Analysis
Max time kernel: 152s
Max time network: 134s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 19-04-2022 12:40
Behavioral task: behavioral1
Sample: 6778bc6fb029be25f1922c082048f5222af258a183ba724b0df05225e2f2c196.exe
Resource: win7-20220414-en
General
Target: 6778bc6fb029be25f1922c082048f5222af258a183ba724b0df05225e2f2c196.exe
Size: 93KB
MD5: c9dd2cbc4594e47a4760157ab894bd52
SHA1: d48c7b811eb73c5f921fe870fe3ff6b4f75b9a9e
SHA256: 6778bc6fb029be25f1922c082048f5222af258a183ba724b0df05225e2f2c196
SHA512: 99bcb76a5b90aeaf15ed330b7b0c8ff5ffcc65029fcba69f4c8f9f4a2db9223f98819b3661c09641097f626f7ef801267a9a829484d731b19eafd7a1faa12a07
Malware Config
Extracted family: njrat
Version: 0.7d
Campaign ID: hacker
C2: FRANSESCOTI3LjAuFRANSESCOC4x:MTYwNA==
Mutex: dfd6ed83b13338db2ca4f209d9a7474f
reg_key: dfd6ed83b13338db2ca4f209d9a7474f
splitter: |'|'|

The C2 field is stored host:port with both halves base64-encoded, the host half additionally obfuscated. The port half MTYwNA== is plain base64 for 1604. In the host half the repeated token FRANSESCO stands in for the letter M: substituting M for it gives MTI3LjAuMC4x, which is base64 for 127.0.0.1. This build therefore points at localhost on port 1604, which is what a freshly built or test njRAT client looks like; the hostname is not a usable network indicator. The mutex and reg_key share one value, and that value also appears in one of the Startup-folder filenames below, so it ties the dropped files to this particular build.
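The decoding described above, worked through in code. This is an added example for this page, not code from the sandbox or from njRAT. Its one assumption is labelled in the docstring: that the host half hides the letter M behind a repeated marker token. That is not taken from njRAT documentation; it is what this sample's own value shows, since swapping FRANSESCO back to M yields base64 that decodes to an IPv4 literal. The function therefore tries plain base64 first and only then searches repeated substrings for a marker, so it also handles a config whose host is not obfuscated. The payload passed to split_fields at the bottom is constructed, not a captured njRAT frame.

```python
"""Decode the C2 field of an njRAT 0.7d config record.

Added example; not sandbox or njRAT code. Assumption (from this sample, not
from documentation): the host half may hide the letter 'M' behind a repeated
marker token (FRANSESCO here). The port half is plain base64.
"""
import base64
import binascii
import ipaddress
import re
from typing import List, Optional, Tuple

# Copied from the report's Malware Config block
C2_FIELD = "FRANSESCOTI3LjAuFRANSESCOC4x:MTYwNA=="
SPLITTER = "|'|'|"

_HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$")


def _b64_text(s: str) -> Optional[str]:
    """Strict base64 -> ASCII text; None if s is not valid base64 or not ASCII."""
    try:
        return base64.b64decode(s, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def _plausible_host(s: Optional[str]) -> bool:
    """Accept an IP literal or a DNS-looking name; reject control bytes and junk."""
    if not s:
        return False
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return bool(_HOST_RE.match(s))


def _repeated_substrings(s: str) -> List[str]:
    """Substrings occurring at least twice, longest first (full token before its prefixes)."""
    out: List[str] = []
    for length in range(len(s) // 2, 1, -1):
        for i in range(len(s) - length + 1):
            sub = s[i:i + length]
            if s.count(sub) >= 2 and sub not in out:
                out.append(sub)
    return out


def decode_c2(field: str, marker: Optional[str] = None) -> Tuple[str, int, Optional[str]]:
    """Return (host, port, marker_used) for an njRAT-style 'host:port' config field.

    marker=None means: try plain base64 first, then every repeated substring as
    a stand-in for 'M'. The marker actually used is returned so the analyst can
    record it next to the campaign name.
    """
    host_enc, port_enc = field.rsplit(":", 1)
    port_txt = _b64_text(port_enc)
    if port_txt is None or not port_txt.isdigit() or not 0 < int(port_txt) < 65536:
        raise ValueError(f"bad port field: {port_enc!r}")
    port = int(port_txt)

    if marker is None:
        host = _b64_text(host_enc)
        if _plausible_host(host):
            return host, port, None
        candidates = _repeated_substrings(host_enc)
    else:
        candidates = [marker]

    for cand in candidates:
        host = _b64_text(host_enc.replace(cand, "M"))
        if _plausible_host(host):
            return host, port, cand
    raise ValueError(f"could not decode host field: {host_enc!r}")


def split_fields(payload: str, splitter: str = SPLITTER) -> List[str]:
    """Split a command payload on the configured splitter (the report's |'|'|)."""
    return payload.split(splitter)


if __name__ == "__main__":
    host, port, used = decode_c2(C2_FIELD)
    print(f"C2 {host}:{port}  (marker token: {used})")
    # Constructed payload, only to show the splitter in use; not a captured njRAT frame.
    print(split_fields("inf|'|'|dfd6ed83b13338db2ca4f209d9a7474f|'|'|DESKTOP-TEST|'|'|Admin"))
```

Running it on the report's value prints C2 127.0.0.1:1604 with FRANSESCO as the marker. A config whose host half is ordinary base64 (for example bWFsLmV4YW1wbGUubmV0:NDQz) decodes on the first attempt with no marker, so the same function serves both shapes.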
Signatures

- Executes dropped EXE (1 IoC)
  Process: server.exe, PID 1252

- Modifies Windows Firewall (1 TTP)
  Three netsh.exe children of server.exe add, delete and re-add a firewall "allowedprogram" exception for C:\Users\Admin\AppData\Roaming\server.exe (see the process tree).

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry; the sandbox rule reads this as a likely geofence.
  Process: 6778bc6fb029be25f1922c082048f5222af258a183ba724b0df05225e2f2c196.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation
  Caveat: this value is read through standard Windows locale APIs, and a great many benign .NET programs (njRAT is a VB.NET binary) trigger the same rule. Treat it as weak evidence on its own and weigh it against the persistence and firewall behaviour below.

- Drops startup file (4 IoCs)
  Process: server.exe
  File created, then opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
  File created, then opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dfd6ed83b13338db2ca4f209d9a7474fWindows Update.exe
  The second name is the config's mutex/reg_key value prepended to "Windows Update.exe", so that filename is a per-build indicator; the Startup-folder location and the "Microsoft Corporation.exe" name are the more reusable ones.

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic rule text calls this likely ransomware behaviour; for an njRAT sample it is more consistent with the RAT's file manager and removable-drive spreading features, and nothing else in this report (two dropped files, no mass file writes) supports ransomware.

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Process: server.exe, PID 1252 (64 process-enumeration events)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: server.exe, PID 1252. Repeated GetForegroundWindow polling is consistent with njRAT reporting the victim's active window title to its controller.

- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Process: server.exe, PID 1252
  Token: SeDebugPrivilege once, followed by 17 alternating pairs of Token 33 (the LUID of SeIncreaseWorkingSetPrivilege) and SeIncBasePriorityPrivilege.

- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 4956 (6778bc6fb029be25f1922c082048f5222af258a183ba724b0df05225e2f2c196.exe) wrote to memory of PID 1252 (server.exe): 3 events
  PID 1252 (server.exe) wrote to memory of PID 3060 (netsh.exe): 3 events
  PID 1252 (server.exe) wrote to memory of PID 4416 (netsh.exe): 3 events
  PID 1252 (server.exe) wrote to memory of PID 4632 (netsh.exe): 3 events
  Every write targets a process the writer had just created; three writes per new child is the footprint these reports show for ordinary child-process creation, so on its own this is not evidence of code injection.
Processes

C:\Users\Admin\AppData\Local\Temp\6778bc6fb029be25f1922c082048f5222af258a183ba724b0df05225e2f2c196.exe  (PID 4956)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6778bc6fb029be25f1922c082048f5222af258a183ba724b0df05225e2f2c196.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\server.exe  (PID 1252, child of 4956)
    Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
    - Executes dropped EXE
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe  (child of 1252)
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE

    C:\Windows\SysWOW64\netsh.exe  (child of 1252)
      netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"

    C:\Windows\SysWOW64\netsh.exe  (child of 1252)
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE

The three netsh children carry PIDs 3060, 4416 and 4632 (from the WriteProcessMemory events). They run from SysWOW64, so the RAT is a 32-bit process and file-system redirection sent it to the 32-bit netsh on this x64 VM. The "netsh firewall" context is the pre-Vista syntax; current Windows still executes it but prints a notice recommending "netsh advfirewall firewall", so the commands succeed and the add/delete/add sequence leaves one allow exception for server.exe in place. For detection, the combination is the useful part: a binary running from %AppData% spawning netsh with "add allowedprogram" naming itself, alongside executables created in the user's Startup folder.
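Detection logic for the chain in the tree above, as an added example for this page; it is not a sandbox rule or a vendor detection. The event records are hand-constructed to mirror the report (field names follow Sysmon event ID 1 process-create and ID 11 file-create records, but nothing here is captured telemetry), and the final "benign installer" record is invented as a control so the rules can be seen not firing. The rules go a little beyond this sample: the command-line parser also understands the current "netsh advfirewall firewall add rule ... program=" form, and the user-writable path list is a coarse starting point to tune per estate.

```python
"""Flag the njRAT persistence and firewall-tampering chain from the process tree.

Added example; not a sandbox rule or vendor detection. SAMPLE_EVENTS are
constructed to mirror the report (Sysmon-style field names, not real telemetry);
the last record is an invented benign control.
"""
import re
from typing import Dict, List, Optional

Event = Dict[str, object]

# Coarse "a standard user can write here" locations; tune for your estate.
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+\\(?:appdata\\(?:roaming|local|locallow)|downloads|desktop|documents)\\"
    r"|[a-z]:\\(?:programdata|windows\\temp|users\\public)\\)", re.I)
APPDATA_ROOT_EXE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\[^\\]+\.exe$", re.I)
STARTUP_DIR = re.compile(r"\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\", re.I)
# Legacy 'netsh firewall' (what this sample uses) and the current 'netsh advfirewall' form
FW_ALLOW = re.compile(r"\bfirewall\s+add\s+allowedprogram\b|\badvfirewall\s+firewall\s+add\s+rule\b", re.I)


def split_cmdline(cmd: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping double-quoted runs together
    (including key="value with spaces"); quotes are stripped from the result."""
    return [tok.replace('"', "") for tok in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmd)]


def allowed_program(argv: List[str]) -> Optional[str]:
    """Program path named in a netsh firewall allow command, if any."""
    for a in argv:
        if a.lower().startswith("program="):
            return a[len("program="):]
    for a in argv[1:]:
        if re.match(r"^[a-z]:\\", a, re.I):
            return a
    return None


def analyse_process(ev: Event) -> List[str]:
    image, parent, cmd = str(ev["Image"]), str(ev.get("ParentImage", "")), str(ev.get("CommandLine", ""))
    findings: List[str] = []
    if APPDATA_ROOT_EXE.match(image):
        findings.append(f"executable running from the root of %AppData%\\Roaming: {image}")
    if image.lower().endswith("\\netsh.exe"):
        if USER_WRITABLE.match(parent):
            findings.append(f"netsh spawned by a binary in a user-writable path: {parent}")
        if FW_ALLOW.search(cmd):
            target = allowed_program(split_cmdline(cmd))
            if target and USER_WRITABLE.match(target):
                findings.append(f"firewall exception for a user-writable binary: {target}")
    return findings


def analyse_file(ev: Event) -> List[str]:
    target = str(ev["TargetFilename"])
    if STARTUP_DIR.search(target) and target.lower().endswith(".exe"):
        return [f"executable dropped into the Startup folder: {target} (by {ev.get('Image', '?')})"]
    return []


def run(events: List[Event]) -> List[str]:
    findings: List[str] = []
    for ev in events:
        if ev["EventID"] == 1:
            findings += analyse_process(ev)
        elif ev["EventID"] == 11:
            findings += analyse_file(ev)
    return findings


# --- constructed events mirroring the report (not captured telemetry) -------
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\6778bc6fb029be25f1922c082048f5222af258a183ba724b0df05225e2f2c196.exe"
SERVER = r"C:\Users\Admin\AppData\Roaming\server.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
NETSH32 = r"C:\Windows\SysWOW64\netsh.exe"

SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1, "Image": SERVER, "ParentImage": SAMPLE, "CommandLine": f'"{SERVER}"'},
    {"EventID": 11, "Image": SERVER, "TargetFilename": STARTUP + r"\Microsoft Corporation.exe"},
    {"EventID": 11, "Image": SERVER, "TargetFilename": STARTUP + r"\dfd6ed83b13338db2ca4f209d9a7474fWindows Update.exe"},
    {"EventID": 1, "Image": NETSH32, "ParentImage": SERVER,
     "CommandLine": f'netsh firewall add allowedprogram "{SERVER}" "server.exe" ENABLE'},
    {"EventID": 1, "Image": NETSH32, "ParentImage": SERVER,
     "CommandLine": f'netsh firewall delete allowedprogram "{SERVER}"'},
    {"EventID": 1, "Image": NETSH32, "ParentImage": SERVER,
     "CommandLine": f'netsh firewall add allowedprogram "{SERVER}" "server.exe" ENABLE'},
    # Invented benign control: an installer under Program Files allowing its own app
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe", "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="Vendor App" dir=in action=allow '
                    'program="C:\\Program Files\\Vendor\\app.exe" enable=yes'},
]

if __name__ == "__main__":
    for line in run(SAMPLE_EVENTS):
        print(line)
```

On the constructed events this yields eight findings: one for server.exe executing from the root of %AppData%\Roaming, two for the Startup-folder drops, two for each "add allowedprogram" (user-writable parent plus user-writable target) and one for the "delete" (user-writable parent only). The Program Files control record produces nothing, which is the point of keying on where the binary lives rather than on netsh itself.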
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\app
  Filesize: 5B
  MD5: 2099bb64fd1770d321df364f99b658d1
  SHA1: 3124edeaa14c060becfa8b980ed77db15d56a9e3
  SHA256: d53ce6bdbd0c3cb4596ac3103f15824570a9858da95f63cedf64cec11dc44e2d
  SHA512: 3481f2a02f7b1255ad0f3cd8a716de9c7414753b6f8657f0bf99738ff6623f8717469bc10e737d6c0d1d13846e726d50baeb5e8ef73efcfce7be5c63327c4895

C:\Users\Admin\AppData\Roaming\server.exe  (the report lists this file twice with identical hashes)
  Filesize: 93KB
  MD5: c9dd2cbc4594e47a4760157ab894bd52
  SHA1: d48c7b811eb73c5f921fe870fe3ff6b4f75b9a9e
  SHA256: 6778bc6fb029be25f1922c082048f5222af258a183ba724b0df05225e2f2c196
  SHA512: 99bcb76a5b90aeaf15ed330b7b0c8ff5ffcc65029fcba69f4c8f9f4a2db9223f98819b3661c09641097f626f7ef801267a9a829484d731b19eafd7a1faa12a07
  These hashes match the submitted sample exactly: server.exe is a byte-for-byte copy of the original placed in %AppData%, so blocking on the original's hashes covers the dropped copy as well.
Memory dumps
  memory/1252-131-0x0000000000000000-mapping.dmp
  memory/1252-135-0x00000000753E0000-0x0000000075991000-memory.dmp  (5.7MB)
  memory/3060-136-0x0000000000000000-mapping.dmp
  memory/4416-137-0x0000000000000000-mapping.dmp
  memory/4632-138-0x0000000000000000-mapping.dmp
  memory/4956-130-0x00000000753E0000-0x0000000075991000-memory.dmp  (5.7MB)
  The same 5.7MB range, 0x753E0000-0x75991000, is dumped from both the submitted sample (PID 4956) and its copy server.exe (PID 1252), the two processes that run the identical 93KB image.