Analysis
- max time kernel: 151s
- max time network: 110s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 23:41
Static task: static1

Behavioral task: behavioral1
- Sample: 94da1350b6e8e3e7fbab0df965d5d29c24e7029746d5908c1d0778b5d65ef1e8.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 94da1350b6e8e3e7fbab0df965d5d29c24e7029746d5908c1d0778b5d65ef1e8.exe
- Resource: win10v2004-20220414-en
General
- Target: 94da1350b6e8e3e7fbab0df965d5d29c24e7029746d5908c1d0778b5d65ef1e8.exe
- Size: 705KB
- MD5: a417bd210ba1cac6f5583a46f717c927
- SHA1: ff6ea4714d231b8762203740b6e1142a56fae458
- SHA256: 94da1350b6e8e3e7fbab0df965d5d29c24e7029746d5908c1d0778b5d65ef1e8
- SHA512: b95085a8d5739d5cc22de84b8319cbf4d9f4aa0c2397a403e27e493be80a857f27ebeba61f856b90f55dbb938c94c2443171c5b4d7d2ec1d0817cfea7fd9f924
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: MyBot
- C2: 127.0.0.1:6522
- Mutex: f4dd36e85bd93926452630eb2bb82274
- reg_key: f4dd36e85bd93926452630eb2bb82274
- splitter: Y262SUCZ4UJJ
Signatures

- Executes dropped EXE (1 IoCs)
  Processes:
  - pid 3464: NEVIRUS.exe

- Modifies Windows Firewall (1 TTPs)

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (process: 94da1350b6e8e3e7fbab0df965d5d29c24e7029746d5908c1d0778b5d65ef1e8.exe)

- Drops startup file (2 IoCs)
  Processes:
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f4dd36e85bd93926452630eb2bb82274.exe (process: NEVIRUS.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f4dd36e85bd93926452630eb2bb82274.exe (process: NEVIRUS.exe)

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  - Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f4dd36e85bd93926452630eb2bb82274 = "\"C:\\Program Files (x86)\\NEVIRUS.exe\" .." (process: NEVIRUS.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\f4dd36e85bd93926452630eb2bb82274 = "\"C:\\Program Files (x86)\\NEVIRUS.exe\" .." (process: NEVIRUS.exe)

- Drops file in Program Files directory (5 IoCs)
  Processes (all by 94da1350b6e8e3e7fbab0df965d5d29c24e7029746d5908c1d0778b5d65ef1e8.exe):
  - File opened for modification: C:\Program Files (x86)\NEVIRUS.exe
  - File created: C:\Program Files (x86)\KjFulNKqG6o.jpg
  - File opened for modification: C:\Program Files (x86)\KjFulNKqG6o.jpg
  - File created: C:\Program Files (x86)\__tmp_rar_sfx_access_check_240550609
  - File created: C:\Program Files (x86)\NEVIRUS.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  - pid 3464: NEVIRUS.exe (the same entry is listed 64 times)

- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes:
  - Token: SeDebugPrivilege, pid 3464, NEVIRUS.exe
  - Token: 33 and Token: SeIncBasePriorityPrivilege, pid 3464, NEVIRUS.exe (alternating, 32 entries in total)

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  - PID 3792 wrote to memory of 3464: 94da1350b6e8e3e7fbab0df965d5d29c24e7029746d5908c1d0778b5d65ef1e8.exe -> NEVIRUS.exe (3 entries)
  - PID 3464 wrote to memory of 3336: NEVIRUS.exe -> netsh.exe (3 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\94da1350b6e8e3e7fbab0df965d5d29c24e7029746d5908c1d0778b5d65ef1e8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\94da1350b6e8e3e7fbab0df965d5d29c24e7029746d5908c1d0778b5d65ef1e8.exe"
   - Checks computer location settings
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory

   2. C:\Program Files (x86)\NEVIRUS.exe
      Command line: "C:\Program Files (x86)\NEVIRUS.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Program Files (x86)\NEVIRUS.exe" "NEVIRUS.exe" ENABLE
Downloads

- C:\Program Files (x86)\NEVIRUS.exe
  Filesize: 31KB
  MD5: 144efeb05ca1f60c53f5947726c2572c
  SHA1: d4e5df9e1bf4f7530440c1bfc4d1e6e56ebd4602
  SHA256: 6ed69977621fd1a4d7a9cc13a5f4ef0bb6ea88b7d48ea0a7152b20f886cedb8e
  SHA512: feaaa6998c784186c6f08c84923a22e9ee56424bd7edeb24551a293a5c11a9e2f86b95c2030f21bcf325335181ee77efca66565ae5ef193832e6190bcd7b9b59
- memory/3336-134-0x0000000000000000-mapping.dmp

- memory/3464-130-0x0000000000000000-mapping.dmp

- memory/3464-133-0x0000000074E40000-0x00000000753F1000-memory.dmp
  Filesize: 5.7MB