Analysis
- max time kernel: 90s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 15-04-2022 02:09
Static task: static1
Behavioral task: behavioral1
- Sample: a836f921462e6240150cd6c26d59a8e57f2a2f5c4f520568622e3fe4e2828ceb.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: a836f921462e6240150cd6c26d59a8e57f2a2f5c4f520568622e3fe4e2828ceb.exe
- Resource: win10v2004-en-20220113
General
- Target: a836f921462e6240150cd6c26d59a8e57f2a2f5c4f520568622e3fe4e2828ceb.exe
- Size: 3.2MB
- MD5: 763831ebb67edc0547d2caf7c7b999b8
- SHA1: c7af5d05e46416cc2a0c33c8b09eb872c7b70a91
- SHA256: a836f921462e6240150cd6c26d59a8e57f2a2f5c4f520568622e3fe4e2828ceb
- SHA512: 25004abb59bd61d8991d435d0428269f40b9afb21c9da1e658b83eb79c34f9e246fa2ef45573d05997839f37a15d470ff8e177e9bcc1166562310ced7199495a
Malware Config
Extracted
- Family: njrat
- Version: im523
- Botnet: q
- C2: ratchomli.hopto.org:3632
- Mutex: 631447834c0607d77dbc354603149bca
- reg_key: 631447834c0607d77dbc354603149bca
- splitter: |'|'|
Signatures
- Executes dropped EXE (2 IoCs)
  Processes: CDS.exe, crypted.exe
  pid 3672 CDS.exe
  pid 3148 crypted.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: CDS.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (CDS.exe)
- Loads dropped DLL (1 IoC)
  Processes: CDS.exe
  pid 3672 CDS.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: a836f921462e6240150cd6c26d59a8e57f2a2f5c4f520568622e3fe4e2828ceb.exe
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (a836f921462e6240150cd6c26d59a8e57f2a2f5c4f520568622e3fe4e2828ceb.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (a836f921462e6240150cd6c26d59a8e57f2a2f5c4f520568622e3fe4e2828ceb.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: CDS.exe
  pid 3672 CDS.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: AUDIODG.EXE
  Token: 33, pid 4180 AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege, pid 4180 AUDIODG.EXE
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: CDS.exe
  pid 3672 CDS.exe (2 events)
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: a836f921462e6240150cd6c26d59a8e57f2a2f5c4f520568622e3fe4e2828ceb.exe, CDS.exe, crypted.exe, fondue.exe
  PID 4424 (a836f921462e6240150cd6c26d59a8e57f2a2f5c4f520568622e3fe4e2828ceb.exe) wrote to memory of PID 3672 (CDS.exe), 3 events
  PID 3672 (CDS.exe) wrote to memory of PID 3148 (crypted.exe), 3 events
  PID 3148 (crypted.exe) wrote to memory of PID 1412 (fondue.exe), 3 events
  PID 1412 (fondue.exe) wrote to memory of PID 1808 (FonDUE.EXE), 2 events
Processes
- C:\Users\Admin\AppData\Local\Temp\a836f921462e6240150cd6c26d59a8e57f2a2f5c4f520568622e3fe4e2828ceb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a836f921462e6240150cd6c26d59a8e57f2a2f5c4f520568622e3fe4e2828ceb.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\fondue.exe
        Command line: "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\FonDUE.EXE
          Command line: "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x2c4 0x40c
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png
  Filesize: 2KB
  MD5: 340b294efc691d1b20c64175d565ebc7
  SHA1: 81cb9649bd1c9a62ae79e781818fc24d15c29ce7
  SHA256: 72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9
  SHA512: 1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd
  Filesize: 13KB
  MD5: 3e7ecaeb51c2812d13b07ec852d74aaf
  SHA1: e9bdab93596ffb0f7f8c65243c579180939acb26
  SHA256: e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96
  SHA512: 635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
  Filesize: 6.1MB
  MD5: 424bf196deaeb4ddcafb78e137fa560a
  SHA1: 007738e9486c904a3115daa6e8ba2ee692af58c8
  SHA256: 0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2
  SHA512: a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat
  Filesize: 103KB
  MD5: ec19695b37f684b23026fe14877480b7
  SHA1: a1d47b2549d6b4dd0b0916f9e5d3a59fd1e840c0
  SHA256: c17ff2eb8d083b4301023a4b9daf3277a60572a2b704de21203e2e66ea729f1c
  SHA512: ec565ff65149c9c7d2143b329d3993ff73bb03302160d31472e178516528fb3e60c9165197c53dbbfa5e05d17266be4774f606397838b07718f05097b64573fe
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
  Filesize: 103KB
  MD5: 2d4c6ed25a730ff2bcafa5be70f5b125
  SHA1: aa6bee72499f3b82cd119ad28347932e331cb713
  SHA256: b4973c0f8c47b08dc82de8f13cdb920e1f535433c3d0e1f87a0f3bc47e9f30d1
  SHA512: f4c6d25c827f13955cc86890bc791d2ec0f3ae29590c04954f7dd89556143bd6399b02aae0a4b5f225d4022920d568fd73329ee2087afbf081716b4abecb1d7f
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings
  Filesize: 5B
  MD5: 68934a3e9455fa72420237eb05902327
  SHA1: 7cb6efb98ba5972a9b5090dc2e517fe14d12cb04
  SHA256: fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa
  SHA512: 719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll
  Filesize: 322KB
  MD5: c3256800dce47c14acc83ccca4c3e2ac
  SHA1: 9d126818c66991dbc3813a65eddb88bbcf77f30a
  SHA256: f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866
  SHA512: 6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25
- memory/1412-142-0x0000000000000000-mapping.dmp
- memory/1808-143-0x0000000000000000-mapping.dmp
- memory/3148-139-0x0000000000000000-mapping.dmp
- memory/3672-130-0x0000000000000000-mapping.dmp