Analysis
- max time kernel: 152s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 23:34
Behavioral task behavioral1
- Sample: 94ddab9bf418a816979e7e1ad9dc43c71c00923c5f8f1ff80523e90f6c6947ae.exe
- Resource: win7-20220414-en
Behavioral task behavioral2
- Sample: 94ddab9bf418a816979e7e1ad9dc43c71c00923c5f8f1ff80523e90f6c6947ae.exe
- Resource: win10v2004-20220414-en
The signatures, process tree and dumps below belong to behavioral2 (win10v2004-20220414-en), the resource named in the Analysis header.
General
- Target: 94ddab9bf418a816979e7e1ad9dc43c71c00923c5f8f1ff80523e90f6c6947ae.exe
- Size: 31KB
- MD5: 9d133a0834ae64b62ee98388ea870a02
- SHA1: 0d9bcb4560c22e36d304ca23c1b2bff757dd4ee0
- SHA256: 94ddab9bf418a816979e7e1ad9dc43c71c00923c5f8f1ff80523e90f6c6947ae
- SHA512: 5e95130a3b7f2de70a346b87dcca04a21b800efe5c2bb570b7affc61acd8009e363ba328354ff17fa48807fb739610bf79cea0cdd3e770dc90da64b3b3c2a3b8
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet (campaign ID): username
- C2: helpmepls123.ddns.net:6522 (a dynamic-DNS name, so the IP behind it can change; block and alert on the hostname, not on whatever it resolved to at analysis time)
- Identifier: 997fb9a584520c7d72161d82bec2816f (reused as the reg_key below, as the Run value name and as the Startup-folder file name in the signatures)
- reg_key: 997fb9a584520c7d72161d82bec2816f
- splitter: Y262SUCZ4UJJ (the field delimiter used in this build's C2 messages, replacing the default)
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  pid 3188  drivermvi.exe
- Modifies Windows Firewall (1 TTP)
  No IoC row is listed under this signature; the observed modification is the netsh command line shown in the process tree below.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
  Key value queried  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  by 94ddab9bf418a816979e7e1ad9dc43c71c00923c5f8f1ff80523e90f6c6947ae.exe
- Drops startup file (2 IoCs)
  Processes:
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\997fb9a584520c7d72161d82bec2816f.exe  by drivermvi.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\997fb9a584520c7d72161d82bec2816f.exe  by drivermvi.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  Set value (str)  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\997fb9a584520c7d72161d82bec2816f = "\"C:\\Users\\Admin\\AppData\\Roaming\\drivermvi.exe\" .."  by drivermvi.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\997fb9a584520c7d72161d82bec2816f = "\"C:\\Users\\Admin\\AppData\\Roaming\\drivermvi.exe\" .."  by drivermvi.exe
  Both values launch the copy in the user's Roaming folder with a trailing " .." argument. The machine-wide value lands under WOW6432Node because the process is 32-bit, which also explains why it spawns the SysWOW64 netsh.exe below.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic description for the signature. Nothing else in this report shows encryption; for an njRAT sample, drive enumeration is consistent with the RAT's file-manager and removable-drive spreading features.
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes: drivermvi.exe, pid 3188
  Token: SeDebugPrivilege                            x1
  Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege)  x16
  Token: SeIncBasePriorityPrivilege                  x16
  After the single SeDebugPrivilege request, each privilege-33 request is immediately followed by a SeIncBasePriorityPrivilege request (16 pairs).
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  PID 1620 wrote to memory of 3188  94ddab9bf418a816979e7e1ad9dc43c71c00923c5f8f1ff80523e90f6c6947ae.exe -> drivermvi.exe  (x3)
  PID 3188 wrote to memory of 3056  drivermvi.exe -> netsh.exe  (x3)
  Each parent writes only into the child it has just created (see the process tree), the pattern produced by process startup rather than injection into a pre-existing process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\94ddab9bf418a816979e7e1ad9dc43c71c00923c5f8f1ff80523e90f6c6947ae.exe  (PID 1620)
   Command line: "C:\Users\Admin\AppData\Local\Temp\94ddab9bf418a816979e7e1ad9dc43c71c00923c5f8f1ff80523e90f6c6947ae.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\drivermvi.exe  (PID 3188, child of 1620)
      Command line: "C:\Users\Admin\AppData\Roaming\drivermvi.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe  (PID 3056, child of 3188)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\drivermvi.exe" "drivermvi.exe" ENABLE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\drivermvi.exe
  Filesize: 31KB
  MD5: 9d133a0834ae64b62ee98388ea870a02
  SHA1: 0d9bcb4560c22e36d304ca23c1b2bff757dd4ee0
  SHA256: 94ddab9bf418a816979e7e1ad9dc43c71c00923c5f8f1ff80523e90f6c6947ae
  SHA512: 5e95130a3b7f2de70a346b87dcca04a21b800efe5c2bb570b7affc61acd8009e363ba328354ff17fa48807fb739610bf79cea0cdd3e770dc90da64b3b3c2a3b8
  Identical hashes to the submitted sample: the file copies itself unchanged into Roaming and runs the copy, so the sample hashes in General are the only file indicators needed.
- memory/1620-130-0x0000000074690000-0x0000000074C41000-memory.dmp
  Filesize: 5.7MB
- memory/3056-135-0x0000000000000000-mapping.dmp
- memory/3188-131-0x0000000000000000-mapping.dmp
- memory/3188-134-0x0000000074690000-0x0000000074C41000-memory.dmp
  Filesize: 5.7MB