Analysis

max time kernel: 172s
max time network: 181s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 20-05-2022 04:40
Static task: static1

Behavioral task: behavioral1
  Sample: 14b4b5ec8401fca8783dacd24b368c25e3723de1bebad2f2589883f239e09176.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: 14b4b5ec8401fca8783dacd24b368c25e3723de1bebad2f2589883f239e09176.exe
  Resource: win10v2004-20220414-en
General

Target: 14b4b5ec8401fca8783dacd24b368c25e3723de1bebad2f2589883f239e09176.exe
Size: 315KB
MD5: e1ea40d6ef078ec64d2b20058637c247
SHA1: 4647b7b0bd5ff4ce0ca902833ef34cf23a0ae163
SHA256: 14b4b5ec8401fca8783dacd24b368c25e3723de1bebad2f2589883f239e09176
SHA512: b3ad8e5366dc2be103c5737e68774022138ee3de3603c2a0071e385c8abda82a0fd44a975d3f9544e1f449750bb6d1b9af40cfdaf42285f4d05a7ea2642bcff9
Malware Config

Extracted
Family: njrat
Version: Njrat 0.7 Golden By Hassan Amiri
Botnet: HacKed
C2: gazik500.ddns.net:4444
Mutex: Windows Update
reg_key: Windows Update
splitter: |Hassan|
Signatures

Executes dropped EXE (2 IoCs)
  pid 3964, process Itsg.exe
  pid 4080, process DADADA.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (process: 14b4b5ec8401fca8783dacd24b368c25e3723de1bebad2f2589883f239e09176.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (process: Itsg.exe)

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe (process: DADADA.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe (process: DADADA.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\DADADA.exe\" .." (process: DADADA.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\DADADA.exe\" .." (process: DADADA.exe)

Drops file in Program Files directory (5 IoCs)
All five by process 14b4b5ec8401fca8783dacd24b368c25e3723de1bebad2f2589883f239e09176.exe:
  File created: C:\Program Files (x86)\__tmp_rar_sfx_access_check_240592140
  File created: C:\Program Files (x86)\Itsg.exe
  File opened for modification: C:\Program Files (x86)\Itsg.exe
  File created: C:\Program Files (x86)\hack.png
  File opened for modification: C:\Program Files (x86)\hack.png

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid 3964, process Itsg.exe
  pid 4080, process DADADA.exe

Suspicious use of AdjustPrivilegeToken (27 IoCs)
All entries are pid 4080, process DADADA.exe:
  Token: SeDebugPrivilege
  Token: 33 and Token: SeIncBasePriorityPrivilege, alternating, for the remaining 26 entries

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2856 (14b4b5ec8401fca8783dacd24b368c25e3723de1bebad2f2589883f239e09176.exe) wrote to memory of PID 3964 (Itsg.exe), 3 entries
  PID 3964 (Itsg.exe) wrote to memory of PID 4080 (DADADA.exe), 3 entries
Processes

1. C:\Users\Admin\AppData\Local\Temp\14b4b5ec8401fca8783dacd24b368c25e3723de1bebad2f2589883f239e09176.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\14b4b5ec8401fca8783dacd24b368c25e3723de1bebad2f2589883f239e09176.exe"
   - Checks computer location settings
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory

   2. C:\Program Files (x86)\Itsg.exe (child of 1)
      Command line: "C:\Program Files (x86)\Itsg.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\DADADA.exe (child of 2)
         Command line: "C:\Users\Admin\AppData\Local\Temp\DADADA.exe"
         - Executes dropped EXE
         - Drops startup file
         - Adds Run key to start application
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Program Files (x86)\Itsg.exe
  Filesize: 43KB
  MD5: 9f9d8782584d608e8bca3a722334f1fb
  SHA1: 81599471b01102a3ca4f9a111cac18d1584d3ea5
  SHA256: 0fd50919876362e298f31955ccc9cd7875c944dcb99aa1ff5a45f9b6b848f0c1
  SHA512: 94418cb4f98648e41566319ff31ce700775648a05d5660fe6529e4450ed4c4ea92a6574494d8cebc918241e59b69065da51d3908f37d7eb54cb3fc4f651ccffa
C:\Users\Admin\AppData\Local\Temp\DADADA.exe
  Filesize: 43KB
  MD5: 9f9d8782584d608e8bca3a722334f1fb
  SHA1: 81599471b01102a3ca4f9a111cac18d1584d3ea5
  SHA256: 0fd50919876362e298f31955ccc9cd7875c944dcb99aa1ff5a45f9b6b848f0c1
  SHA512: 94418cb4f98648e41566319ff31ce700775648a05d5660fe6529e4450ed4c4ea92a6574494d8cebc918241e59b69065da51d3908f37d7eb54cb3fc4f651ccffa
-
memory/3964-130-0x0000000000000000-mapping.dmp
memory/3964-133-0x00000000008A0000-0x00000000008B2000-memory.dmp (Filesize: 72KB)
memory/3964-134-0x0000000005200000-0x000000000529C000-memory.dmp (Filesize: 624KB)
memory/3964-135-0x0000000005B90000-0x0000000006134000-memory.dmp (Filesize: 5.6MB)
memory/3964-136-0x0000000005680000-0x0000000005712000-memory.dmp (Filesize: 584KB)
memory/4080-137-0x0000000000000000-mapping.dmp
memory/4080-140-0x0000000005770000-0x000000000577A000-memory.dmp (Filesize: 40KB)