Analysis
-
max time kernel
151s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
20-05-2022 04:40
Behavioral task
behavioral1
Sample
7075a0ad7d167b990717f95a36a1292243e649aa628d25381a3aef47a72dafd7.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
7075a0ad7d167b990717f95a36a1292243e649aa628d25381a3aef47a72dafd7.exe
Resource
win10v2004-20220414-en
General
-
Target
7075a0ad7d167b990717f95a36a1292243e649aa628d25381a3aef47a72dafd7.exe
-
Size
23KB
-
MD5
77cffe535a99ba32ba939db431d5fa10
-
SHA1
db59fefb9de005accdf660728e47d3577cf43a90
-
SHA256
7075a0ad7d167b990717f95a36a1292243e649aa628d25381a3aef47a72dafd7
-
SHA512
fa31d8f28fbb574c954507d661fa56846d5aaa258e759098d368705d044acb9e7e1c8f4f51dc90c44dc37c1e9e46c296e5ef714b9c233b443a05a7bad4e015c4
Malware Config
Extracted
njrat
0.7d
HacKed
127.0.0.1:8808
da73141765181666c75fcf6c94008eee
-
reg_key
da73141765181666c75fcf6c94008eee
-
splitter
|'|'|
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
server.exepid process 2284 server.exe -
Modifies Windows Firewall 1 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
7075a0ad7d167b990717f95a36a1292243e649aa628d25381a3aef47a72dafd7.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation 7075a0ad7d167b990717f95a36a1292243e649aa628d25381a3aef47a72dafd7.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
server.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\da73141765181666c75fcf6c94008eee = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\da73141765181666c75fcf6c94008eee = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 33 IoCs
Processes:
server.exedescription pid process Token: SeDebugPrivilege 2284 server.exe Token: 33 2284 server.exe Token: SeIncBasePriorityPrivilege 2284 server.exe Token: 33 2284 server.exe Token: SeIncBasePriorityPrivilege 2284 server.exe Token: 33 2284 server.exe Token: SeIncBasePriorityPrivilege 2284 server.exe Token: 33 2284 server.exe Token: SeIncBasePriorityPrivilege 2284 server.exe Token: 33 2284 server.exe Token: SeIncBasePriorityPrivilege 2284 server.exe Token: 33 2284 server.exe Token: SeIncBasePriorityPrivilege 2284 server.exe Token: 33 2284 server.exe Token: SeIncBasePriorityPrivilege 2284 server.exe Token: 33 2284 server.exe Token: SeIncBasePriorityPrivilege 2284 server.exe Token: 33 2284 server.exe Token: SeIncBasePriorityPrivilege 2284 server.exe Token: 33 2284 server.exe Token: SeIncBasePriorityPrivilege 2284 server.exe Token: 33 2284 server.exe Token: SeIncBasePriorityPrivilege 2284 server.exe Token: 33 2284 server.exe Token: SeIncBasePriorityPrivilege 2284 server.exe Token: 33 2284 server.exe Token: SeIncBasePriorityPrivilege 2284 server.exe Token: 33 2284 server.exe Token: SeIncBasePriorityPrivilege 2284 server.exe Token: 33 2284 server.exe Token: SeIncBasePriorityPrivilege 2284 server.exe Token: 33 2284 server.exe Token: SeIncBasePriorityPrivilege 2284 server.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
7075a0ad7d167b990717f95a36a1292243e649aa628d25381a3aef47a72dafd7.exeserver.exedescription pid process target process PID 64 wrote to memory of 2284 64 7075a0ad7d167b990717f95a36a1292243e649aa628d25381a3aef47a72dafd7.exe server.exe PID 64 wrote to memory of 2284 64 7075a0ad7d167b990717f95a36a1292243e649aa628d25381a3aef47a72dafd7.exe server.exe PID 64 wrote to memory of 2284 64 7075a0ad7d167b990717f95a36a1292243e649aa628d25381a3aef47a72dafd7.exe server.exe PID 2284 wrote to memory of 1360 2284 server.exe netsh.exe PID 2284 wrote to memory of 1360 2284 server.exe netsh.exe PID 2284 wrote to memory of 1360 2284 server.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7075a0ad7d167b990717f95a36a1292243e649aa628d25381a3aef47a72dafd7.exe"C:\Users\Admin\AppData\Local\Temp\7075a0ad7d167b990717f95a36a1292243e649aa628d25381a3aef47a72dafd7.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s camsvc1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\server.exeFilesize
23KB
MD577cffe535a99ba32ba939db431d5fa10
SHA1db59fefb9de005accdf660728e47d3577cf43a90
SHA2567075a0ad7d167b990717f95a36a1292243e649aa628d25381a3aef47a72dafd7
SHA512fa31d8f28fbb574c954507d661fa56846d5aaa258e759098d368705d044acb9e7e1c8f4f51dc90c44dc37c1e9e46c296e5ef714b9c233b443a05a7bad4e015c4
-
C:\Users\Admin\AppData\Local\Temp\server.exeFilesize
23KB
MD577cffe535a99ba32ba939db431d5fa10
SHA1db59fefb9de005accdf660728e47d3577cf43a90
SHA2567075a0ad7d167b990717f95a36a1292243e649aa628d25381a3aef47a72dafd7
SHA512fa31d8f28fbb574c954507d661fa56846d5aaa258e759098d368705d044acb9e7e1c8f4f51dc90c44dc37c1e9e46c296e5ef714b9c233b443a05a7bad4e015c4
-
memory/64-130-0x0000000074F30000-0x00000000754E1000-memory.dmpFilesize
5.7MB
-
memory/1360-135-0x0000000000000000-mapping.dmp
-
memory/2284-131-0x0000000000000000-mapping.dmp
-
memory/2284-134-0x0000000074F30000-0x00000000754E1000-memory.dmpFilesize
5.7MB