Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
20-05-2022 23:32
Behavioral task
behavioral1
Sample
e58d01ecd88c6acb84893e0a4ecbc823cc3715770d22e1e761f9c5ec9b44d5b1.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
e58d01ecd88c6acb84893e0a4ecbc823cc3715770d22e1e761f9c5ec9b44d5b1.exe
Resource
win10v2004-20220414-en
General
-
Target
e58d01ecd88c6acb84893e0a4ecbc823cc3715770d22e1e761f9c5ec9b44d5b1.exe
-
Size
23KB
-
MD5
75af76d2a53d30d3d005ed79719b0839
-
SHA1
e811f724203ec37b0ac9906349db186a190540ba
-
SHA256
e58d01ecd88c6acb84893e0a4ecbc823cc3715770d22e1e761f9c5ec9b44d5b1
-
SHA512
d512cbbe97f7a1bb6bd7744192e7b845d89544ef008cd241d22b4f69ebc9be8796388efe49a96d7d203fc994f8af8ece63f2664560a357f943db74e611c177a7
Malware Config
Extracted
njrat
0.7d
HacKed
tplinklocal.linkpc.net:1177
ac439180f0d27caad533e0a9c298c9a2
-
reg_key
ac439180f0d27caad533e0a9c298c9a2
-
splitter
|'|'|
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
server.exepid process 876 server.exe -
Modifies Windows Firewall 1 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
e58d01ecd88c6acb84893e0a4ecbc823cc3715770d22e1e761f9c5ec9b44d5b1.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation e58d01ecd88c6acb84893e0a4ecbc823cc3715770d22e1e761f9c5ec9b44d5b1.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
server.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ac439180f0d27caad533e0a9c298c9a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ac439180f0d27caad533e0a9c298c9a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
Processes:
server.exedescription pid process Token: SeDebugPrivilege 876 server.exe Token: 33 876 server.exe Token: SeIncBasePriorityPrivilege 876 server.exe Token: 33 876 server.exe Token: SeIncBasePriorityPrivilege 876 server.exe Token: 33 876 server.exe Token: SeIncBasePriorityPrivilege 876 server.exe Token: 33 876 server.exe Token: SeIncBasePriorityPrivilege 876 server.exe Token: 33 876 server.exe Token: SeIncBasePriorityPrivilege 876 server.exe Token: 33 876 server.exe Token: SeIncBasePriorityPrivilege 876 server.exe Token: 33 876 server.exe Token: SeIncBasePriorityPrivilege 876 server.exe Token: 33 876 server.exe Token: SeIncBasePriorityPrivilege 876 server.exe Token: 33 876 server.exe Token: SeIncBasePriorityPrivilege 876 server.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
e58d01ecd88c6acb84893e0a4ecbc823cc3715770d22e1e761f9c5ec9b44d5b1.exeserver.exedescription pid process target process PID 3588 wrote to memory of 876 3588 e58d01ecd88c6acb84893e0a4ecbc823cc3715770d22e1e761f9c5ec9b44d5b1.exe server.exe PID 3588 wrote to memory of 876 3588 e58d01ecd88c6acb84893e0a4ecbc823cc3715770d22e1e761f9c5ec9b44d5b1.exe server.exe PID 3588 wrote to memory of 876 3588 e58d01ecd88c6acb84893e0a4ecbc823cc3715770d22e1e761f9c5ec9b44d5b1.exe server.exe PID 876 wrote to memory of 4492 876 server.exe netsh.exe PID 876 wrote to memory of 4492 876 server.exe netsh.exe PID 876 wrote to memory of 4492 876 server.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e58d01ecd88c6acb84893e0a4ecbc823cc3715770d22e1e761f9c5ec9b44d5b1.exe"C:\Users\Admin\AppData\Local\Temp\e58d01ecd88c6acb84893e0a4ecbc823cc3715770d22e1e761f9c5ec9b44d5b1.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\server.exeFilesize
23KB
MD575af76d2a53d30d3d005ed79719b0839
SHA1e811f724203ec37b0ac9906349db186a190540ba
SHA256e58d01ecd88c6acb84893e0a4ecbc823cc3715770d22e1e761f9c5ec9b44d5b1
SHA512d512cbbe97f7a1bb6bd7744192e7b845d89544ef008cd241d22b4f69ebc9be8796388efe49a96d7d203fc994f8af8ece63f2664560a357f943db74e611c177a7
-
C:\Users\Admin\AppData\Local\Temp\server.exeFilesize
23KB
MD575af76d2a53d30d3d005ed79719b0839
SHA1e811f724203ec37b0ac9906349db186a190540ba
SHA256e58d01ecd88c6acb84893e0a4ecbc823cc3715770d22e1e761f9c5ec9b44d5b1
SHA512d512cbbe97f7a1bb6bd7744192e7b845d89544ef008cd241d22b4f69ebc9be8796388efe49a96d7d203fc994f8af8ece63f2664560a357f943db74e611c177a7
-
memory/876-131-0x0000000000000000-mapping.dmp
-
memory/876-134-0x0000000075130000-0x00000000756E1000-memory.dmpFilesize
5.7MB
-
memory/3588-130-0x0000000075130000-0x00000000756E1000-memory.dmpFilesize
5.7MB
-
memory/4492-135-0x0000000000000000-mapping.dmp