Analysis

Max time kernel: 111s
Max time network: 156s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220112
Submitted: 09-03-2022 17:49

Tasks

Static task: static1
Behavioral task: behavioral1
  Sample: a93ed17c2c3e33f492b26db316abb8a4d32923e03b2387b3076b2e00f7e7d732.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: a93ed17c2c3e33f492b26db316abb8a4d32923e03b2387b3076b2e00f7e7d732.exe
  Resource: win10v2004-en-20220112
General

Target: a93ed17c2c3e33f492b26db316abb8a4d32923e03b2387b3076b2e00f7e7d732.exe
Size: 3.2MB
MD5: e33258409be6c2628cd2367ce1263386
SHA1: 286a63a65463122c70eb82dadeb3ecca10aa68bc
SHA256: a93ed17c2c3e33f492b26db316abb8a4d32923e03b2387b3076b2e00f7e7d732
SHA512: 0a10f5c4421af38785bd8fe672914574994525cfbc489e50c99c6242fead6c2720de4bc105e72db0793565f9b3ce667b28f69c890ae439dad68fab4ee161d5be
Malware Config

Extracted
Family: njrat
Version: im523
Botnet: hacker
C2: 0.tcp.ngrok.io:18133
Mutex: 707b4c9b457e788982fbb6845d3f32eb
reg_key: 707b4c9b457e788982fbb6845d3f32eb
splitter: |'|'|
Signatures

Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  3396  CDS.exe
  3248  crypted.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                                    process
  Key value queried  \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation   CDS.exe

Loads dropped DLL (1 IoC)
Processes:
  pid   process
  3396  CDS.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description      ioc                                                                                   process
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce      a93ed17c2c3e33f492b26db316abb8a4d32923e03b2387b3076b2e00f7e7d732.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""   a93ed17c2c3e33f492b26db316abb8a4d32923e03b2387b3076b2e00f7e7d732.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  3396  CDS.exe
  3396  CDS.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description                        pid   process
  Token: 33                          2028  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  2028  AUDIODG.EXE

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid   process
  3396  CDS.exe
  3396  CDS.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  description                        pid   process                                                                  target process
  PID 3152 wrote to memory of 3396   3152  a93ed17c2c3e33f492b26db316abb8a4d32923e03b2387b3076b2e00f7e7d732.exe  CDS.exe
  PID 3152 wrote to memory of 3396   3152  a93ed17c2c3e33f492b26db316abb8a4d32923e03b2387b3076b2e00f7e7d732.exe  CDS.exe
  PID 3152 wrote to memory of 3396   3152  a93ed17c2c3e33f492b26db316abb8a4d32923e03b2387b3076b2e00f7e7d732.exe  CDS.exe
  PID 3396 wrote to memory of 3248   3396  CDS.exe                                                                  crypted.exe
  PID 3396 wrote to memory of 3248   3396  CDS.exe                                                                  crypted.exe
  PID 3396 wrote to memory of 3248   3396  CDS.exe                                                                  crypted.exe
  PID 3248 wrote to memory of 3108   3248  crypted.exe                                                              fondue.exe
  PID 3248 wrote to memory of 3108   3248  crypted.exe                                                              fondue.exe
  PID 3248 wrote to memory of 3108   3248  crypted.exe                                                              fondue.exe
  PID 3108 wrote to memory of 2544   3108  fondue.exe                                                               FonDUE.EXE
  PID 3108 wrote to memory of 2544   3108  fondue.exe                                                               FonDUE.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\a93ed17c2c3e33f492b26db316abb8a4d32923e03b2387b3076b2e00f7e7d732.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a93ed17c2c3e33f492b26db316abb8a4d32923e03b2387b3076b2e00f7e7d732.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\fondue.exe
        Command line: "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\FonDUE.EXE
          Command line: "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x4e0 0x500
  - Suspicious use of AdjustPrivilegeToken
Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png
  MD5: 340b294efc691d1b20c64175d565ebc7
  SHA1: 81cb9649bd1c9a62ae79e781818fc24d15c29ce7
  SHA256: 72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9
  SHA512: 1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd
  MD5: 3e7ecaeb51c2812d13b07ec852d74aaf
  SHA1: e9bdab93596ffb0f7f8c65243c579180939acb26
  SHA256: e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96
  SHA512: 635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
  MD5: 424bf196deaeb4ddcafb78e137fa560a
  SHA1: 007738e9486c904a3115daa6e8ba2ee692af58c8
  SHA256: 0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2
  SHA512: a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat
  MD5: d7ab528ef810ec5fd2d679e09bbd20ba
  SHA1: cd690dbe2bf409c709947626ed85ec87528e01e5
  SHA256: 0781188943a85229f4f8a692f43bdf556c65a8e47496647e9f9bc526c1c55e2d
  SHA512: 446890826462a064e52444819f5696a0d7226d82770c4c0f509e10cfe02f8a1d50bf8f1b79ca9a56e569d64f7222e1a1560d84c9f831698ddfdb19f7833914dd

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
  MD5: f45f8f7c9061b9176b601b990136267d
  SHA1: 9f7d79e890b8a01e89afeebe600de7f8e75beb29
  SHA256: c5d40a6a31477379f5376a70445c642d1a4f2902aa1e3270a93d959d07322019
  SHA512: 3d86953f67cb6609c9550e7ecd61355c04fd9bfe93e520395bed892f7aa75a742bfabc5a68a96269ff8b6835cd9405e683410a2ba53c9f58db2e03a858e82514

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings
  MD5: 68934a3e9455fa72420237eb05902327
  SHA1: 7cb6efb98ba5972a9b5090dc2e517fe14d12cb04
  SHA256: fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa
  SHA512: 719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll
  MD5: c3256800dce47c14acc83ccca4c3e2ac
  SHA1: 9d126818c66991dbc3813a65eddb88bbcf77f30a
  SHA256: f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866
  SHA512: 6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25