Analysis
- max time kernel: 165s
- max time network: 178s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 04:12
Behavioral task: behavioral1
- Sample: fa21401f20cba55b974d46788986e56e2e385da3cdd9260872567036a70ce168.exe
- Resource: win7-20220414-en
General
- Target: fa21401f20cba55b974d46788986e56e2e385da3cdd9260872567036a70ce168.exe
- Size: 31KB
- MD5: f2599c8241785a47e4a5e54628e15ee2
- SHA1: 6126a67caf537bc201f5e8d56ca83d1d6f094e9a
- SHA256: fa21401f20cba55b974d46788986e56e2e385da3cdd9260872567036a70ce168
- SHA512: e9b84b27669d85de7e9410a02f726024efd24cdad1c8d5840c03f433a97c70b20d1bf4bb3888caea3e82461214f5fb756a7ba9fdb634658b795d11494c872e1a
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: install
- C2: 2.132.107.223:6522
- Mutex: bd5be1175c6ff120fdbcfd0476b2cd35
- Attributes:
  - reg_key: bd5be1175c6ff120fdbcfd0476b2cd35
  - splitter: Y262SUCZ4UJJ
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    install.exe (PID 3148)
- Modifies Windows Firewall (1 TTP)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes:
    fa21401f20cba55b974d46788986e56e2e385da3cdd9260872567036a70ce168.exe: Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
- Drops startup file (2 IoCs)
  Processes:
    install.exe: File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd5be1175c6ff120fdbcfd0476b2cd35.exe
    install.exe: File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd5be1175c6ff120fdbcfd0476b2cd35.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Processes:
    install.exe (PID 3148): Token: SeDebugPrivilege
    install.exe (PID 3148): Token: 33, then Token: SeIncBasePriorityPrivilege, alternating, 15 times each
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    PID 452 (fa21401f20cba55b974d46788986e56e2e385da3cdd9260872567036a70ce168.exe) wrote to memory of PID 3148 (install.exe), 3 times
    PID 3148 (install.exe) wrote to memory of PID 1424 (netsh.exe), 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\fa21401f20cba55b974d46788986e56e2e385da3cdd9260872567036a70ce168.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fa21401f20cba55b974d46788986e56e2e385da3cdd9260872567036a70ce168.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\install.exe
    Command line: "C:\Users\Admin\AppData\Roaming\install.exe"
    - Executes dropped EXE
    - Drops startup file
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\install.exe" "install.exe" ENABLE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\install.exe
  Filesize: 31KB
  MD5: f2599c8241785a47e4a5e54628e15ee2
  SHA1: 6126a67caf537bc201f5e8d56ca83d1d6f094e9a
  SHA256: fa21401f20cba55b974d46788986e56e2e385da3cdd9260872567036a70ce168
  SHA512: e9b84b27669d85de7e9410a02f726024efd24cdad1c8d5840c03f433a97c70b20d1bf4bb3888caea3e82461214f5fb756a7ba9fdb634658b795d11494c872e1a
- memory/452-130-0x0000000074ED0000-0x0000000075481000-memory.dmp
  Filesize: 5.7MB
- memory/1424-135-0x0000000000000000-mapping.dmp
- memory/3148-131-0x0000000000000000-mapping.dmp
- memory/3148-134-0x0000000074ED0000-0x0000000075481000-memory.dmp
  Filesize: 5.7MB