Analysis
- max time kernel: 155s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 22:54
Behavioral task: behavioral1
- Sample: 2c99e49bee02b3833e3261074d7bea04f693b96d3598a1792a0e40640bd61300.exe
- Resource: win7-20220414-en
General
- Target: 2c99e49bee02b3833e3261074d7bea04f693b96d3598a1792a0e40640bd61300.exe
- Size: 37KB
- MD5: a85447229532856b5447ddcadf0d99b9
- SHA1: c24b5c23db289cdddbcde67111b1264928a1be2c
- SHA256: 2c99e49bee02b3833e3261074d7bea04f693b96d3598a1792a0e40640bd61300
- SHA512: 824b3dcf0e76dd77d0b76602a98d227275861e5505b5bac6d4128d43209d424d87ad484b1058b14dc9fb0d657c0f74190c0ae60e544188e38e58a394308e652d
Malware Config
Extracted
- Family: njrat
- Version: im523
- Botnet: HacKed
- C2: svalkabomja333.hopto.org:1978
- Mutex: ebdf784e4c631a8b558a06107e351925
- Attributes:
  - reg_key: ebdf784e4c631a8b558a06107e351925
  - splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes: java.exe (PID 4860)
- Modifies Windows Firewall (1 TTP)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 2c99e49bee02b3833e3261074d7bea04f693b96d3598a1792a0e40640bd61300.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (by 2c99e49bee02b3833e3261074d7bea04f693b96d3598a1792a0e40640bd61300.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (29 IoCs)
  Processes: java.exe (PID 4860)
  Token: SeDebugPrivilege (java.exe, PID 4860)
  Token: 33 (java.exe, PID 4860), repeated
  Token: SeIncBasePriorityPrivilege (java.exe, PID 4860), repeated
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 2c99e49bee02b3833e3261074d7bea04f693b96d3598a1792a0e40640bd61300.exe, java.exe
  PID 3704 (2c99e49bee02b3833e3261074d7bea04f693b96d3598a1792a0e40640bd61300.exe) wrote to memory of PID 4860 (java.exe), 3 times
  PID 4860 (java.exe) wrote to memory of PID 3868 (netsh.exe), 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\2c99e49bee02b3833e3261074d7bea04f693b96d3598a1792a0e40640bd61300.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2c99e49bee02b3833e3261074d7bea04f693b96d3598a1792a0e40640bd61300.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\java.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\java.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (child of java.exe)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\java.exe" "java.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\java.exe
  Filesize: 37KB
  MD5: a85447229532856b5447ddcadf0d99b9
  SHA1: c24b5c23db289cdddbcde67111b1264928a1be2c
  SHA256: 2c99e49bee02b3833e3261074d7bea04f693b96d3598a1792a0e40640bd61300
  SHA512: 824b3dcf0e76dd77d0b76602a98d227275861e5505b5bac6d4128d43209d424d87ad484b1058b14dc9fb0d657c0f74190c0ae60e544188e38e58a394308e652d
- memory/3704-130-0x0000000074A60000-0x0000000075011000-memory.dmp
  Filesize: 5.7MB
- memory/3868-135-0x0000000000000000-mapping.dmp
- memory/4860-131-0x0000000000000000-mapping.dmp
- memory/4860-134-0x0000000074A60000-0x0000000075011000-memory.dmp
  Filesize: 5.7MB