Analysis
- max time kernel: 125s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 28-03-2022 22:23

Static task: static1
Behavioral task: behavioral1
- Sample: ed2483ea2768ee40839a832f2e2771ea56c476a3622687e7b476aabb59f65d20.exe
- Resource: win7-20220311-en
General
- Target: ed2483ea2768ee40839a832f2e2771ea56c476a3622687e7b476aabb59f65d20.exe
- Size: 229KB
- MD5: 7d276dfb51b873aa1fa8d512a961b8e7
- SHA1: 0070198c1e94602fdc435a5933990861e9d7836c
- SHA256: ed2483ea2768ee40839a832f2e2771ea56c476a3622687e7b476aabb59f65d20
- SHA512: 11f360bbe72a90c9364fb4f9d8d8659bb82d18745077cb85b08b158bbdabc05735f0b38a4710c42759d2bca23cbbebd0e77159228f8754ac7553ef1ccc05327e
Malware Config
Extracted
- Family: njrat
- Version string: Njrat 0.7 Golden By Hassan Amiri
- (unlabelled field): system
- C2: urbanhuman123.duckdns.org:3131
- (unlabelled field): Windows Update
- reg_key: Windows Update
- splitter: |Hassan|

Two values (system, Windows Update) are emitted by the extractor without a field name and are left as-is here. The C2 is a duckdns.org dynamic-DNS name, so the resolved IP is not a stable indicator; block or alert on the hostname and on the port 3131 pairing. reg_key is the value name njRAT writes under the Run key for persistence, and splitter is the field separator it uses in its C2 messages.
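The splitter and C2 values above are what a network detection needs. As an added example (the editor's code, not part of this report and not njRAT's own source), the Python below frames and parses njRAT-style messages with the extracted splitter and derives the Run-key artefact from reg_key. It assumes the Golden build keeps the njRAT 0.7d wire framing (decimal payload length, a NUL byte, then the payload with fields joined by the splitter; an "ll" registration message and a bare "P" keepalive); the stream it parses is constructed, not captured traffic.

```python
"""Frame and parse njRAT-style C2 messages using the splitter from the extracted config.

Added example, not part of the sandbox report. Assumption: the "Golden" build keeps
njRAT 0.7d framing, i.e. each message is '<decimal length>\\x00<payload>' and payload
fields are joined by the configured splitter. SAMPLE_STREAM below is constructed.
"""
import re

CONFIG = {                      # values copied from the report's Malware Config
    "c2_host": "urbanhuman123.duckdns.org",
    "c2_port": 3131,
    "reg_key": "Windows Update",
    "splitter": "|Hassan|",
}

_LEN_PREFIX = re.compile(rb"^(\d+)\x00")


def frame(fields, splitter=CONFIG["splitter"]):
    """Build one message: ASCII byte length of the payload, NUL, then the joined fields."""
    payload = splitter.join(fields).encode("utf-8")
    return str(len(payload)).encode() + b"\x00" + payload


def parse_stream(data, splitter=CONFIG["splitter"]):
    """Split a TCP stream into messages.

    Returns (list of field lists, leftover bytes). Parsing stops at the first
    incomplete frame so a caller can buffer more data and retry.
    """
    messages, pos = [], 0
    while pos < len(data):
        m = _LEN_PREFIX.match(data[pos:])
        if not m:
            break                                  # not njRAT framing from here on
        length = int(m.group(1))
        start = pos + m.end()
        if start + length > len(data):
            break                                  # partial frame, wait for more bytes
        payload = data[start:start + length].decode("utf-8", errors="replace")
        messages.append(payload.split(splitter))
        pos = start + length
    return messages, data[pos:]


def looks_like_njrat(data, splitter=CONFIG["splitter"]):
    """Heuristic: the framing parses and at least one message is multi-field or a 'P' keepalive."""
    messages, _ = parse_stream(data, splitter)
    return any(len(m) > 1 or m == ["P"] for m in messages)


def registry_iocs(config=CONFIG):
    """Persistence artefact implied by reg_key: the Run-key value njRAT creates (HKCU; HKLM if elevated)."""
    value = config["reg_key"]
    return [
        "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" + value,
        "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" + value,
    ]


# Constructed sample: a registration-style message ("ll" + HacKed_<id> as in 0.7d, assumed),
# a keepalive, then a truncated frame that must be left in the buffer.
SAMPLE_STREAM = (
    frame(["ll", "HacKed_ABCD1234", "DESKTOP-TEST", "Admin"])
    + frame(["P"])
    + b"42\x00ll|Hassan|only-part-of"
)

if __name__ == "__main__":
    msgs, rest = parse_stream(SAMPLE_STREAM)
    print(msgs, rest)
    print(looks_like_njrat(SAMPLE_STREAM), registry_iocs())
```

parse_stream deliberately does not decode past a short read: njRAT keeps one long-lived TCP session, so a per-packet matcher will see frames split across segments, and the leftover bytes must be prepended to the next segment before parsing again.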
Signatures

Executes dropped EXE (1 IoC)
- pid 1384: Tempwinlogon.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely geofence.
Caveat: both processes that read this value are hosts with locale-aware runtimes (a .NET executable and wscript.exe), which can read it during initialisation, so on its own this is weak evidence that the implant geofences; the C2 and persistence artefacts below are the stronger indicators.
- Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (by ed2483ea2768ee40839a832f2e2771ea56c476a3622687e7b476aabb59f65d20.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (by wscript.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Caveat: that description is the sandbox's generic text for this signature. For njRAT, drive enumeration is consistent with its file-manager and removable-drive spreading features, and nothing else in this report shows file encryption.

Suspicious use of WriteProcessMemory (10 IoCs)
Each record is parent pid, child pid, parent image, child image. The repeats are the several writes CreateProcess itself makes into a freshly created child, which is why this signature fires on every process launch; the value here is the parent/child chain, not the write count.
- PID 3096 wrote to memory of 5112: ed2483ea2768ee40839a832f2e2771ea56c476a3622687e7b476aabb59f65d20.exe -> wscript.exe
- PID 3096 wrote to memory of 5112: ed2483ea2768ee40839a832f2e2771ea56c476a3622687e7b476aabb59f65d20.exe -> wscript.exe
- PID 5112 wrote to memory of 1384: wscript.exe -> Tempwinlogon.exe
- PID 5112 wrote to memory of 1384: wscript.exe -> Tempwinlogon.exe
- PID 5112 wrote to memory of 1384: wscript.exe -> Tempwinlogon.exe
- PID 1384 wrote to memory of 3496: Tempwinlogon.exe -> fondue.exe
- PID 1384 wrote to memory of 3496: Tempwinlogon.exe -> fondue.exe
- PID 1384 wrote to memory of 3496: Tempwinlogon.exe -> fondue.exe
- PID 3496 wrote to memory of 2556: fondue.exe -> FonDUE.EXE
- PID 3496 wrote to memory of 2556: fondue.exe -> FonDUE.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\ed2483ea2768ee40839a832f2e2771ea56c476a3622687e7b476aabb59f65d20.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\ed2483ea2768ee40839a832f2e2771ea56c476a3622687e7b476aabb59f65d20.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\wscript.exe
      command line: "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\9160.tmp\9161.tmp\9162.vbs //Nologo
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Tempwinlogon.exe
         command line: "C:\Users\Admin\AppData\Local\Tempwinlogon.exe"
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\fondue.exe
            command line: "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\system32\FonDUE.EXE
               command line: "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll

Reading the chain: the dropper writes a VBS to a nested .tmp directory and runs it through wscript.exe; the script drops and starts the njRAT payload (Tempwinlogon.exe). Levels 4 and 5 are not attacker tooling: fondue.exe is the Windows Features-on-Demand helper, and /caller-name:mscoreei.dll shows the .NET shim invoking it because the payload targets the CLR 2.0/3.5 runtime, which is not installed on this Windows 10 image. The 32-bit process reaches the SysWOW64 copy through the redirected system32 path and relaunches the 64-bit copy via \sysnative. On a host with .NET 3.5 present, or on the Win7 resource listed above, this branch would not appear.
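To turn the ten WriteProcessMemory records and the tree above into something a responder can act on, here is an added example (the editor's code, not the sandbox's own logic) that deduplicates the records into parent/child edges, walks the lineage from the sample's pid, and applies three heuristics: a script host launching a binary from a user-writable path, a system-binary lookalike name running outside C:\Windows, and the fondue.exe NetFx3 prompt, which it reports as context rather than as an indicator. The records and image paths are copied from this page; the rules and severities are the example's own assumptions.

```python
"""Rebuild the parent/child chain from the report's WriteProcessMemory records
and flag the hand-offs worth a responder's attention.

Added example, not part of the sandbox report. WPM_RECORDS and PROCESSES are
copied from this page; the heuristics are the editor's, not sandbox signatures.
"""
import re

# All ten records from the "Suspicious use of WriteProcessMemory" table, verbatim.
WPM_RECORDS = """\
PID 3096 wrote to memory of 5112 3096 ed2483ea2768ee40839a832f2e2771ea56c476a3622687e7b476aabb59f65d20.exe wscript.exe
PID 3096 wrote to memory of 5112 3096 ed2483ea2768ee40839a832f2e2771ea56c476a3622687e7b476aabb59f65d20.exe wscript.exe
PID 5112 wrote to memory of 1384 5112 wscript.exe Tempwinlogon.exe
PID 5112 wrote to memory of 1384 5112 wscript.exe Tempwinlogon.exe
PID 5112 wrote to memory of 1384 5112 wscript.exe Tempwinlogon.exe
PID 1384 wrote to memory of 3496 1384 Tempwinlogon.exe fondue.exe
PID 1384 wrote to memory of 3496 1384 Tempwinlogon.exe fondue.exe
PID 1384 wrote to memory of 3496 1384 Tempwinlogon.exe fondue.exe
PID 3496 wrote to memory of 2556 3496 fondue.exe FonDUE.EXE
PID 3496 wrote to memory of 2556 3496 fondue.exe FonDUE.EXE
"""

# pid -> (image path, arguments) from the Processes tree on this page.
PROCESSES = {
    3096: (r"C:\Users\Admin\AppData\Local\Temp\ed2483ea2768ee40839a832f2e2771ea56c476a3622687e7b476aabb59f65d20.exe", ""),
    5112: (r"C:\Windows\system32\wscript.exe", r"C:\Users\Admin\AppData\Local\Temp\9160.tmp\9161.tmp\9162.vbs //Nologo"),
    1384: (r"C:\Users\Admin\AppData\Local\Tempwinlogon.exe", ""),
    3496: (r"C:\Windows\SysWOW64\fondue.exe", "/enable-feature:NetFx3 /caller-name:mscoreei.dll"),
    2556: (r"C:\Windows\system32\FonDUE.EXE", "/enable-feature:NetFx3 /caller-name:mscoreei.dll"),
}

_REC = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")
# Names implants like to borrow; the genuine binaries live under C:\Windows.
SYSTEM_LOOKALIKES = ("winlogon.exe", "svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe")


def parse_edges(text):
    """Collapse per-call records into unique (ppid, cpid, parent_image, child_image)
    edges in first-seen order. CreateProcess writes into a new child several
    times, so one spawn shows up as two or three records."""
    seen, edges = set(), []
    for m in _REC.finditer(text):
        edge = (int(m.group(1)), int(m.group(2)), m.group(3).lower(), m.group(4).lower())
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def chain(edges, root_pid):
    """Follow first-child links from root_pid and return the pid lineage."""
    lineage, cur = [root_pid], root_pid
    while True:
        children = [c for p, c, _, _ in edges if p == cur]
        if not children:
            return lineage
        cur = children[0]
        lineage.append(cur)


def findings(edges, processes):
    """Score each hand-off; returns (severity, child_pid, message) tuples."""
    out = []
    for ppid, cpid, pimg, cimg in edges:
        cpath, cargs = processes.get(cpid, ("", ""))
        lpath = cpath.lower()
        if pimg in SCRIPT_HOSTS and lpath.startswith(USER_WRITABLE):
            out.append(("high", cpid, f"{pimg} ({ppid}) launched {cpath} from a user-writable directory"))
        if cimg.endswith(SYSTEM_LOOKALIKES) and not lpath.startswith("c:\\windows\\"):
            out.append(("high", cpid, f"{cimg} borrows a system binary name but runs from {cpath}"))
        if cimg == "fondue.exe" and pimg != "fondue.exe" and "/caller-name:mscoreei.dll" in cargs.lower():
            # Context, not an IoC: the .NET shim (mscoreei.dll) asks Features-on-Demand to
            # install NetFx3 because the parent targets CLR 2.0/3.5 and the image lacks it.
            # The 32-bit -> 64-bit fondue relaunch (pimg == fondue.exe) is skipped on purpose.
            out.append(("info", cpid, f"NetFx3 install prompt triggered by {pimg} ({ppid}): parent is a .NET 2.0/3.5 binary"))
    return out


if __name__ == "__main__":
    edges = parse_edges(WPM_RECORDS)
    print(" -> ".join(str(p) for p in chain(edges, 3096)))
    for sev, pid, msg in findings(edges, PROCESSES):
        print(f"[{sev}] pid {pid}: {msg}")
```

The lookalike rule matches on the name suffix on purpose: the dropped file is Tempwinlogon.exe, not winlogon.exe, and a rule keyed on exact names would miss it. The "info" finding is there so that an analyst does not waste time on fondue.exe, which is what the raw signature list invites.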
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\9160.tmp\9161.tmp\9162.vbs
  Filesize: 175KB
  MD5: f9a5ce69bedccc0300a55805c53d5298
  SHA1: 667b32641419b4d11deb03601fd6ac460fa61b70
  SHA256: e3dff2b35df20d4cc148d246bd9cef6848e37e768f55156de4e5eb40f82a9cab
  SHA512: 530c86fee6cba3f4e3b390c8bed345dd11f2c1f10c5d51ed7de16bc90f90d85f887f99c8a6623ffd9e0c78fca38052994e7bbe2b068422c846228888ffbcd78b
- C:\Users\Admin\AppData\Local\Tempwinlogon.exe
  Filesize: 43KB
  MD5: 01cd1273407dc0ac4979fcb85fd7c1b2
  SHA1: 2c6e2a2ffbe0c98cf378396f41059fb8f40afbed
  SHA256: 80e24cd9cc94e7d896e564373a3145ea1dbb3252d5249b89a8d17470776edadc
  SHA512: b39e83caddb954a9f05cb14ecb5d813336fd5cb477aab91194f8fd631f6af274c3c17705d5fb38e4cf2c7c9096868661a294b46b3557292de4d92ece6251d640

Note the dropped path: the payload sits directly in AppData\Local with "Temp" fused to the file name (Tempwinlogon.exe), not in Temp\winlogon.exe. This reads like a missing path separator in the VBS dropper; hunt for the exact path and for the 43KB hashes above rather than for %TEMP%\winlogon.exe.
- memory/1384-135-0x0000000000000000-mapping.dmp
- memory/2556-139-0x0000000000000000-mapping.dmp
- memory/3496-138-0x0000000000000000-mapping.dmp
- memory/5112-133-0x0000000000000000-mapping.dmp