Analysis
max time kernel: 151s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 20-05-2022 23:16

Behavioral task: behavioral1
Sample: 6a5cc3ae2bf1d36f6cec374f08b03644f08325ab479d1cb6c1d70e55729d0151.exe
Resource: win7-20220414-en
General
Target: 6a5cc3ae2bf1d36f6cec374f08b03644f08325ab479d1cb6c1d70e55729d0151.exe
Size: 23KB
MD5: 0ce5a45b067dc03a754bb4b6c602eb89
SHA1: 2a62a801e458589825060bd2553291b6696baca3
SHA256: 6a5cc3ae2bf1d36f6cec374f08b03644f08325ab479d1cb6c1d70e55729d0151
SHA512: fbf79df660446362e4fdc0c14d1b4f2087bae7259f582726b59796bc005f371ce8c2cbbf96364303c13583a53bb970062f8ec7c23f967c01cc8c53343715eee4
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: HacKed
C2: 127.0.0.1:5552
Mutex: d5d39712f604de76fd6f37ea70887795
Attributes:
  reg_key: d5d39712f604de76fd6f37ea70887795
  splitter: |'|'|
Signatures

Executes dropped EXE (1 IoCs)
Processes:
  pid 4624  process Checkcheats.exe

Modifies Windows Firewall (1 TTPs)

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation
  process: 6a5cc3ae2bf1d36f6cec374f08b03644f08325ab479d1cb6c1d70e55729d0151.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (31 IoCs)
Processes (description / pid / process; repeated rows collapsed with a count):
  Token: SeDebugPrivilege            pid 4624  process Checkcheats.exe  (1 event)
  Token: 33                          pid 4624  process Checkcheats.exe  (15 events)
  Token: SeIncBasePriorityPrivilege  pid 4624  process Checkcheats.exe  (15 events)

Suspicious use of WriteProcessMemory (6 IoCs)
Processes (description / pid / process / target process; repeated rows collapsed with a count):
  PID 2344 wrote to memory of 4624  pid 2344  process 6a5cc3ae2bf1d36f6cec374f08b03644f08325ab479d1cb6c1d70e55729d0151.exe  target Checkcheats.exe  (3 events)
  PID 4624 wrote to memory of 1408  pid 4624  process Checkcheats.exe  target netsh.exe  (3 events)
Processes (process tree; depth shown by indentation)

1. C:\Users\Admin\AppData\Local\Temp\6a5cc3ae2bf1d36f6cec374f08b03644f08325ab479d1cb6c1d70e55729d0151.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\6a5cc3ae2bf1d36f6cec374f08b03644f08325ab479d1cb6c1d70e55729d0151.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\Checkcheats.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Checkcheats.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe
         command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Checkcheats.exe" "Checkcheats.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\Checkcheats.exe
  Filesize: 23KB
  MD5: 0ce5a45b067dc03a754bb4b6c602eb89
  SHA1: 2a62a801e458589825060bd2553291b6696baca3
  SHA256: 6a5cc3ae2bf1d36f6cec374f08b03644f08325ab479d1cb6c1d70e55729d0151
  SHA512: fbf79df660446362e4fdc0c14d1b4f2087bae7259f582726b59796bc005f371ce8c2cbbf96364303c13583a53bb970062f8ec7c23f967c01cc8c53343715eee4
memory/1408-135-0x0000000000000000-mapping.dmp
memory/2344-130-0x0000000074E80000-0x0000000075431000-memory.dmp
  Filesize: 5.7MB
memory/4624-131-0x0000000000000000-mapping.dmp
memory/4624-134-0x0000000074E80000-0x0000000075431000-memory.dmp
  Filesize: 5.7MB