Analysis
- max time kernel: 161s
- max time network: 174s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 22:43
Behavioral task behavioral1
- Sample: b4b2eacff6bc86a3dfb035f67050dc53574fb10dda364c7f5c3258f4f2dff589.exe
- Resource: win7-20220414-en
Behavioral task behavioral2
- Sample: b4b2eacff6bc86a3dfb035f67050dc53574fb10dda364c7f5c3258f4f2dff589.exe
- Resource: win10v2004-20220414-en
General
- Target: b4b2eacff6bc86a3dfb035f67050dc53574fb10dda364c7f5c3258f4f2dff589.exe
- Size: 23KB
- MD5: 54aaf1fc91baedb708e3b7206bce1142
- SHA1: b1b0f90031a8a23637053cf7c0629764a1d20113
- SHA256: b4b2eacff6bc86a3dfb035f67050dc53574fb10dda364c7f5c3258f4f2dff589
- SHA512: f705ca7cd5ae5c68c1b54ed3897b0e2d4d0bc8ea8c5742d50a129f6c756c91498066f76c96d3cef632c3e8825b05f2ab4a303c4da36a7460d5df6077afe70f9a
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: ytb
- C2: 170.78.228.248:1177
- Mutex: df5733cef342467c069491e91efa63c5
- reg_key: df5733cef342467c069491e91efa63c5
- splitter: |'|'|
Signatures
-
Executes dropped EXE (1 IoC)
Processes:
  crss.exe (pid 3004)
-
Modifies Windows Firewall (1 TTP)
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  b4b2eacff6bc86a3dfb035f67050dc53574fb10dda364c7f5c3258f4f2dff589.exe: Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
-
Drops startup file (2 IoCs)
Processes:
  crss.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\df5733cef342467c069491e91efa63c5.exe
  crss.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\df5733cef342467c069491e91efa63c5.exe
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  crss.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\df5733cef342467c069491e91efa63c5 = "\"C:\\Users\\Admin\\crss.exe\" .."
  crss.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\df5733cef342467c069491e91efa63c5 = "\"C:\\Users\\Admin\\crss.exe\" .."
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken (31 IoCs)
Processes:
  crss.exe (pid 3004): Token: SeDebugPrivilege
  crss.exe (pid 3004): alternating Token: 33 and Token: SeIncBasePriorityPrivilege (30 entries)
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  PID 3560 (b4b2eacff6bc86a3dfb035f67050dc53574fb10dda364c7f5c3258f4f2dff589.exe) wrote to memory of PID 3004 (crss.exe), 3 times
  PID 3004 (crss.exe) wrote to memory of PID 4480 (netsh.exe), 3 times
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\b4b2eacff6bc86a3dfb035f67050dc53574fb10dda364c7f5c3258f4f2dff589.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b4b2eacff6bc86a3dfb035f67050dc53574fb10dda364c7f5c3258f4f2dff589.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   -
   2. C:\Users\Admin\crss.exe
      Command line: "C:\Users\Admin\crss.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      -
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\crss.exe" "crss.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\crss.exe
- Filesize: 23KB
- MD5: 54aaf1fc91baedb708e3b7206bce1142
- SHA1: b1b0f90031a8a23637053cf7c0629764a1d20113
- SHA256: b4b2eacff6bc86a3dfb035f67050dc53574fb10dda364c7f5c3258f4f2dff589
- SHA512: f705ca7cd5ae5c68c1b54ed3897b0e2d4d0bc8ea8c5742d50a129f6c756c91498066f76c96d3cef632c3e8825b05f2ab4a303c4da36a7460d5df6077afe70f9a
-
memory/3004-131-0x0000000000000000-mapping.dmp
-
memory/3004-134-0x0000000074C20000-0x00000000751D1000-memory.dmp
- Filesize: 5.7MB
-
memory/3560-130-0x0000000074C20000-0x00000000751D1000-memory.dmp
- Filesize: 5.7MB
-
memory/4480-135-0x0000000000000000-mapping.dmp