Analysis
- max time kernel: 77s
- max time network: 167s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 09-03-2022 17:49

Static task: static1

Behavioral task: behavioral1
- Sample: 0294f3fa4055709e21e007755062602c3d70b3a4955e6a26ae93fb51b1f4fb4d.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 0294f3fa4055709e21e007755062602c3d70b3a4955e6a26ae93fb51b1f4fb4d.exe
- Resource: win10v2004-en-20220112
General
- Target: 0294f3fa4055709e21e007755062602c3d70b3a4955e6a26ae93fb51b1f4fb4d.exe
- Size: 3.2MB
- MD5: 100835701cd37eafe7a392c1cb763aa7
- SHA1: 259cb1897e33a8eb375ee62c41ac2db6258fecaf
- SHA256: 0294f3fa4055709e21e007755062602c3d70b3a4955e6a26ae93fb51b1f4fb4d
- SHA512: 20fa48d0b7110546a5c92b7b9a7916d26255751f4deff4ea4ebd22324ea984beecdf38bb52959b7b9cec18709fc496497559814cd134efe266b7ec87bf66ad93
Malware Config
Extracted
- Family: njrat
- Version: im523
- Botnet: system
- C2: 194.34.132.153:60000
- Mutex: 6a0dcc32043c04d913e24c92c2a3a7bd
- reg_key: 6a0dcc32043c04d913e24c92c2a3a7bd
- splitter: |'|'|
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    3376  CDS.exe
    1876  crypted.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | CDS.exe
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
    3376  CDS.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 0294f3fa4055709e21e007755062602c3d70b3a4955e6a26ae93fb51b1f4fb4d.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 0294f3fa4055709e21e007755062602c3d70b3a4955e6a26ae93fb51b1f4fb4d.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
    3376  CDS.exe
    3376  CDS.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
    Token: 33 | 3412 | AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege | 3412 | AUDIODG.EXE
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid, process):
    3376  CDS.exe
    3376  CDS.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
    PID 3864 wrote to memory of 3376 | 3864 | 0294f3fa4055709e21e007755062602c3d70b3a4955e6a26ae93fb51b1f4fb4d.exe | CDS.exe
    PID 3864 wrote to memory of 3376 | 3864 | 0294f3fa4055709e21e007755062602c3d70b3a4955e6a26ae93fb51b1f4fb4d.exe | CDS.exe
    PID 3864 wrote to memory of 3376 | 3864 | 0294f3fa4055709e21e007755062602c3d70b3a4955e6a26ae93fb51b1f4fb4d.exe | CDS.exe
    PID 3376 wrote to memory of 1876 | 3376 | CDS.exe | crypted.exe
    PID 3376 wrote to memory of 1876 | 3376 | CDS.exe | crypted.exe
    PID 3376 wrote to memory of 1876 | 3376 | CDS.exe | crypted.exe
    PID 1876 wrote to memory of 3528 | 1876 | crypted.exe | fondue.exe
    PID 1876 wrote to memory of 3528 | 1876 | crypted.exe | fondue.exe
    PID 1876 wrote to memory of 3528 | 1876 | crypted.exe | fondue.exe
    PID 3528 wrote to memory of 220 | 3528 | fondue.exe | FonDUE.EXE
    PID 3528 wrote to memory of 220 | 3528 | fondue.exe | FonDUE.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0294f3fa4055709e21e007755062602c3d70b3a4955e6a26ae93fb51b1f4fb4d.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0294f3fa4055709e21e007755062602c3d70b3a4955e6a26ae93fb51b1f4fb4d.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\fondue.exe (depth 4)
        Command line: "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\FonDUE.EXE (depth 5)
          Command line: "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
- C:\Windows\system32\AUDIODG.EXE (depth 1)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x41c 0x2f4
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png
  MD5: 340b294efc691d1b20c64175d565ebc7
  SHA1: 81cb9649bd1c9a62ae79e781818fc24d15c29ce7
  SHA256: 72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9
  SHA512: 1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd
  MD5: 3e7ecaeb51c2812d13b07ec852d74aaf
  SHA1: e9bdab93596ffb0f7f8c65243c579180939acb26
  SHA256: e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96
  SHA512: 635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
  MD5: 424bf196deaeb4ddcafb78e137fa560a
  SHA1: 007738e9486c904a3115daa6e8ba2ee692af58c8
  SHA256: 0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2
  SHA512: a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat
  MD5: 24b732ef5492b260afed1a1e66414e7c
  SHA1: 56309a18b32df04d571ea947eb24972e0a0bc537
  SHA256: 8d6104307f2adacafd7fab705b53d6595be33e957c01e58e1b04691c4c2c3beb
  SHA512: 0ce544b3a146ef11f1bcaa531358501eb2821bd8e0678e383c35f941a3f8ccfa782491bede283eee2d86952c84db1c2ca520f6daf7a780d3028028e37a7659c3
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
  MD5: 247b6bae473094dd32d608c46238fdc4
  SHA1: 0a2d0dd0812ab6012514568cda3269340a0925d2
  SHA256: 30d15b5543311e9a3d85bac30b8785bd50526dc82c7e46e2ef6382aa54f79877
  SHA512: e2d8799aef2466f34e1ebd27abe4b2679a01dff612304930f06e8f035036fedd399d562fd4caa1c91bdebc07f8a11af4b4efed751d37050791dddc691d55c291
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings
  MD5: 68934a3e9455fa72420237eb05902327
  SHA1: 7cb6efb98ba5972a9b5090dc2e517fe14d12cb04
  SHA256: fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa
  SHA512: 719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll
  MD5: c3256800dce47c14acc83ccca4c3e2ac
  SHA1: 9d126818c66991dbc3813a65eddb88bbcf77f30a
  SHA256: f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866
  SHA512: 6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25