c1
- reg_key: 22a96a36e708412bc80ea4f11f20f4c1
- splitter: |'|'|
Signatures
- Modifies Windows Firewall (2 TTPs, 2 IoCs)
  Processes: netsh.exe (PID 2692), netsh.exe (PID 2036)
- Executes dropped EXE (1 IoC)
  Processes: server.exe (PID 3008)
- Loads dropped DLL (1 IoC)
  Processes: Server.exe (PID 2088)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (13 IoCs)
  Processes: server.exe (PID 3008)
  - Token: SeDebugPrivilege (1 event)
  - Token: 33 (6 events)
  - Token: SeIncBasePriorityPrivilege (6 events)
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: Server.exe, server.exe, cmd.exe
  - PID 2088 Server.exe wrote to memory of PID 3008 server.exe (4 events)
  - PID 3008 server.exe wrote to memory of PID 2692 netsh.exe (4 events)
  - PID 3008 server.exe wrote to memory of PID 2036 netsh.exe (4 events)
  - PID 3008 server.exe wrote to memory of PID 1320 cmd.exe (4 events)
  - PID 1320 cmd.exe wrote to memory of PID 1844 PING.EXE (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\server.exe
    Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
      - Modifies Windows Firewall
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
      - Modifies Windows Firewall
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /k ping 0 & del "C:\Users\Admin\AppData\Roaming\server.exe" & exit
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\PING.EXE
        Command line: ping 0
        - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- \Users\Admin\AppData\Roaming\server.exe
  - Filesize: 37KB
  - MD5: de43783b8b13388eb629c7675983def1
  - SHA1: 9d8285f25c0e8d2a16fae6cba5d5dfbcf2c1d1f7
  - SHA256: 0837d32cd4aabde333efdfc2695f522c07e505131b3d36cc12618be91a057290
  - SHA512: 1052d7f2a2efb7543b970278f11e0b71410386fb7f8b1322ec14ec5681caf114e4f5ef2e30e1d3975207406559595a51d0e3c496de35a9bef6a3b58a6ca32a43
- memory/2088-0-0x0000000074B60000-0x000000007510B000-memory.dmp
  - Filesize: 5.7MB
- memory/2088-1-0x0000000002440000-0x0000000002480000-memory.dmp
  - Filesize: 256KB
- memory/2088-2-0x0000000074B60000-0x000000007510B000-memory.dmp
  - Filesize: 5.7MB
- memory/2088-10-0x0000000074B60000-0x000000007510B000-memory.dmp
  - Filesize: 5.7MB
- memory/3008-11-0x0000000074B60000-0x000000007510B000-memory.dmp
  - Filesize: 5.7MB
- memory/3008-12-0x0000000001F40000-0x0000000001F80000-memory.dmp
  - Filesize: 256KB
- memory/3008-13-0x0000000001F40000-0x0000000001F80000-memory.dmp
  - Filesize: 256KB
- memory/3008-14-0x0000000074B60000-0x000000007510B000-memory.dmp
  - Filesize: 5.7MB
- memory/3008-15-0x0000000074B60000-0x000000007510B000-memory.dmp
  - Filesize: 5.7MB