Analysis
- max time kernel: 152s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 23:32
Static task: static1
Behavioral task: behavioral1
- Sample: c522d9973750b509bea999d0854cd21bfbf854aef3c6e2bfcb041c61f22c42d1.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: c522d9973750b509bea999d0854cd21bfbf854aef3c6e2bfcb041c61f22c42d1.exe
- Resource: win10v2004-20220414-en
General
- Target: c522d9973750b509bea999d0854cd21bfbf854aef3c6e2bfcb041c61f22c42d1.exe
- Size: 37KB
- MD5: 2333a7b5b03e3fa1bd77b635e0a7f0df
- SHA1: 984a1120d48af498288e8ef09f49d8989e0d1aff
- SHA256: c522d9973750b509bea999d0854cd21bfbf854aef3c6e2bfcb041c61f22c42d1
- SHA512: 504063f2913ba7b1ff8dd5a0eee97f421857e1218280e59a64dc707c7e9a6ac290a58c45fcbe05ff38172e037a0994043d979f403d506273c14f86cb895a59c1
Malware Config
Extracted
- Family: njrat
- Version: im523
- Botnet / campaign ID: хороший_чит227 (Russian, roughly "good_cheat227")
- C2: 127.0.0.1:5552
- Mutex: 345d8bf41e0048532905f37e4f8e9889
- reg_key: 345d8bf41e0048532905f37e4f8e9889
- splitter: |'|'|

The C2 is loopback on 5552, njRAT's default port, so this build cannot reach an external operator as configured; that is consistent with a test or locally proxied build and with the absence of network indicators below. The same 32-character value serves as mutex, Run value name and Startup file name, which is why it reappears throughout the signatures.
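The splitter above is the field separator njRAT uses on the wire, which makes it a usable network-detection hook. The following parser is an added example written for this page; it is not code from the sandbox, the report, or the malware. It assumes the framing commonly described in public njRAT analyses (ASCII decimal length, a NUL byte, then the payload), treats that framing and the command names as assumptions, and runs on a constructed byte string rather than captured traffic.

```python
"""njRAT-style message framing and field parser (added example).

Assumptions, not stated on the report page: each TCP message is framed as an
ASCII decimal length, a NUL byte, then the payload; fields inside the payload
are joined by the configured splitter. The splitter |'|'| and the version
string im523 are the extracted config values; SAMPLE_STREAM is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SPLITTER = b"|'|'|"   # extracted config value
# Command names reported for njRAT in public analyses (a subset; assumption).
KNOWN_COMMANDS = {"ll", "inf", "ret", "act", "kl", "CAP", "ping", "proc", "rn", "inv"}
MAX_PREFIX = 10       # upper bound on decimal length digits before giving up


@dataclass
class Frame:
    command: str       # first splitter-delimited field
    fields: List[bytes]
    payload: bytes


def parse_frame(buf: bytes) -> Tuple[Optional[Frame], bytes]:
    """Take one length-prefixed frame off the front of buf.

    Returns (frame, rest). Returns (None, buf) when the buffer does not yet hold
    a complete frame (read more first). Raises ValueError when the bytes cannot
    be this framing at all, so a detector can bail out early on other protocols.
    """
    nul = buf.find(b"\x00", 0, MAX_PREFIX + 1)
    if nul < 0:
        if len(buf) > MAX_PREFIX:
            raise ValueError("no NUL after length prefix")
        return None, buf
    prefix = buf[:nul]
    if not prefix.isdigit():
        raise ValueError("length prefix is not decimal: %r" % prefix)
    length = int(prefix)
    start = nul + 1
    if len(buf) < start + length:
        return None, buf                      # truncated: wait for more data
    payload = buf[start:start + length]
    parts = payload.split(SPLITTER)
    command = parts[0].decode("latin-1", "replace")
    return Frame(command, parts[1:], payload), buf[start + length:]


def parse_stream(buf: bytes) -> Tuple[List[Frame], bytes]:
    """Split a reassembled TCP stream into frames; returns frames and leftover bytes."""
    frames: List[Frame] = []
    while buf:
        frame, buf = parse_frame(buf)
        if frame is None:
            break
        frames.append(frame)
    return frames, buf


def njrat_score(buf: bytes) -> int:
    """Count frames that parse under this framing, carry the splitter and open
    with a known command. Returns 0 for anything that is not this framing."""
    try:
        frames, _ = parse_stream(buf)
    except ValueError:
        return 0
    return sum(1 for f in frames if SPLITTER in f.payload and f.command in KNOWN_COMMANDS)


def _frame(*fields: bytes) -> bytes:
    """Build one frame the way the parser expects it (used for the sample only)."""
    payload = SPLITTER.join(fields)
    return str(len(payload)).encode() + b"\x00" + payload


# Constructed sample: a check-in ('ll') with an illustrative field order, a short
# 'inf' frame, then a truncated frame (5 of the announced 7 payload bytes).
SAMPLE_STREAM = (
    _frame(b"ll", b"SGFja2VkXzM0NWQ4YmY0", b"DESKTOP-1", b"Admin", b"22-05-20",
           b"", b"Win 10 Pro", b"No", b"im523", b"..")
    + _frame(b"inf", b"ping")
    + b"7\x00trail"
)

if __name__ == "__main__":
    frames, rest = parse_stream(SAMPLE_STREAM)
    for f in frames:
        print(f.command, [x.decode("latin-1") for x in f.fields])
    print("leftover:", rest, "score:", njrat_score(SAMPLE_STREAM))
```

Run against real captures only after confirming the framing assumption on your own samples; the score is a triage heuristic, and the incomplete-frame path matters because njRAT keeps the connection open and messages straddle segment boundaries.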
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    PID 3040  РґРґ.exe
- Modifies Windows Firewall (1 TTP)
  No IoC row is listed for this signature; the supporting event is the netsh.exe child in the process tree, which adds РґРґ.exe to the firewall's allowed-program list.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely geofencing.
  Processes:
    Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation  by c522d9973750b509bea999d0854cd21bfbf854aef3c6e2bfcb041c61f22c42d1.exe
- Drops startup file (2 IoCs)
  Processes (both by РґРґ.exe):
    File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\345d8bf41e0048532905f37e4f8e9889.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\345d8bf41e0048532905f37e4f8e9889.exe
  The file name is the reg_key value from the extracted config.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (both by РґРґ.exe):
    Set value (str)  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\345d8bf41e0048532905f37e4f8e9889 = "\"C:\\Users\\Admin\\AppData\\Roaming\\РґРґ.exe\" .."
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\345d8bf41e0048532905f37e4f8e9889 = "\"C:\\Users\\Admin\\AppData\\Roaming\\РґРґ.exe\" .."
  The value name is again the reg_key from the config, and the data is the binary's own quoted path followed by " ..", a familiar njRAT Run-value pattern. The HKLM write lands under WOW6432Node because a 32-bit process writing HKLM\SOFTWARE on 64-bit Windows is redirected there; Windows still honours that Run key at logon. Writing HKLM at all requires administrative rights.
- Drops autorun.inf file (1 TTP)
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour"; for this sample, read together with the autorun.inf signature above, it matches the removable-drive spreading routine njRAT is known for, not encryption activity. Neither of these two signatures lists an IoC row.
- Suspicious use of AdjustPrivilegeToken (29 IoCs)
  All by PID 3040 РґРґ.exe:
    SeDebugPrivilege             1x
    Token: 33                   14x  (privilege LUID 33, i.e. SeIncreaseWorkingSetPrivilege; the sandbox reports it only by number)
    SeIncBasePriorityPrivilege  14x
  In the original listing the 33 / SeIncBasePriorityPrivilege entries alternate after the single SeDebugPrivilege adjustment.
- Suspicious use of WriteProcessMemory (6 IoCs)
    PID 3784 c522d9973750b509bea999d0854cd21bfbf854aef3c6e2bfcb041c61f22c42d1.exe  wrote to memory of  PID 3040 РґРґ.exe   (3x)
    PID 3040 РґРґ.exe                                                             wrote to memory of  PID 4340 netsh.exe  (3x)
  Each parent wrote into a child it had just created. CreateProcess itself writes into the new process (process parameters and similar setup), so parent-to-child writes at spawn time are not on their own evidence of code injection.
Processes
1. C:\Users\Admin\AppData\Local\Temp\c522d9973750b509bea999d0854cd21bfbf854aef3c6e2bfcb041c61f22c42d1.exe  (PID 3784)
   command line: "C:\Users\Admin\AppData\Local\Temp\c522d9973750b509bea999d0854cd21bfbf854aef3c6e2bfcb041c61f22c42d1.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\РґРґ.exe  (PID 3040)
      command line: "C:\Users\Admin\AppData\Roaming\РґРґ.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe  (PID 4340)
         command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\РґРґ.exe" "РґРґ.exe" ENABLE

The chain is: the submitted sample copies itself to %APPDATA%\РґРґ.exe and launches the copy; the copy registers itself for autostart (Run keys plus a Startup-folder file) and spawns netsh.exe to whitelist itself in the Windows Firewall. The netsh call uses the legacy `netsh firewall` context, deprecated since Windows Vista in favour of `netsh advfirewall firewall`, but it still executes on Windows 10 (with a deprecation notice), so the rule is applied. netsh.exe being launched from SysWOW64 shows the parent is a 32-bit process, which matches the WOW6432Node Run key above. PIDs are taken from the WriteProcessMemory signature.
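The process tree above is a compact persistence chain (Run key pointing into a user-writable directory, Startup-folder drop named after a 32-hex identifier, and a netsh firewall exception for the same binary) that is easy to hunt for in endpoint telemetry. The rules below are an added example written for this page, not tooling from the sandbox or the report. Field names follow Sysmon (EventID 1 ProcessCreate, 11 FileCreate, 13 RegistryEvent SetValue); the event lines are constructed from the paths and values on this page plus two benign decoys, not exported from a real host. Treating the 32-hex naming as an njRAT trait is a heuristic assumption.

```python
"""Hunting rules for the persistence chain in this report (added example).

Runs over constructed Sysmon-style JSON events. Field names follow Sysmon
(EventID 1 ProcessCreate, 11 FileCreate, 13 RegistryEvent SetValue); the
events are built from the paths and values in the report, not exported from
a host. Attribution of the netsh call goes to the parent that spawned it.
"""
import json
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Roaming|Local)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# njRAT names its Run value, mutex and Startup copy after a 32-hex identifier
# (the reg_key in the extracted config); a heuristic assumption, not a guarantee.
HEX32_NAME = re.compile(r"(?:\\|^)[0-9a-f]{32}(?:\.exe)?$", re.I)
NETSH_ALLOW = re.compile(
    r"\bnetsh(?:\.exe)?\s+(?:firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)\b",
    re.I)
QUOTED_PATH = re.compile(r'"([^"]+)"')


def first_path(value: str) -> str:
    """Executable path from a Run value or command line: '"C:\\x.exe" ..' -> 'c:\\x.exe'."""
    m = QUOTED_PATH.search(value)
    return (m.group(1) if m else value.split()[0]).lower()


def load_events(lines: Iterable[str]) -> List[dict]:
    return [json.loads(line) for line in lines if line.strip()]


def evaluate(events: Iterable[dict]) -> Dict[str, Set[str]]:
    """Apply the rules; returns {ProcessGuid: set of rule names that fired}."""
    events = list(events)
    image_of = {e["ProcessGuid"]: e["Image"].lower() for e in events if e["EventID"] == 1}
    hits: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        guid = e["ProcessGuid"]
        if e["EventID"] == 13 and RUN_KEY.search(e["TargetObject"]):
            target = first_path(e["Details"])
            if USER_WRITABLE.search(target):
                hits[guid].add("run_key_user_writable")
            if target == image_of.get(guid):
                hits[guid].add("run_key_self")            # registers its own image
            if HEX32_NAME.search(e["TargetObject"]):
                hits[guid].add("run_value_hex32_name")
        elif e["EventID"] == 11 and STARTUP_DIR.search(e["TargetFilename"]):
            hits[guid].add("startup_folder_drop")
            if HEX32_NAME.search(e["TargetFilename"]):
                hits[guid].add("startup_hex32_name")
        elif e["EventID"] == 1 and NETSH_ALLOW.search(e.get("CommandLine", "")):
            if USER_WRITABLE.search(e["CommandLine"]):
                # Blame the process that launched netsh, not netsh itself.
                hits[e["ParentProcessGuid"]].add("firewall_allow_user_writable")
    return dict(hits)


def chains(hits: Dict[str, Set[str]], threshold: int = 3) -> List[str]:
    """ProcessGuids that combine at least `threshold` distinct rules (the njRAT-like chain)."""
    return sorted(g for g, rules in hits.items() if len(rules) >= threshold)


# Constructed events: GUIDs A/B/C mirror the report's three processes; D/E are
# a benign vendor installer that also touches Run and the firewall.
SAMPLE_EVENTS = r"""
{"EventID": 1, "ProcessGuid": "A", "ParentProcessGuid": "X", "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\c522d9973750b509bea999d0854cd21bfbf854aef3c6e2bfcb041c61f22c42d1.exe", "CommandLine": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\c522d9973750b509bea999d0854cd21bfbf854aef3c6e2bfcb041c61f22c42d1.exe\""}
{"EventID": 1, "ProcessGuid": "B", "ParentProcessGuid": "A", "Image": "C:\\Users\\Admin\\AppData\\Roaming\\РґРґ.exe", "CommandLine": "\"C:\\Users\\Admin\\AppData\\Roaming\\РґРґ.exe\""}
{"EventID": 13, "ProcessGuid": "B", "TargetObject": "HKU\\S-1-5-21-3751123196-3323558407-1869646069-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\345d8bf41e0048532905f37e4f8e9889", "Details": "\"C:\\Users\\Admin\\AppData\\Roaming\\РґРґ.exe\" .."}
{"EventID": 13, "ProcessGuid": "B", "TargetObject": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\345d8bf41e0048532905f37e4f8e9889", "Details": "\"C:\\Users\\Admin\\AppData\\Roaming\\РґРґ.exe\" .."}
{"EventID": 11, "ProcessGuid": "B", "TargetFilename": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\345d8bf41e0048532905f37e4f8e9889.exe"}
{"EventID": 1, "ProcessGuid": "C", "ParentProcessGuid": "B", "Image": "C:\\Windows\\SysWOW64\\netsh.exe", "CommandLine": "netsh firewall add allowedprogram \"C:\\Users\\Admin\\AppData\\Roaming\\РґРґ.exe\" \"РґРґ.exe\" ENABLE"}
{"EventID": 13, "ProcessGuid": "D", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater", "Details": "\"C:\\Program Files\\Vendor\\updater.exe\" /quiet"}
{"EventID": 1, "ProcessGuid": "E", "ParentProcessGuid": "D", "Image": "C:\\Windows\\System32\\netsh.exe", "CommandLine": "netsh advfirewall firewall add rule name=\"Vendor\" dir=in action=allow program=\"C:\\Program Files\\Vendor\\updater.exe\""}
"""

if __name__ == "__main__":
    hits = evaluate(load_events(SAMPLE_EVENTS.splitlines()))
    for guid, rules in hits.items():
        print(guid, sorted(rules))
    print("chains:", chains(hits))
```

The decoy installer writes a Run key and adds a firewall rule too, but both point into Program Files, so nothing fires on it; the separation comes from the user-writable path, not from the presence of netsh or a Run key. Requiring three distinct rules per process keeps a lone Startup-folder shortcut from paging anyone.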
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\РґРґ.exe (listed twice in the original report)
  Filesize  37KB
  MD5       2333a7b5b03e3fa1bd77b635e0a7f0df
  SHA1      984a1120d48af498288e8ef09f49d8989e0d1aff
  SHA256    c522d9973750b509bea999d0854cd21bfbf854aef3c6e2bfcb041c61f22c42d1
  SHA512    504063f2913ba7b1ff8dd5a0eee97f421857e1218280e59a64dc707c7e9a6ac290a58c45fcbe05ff38172e037a0994043d979f403d506273c14f86cb895a59c1
  All four hashes match the submitted sample: the dropped РґРґ.exe is a byte-identical copy of the original written to %APPDATA%, not a second-stage payload.
- memory/3040-131-0x0000000000000000-mapping.dmp
- memory/3040-134-0x00000000748D0000-0x0000000074E81000-memory.dmp  Filesize 5.7MB
- memory/3784-130-0x00000000748D0000-0x0000000074E81000-memory.dmp  Filesize 5.7MB
- memory/4340-135-0x0000000000000000-mapping.dmp
  The same 5.7MB region at 0x748D0000 appears in both PID 3784 and PID 3040, i.e. a module mapped into both processes; it is far larger than the 37KB sample image itself.