Analysis
- max time kernel: 159s
- max time network: 174s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 06:19
Behavioral task: behavioral1
- Sample: c6084f38c5469e7c5395cd15ebe7ce32c63be1c37a3df55266f44c07029c42de.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: c6084f38c5469e7c5395cd15ebe7ce32c63be1c37a3df55266f44c07029c42de.exe
- Resource: win10v2004-20220414-en
General
- Target: c6084f38c5469e7c5395cd15ebe7ce32c63be1c37a3df55266f44c07029c42de.exe
- Size: 23KB
- MD5: e3d0d1c17ebe317669282b73a51235b0
- SHA1: e63afae6b1df2ffe1fac49ac1fffe14c52e10dec
- SHA256: c6084f38c5469e7c5395cd15ebe7ce32c63be1c37a3df55266f44c07029c42de
- SHA512: 4bdde959b4d82348e4bb610f0e919bba20064fc7348a00c719387f0649596a1615a55ae5037cb0e586b5f9ce1f93454acdcc17554b1ef261aba6a7cacd2a8237
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: kryptokrypto123.ddns.net:5552
- Mutex: c6dfbab76abb2fb1938d3e35b1bb6f3a
- reg_key: c6dfbab76abb2fb1938d3e35b1bb6f3a
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  - 3108 Spoofer.exe
- Modifies Windows Firewall (1 TTP)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (c6084f38c5469e7c5395cd15ebe7ce32c63be1c37a3df55266f44c07029c42de.exe)
- Drops startup file (2 IoCs)
  Processes (description / ioc / process):
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c6dfbab76abb2fb1938d3e35b1bb6f3a.exe (Spoofer.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c6dfbab76abb2fb1938d3e35b1bb6f3a.exe (Spoofer.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c6dfbab76abb2fb1938d3e35b1bb6f3a = "\"C:\\Users\\Admin\\Spoofer.exe\" .." (Spoofer.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\c6dfbab76abb2fb1938d3e35b1bb6f3a = "\"C:\\Users\\Admin\\Spoofer.exe\" .." (Spoofer.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege, 3108 Spoofer.exe
  - Token: 33, 3108 Spoofer.exe (repeated 15 times)
  - Token: SeIncBasePriorityPrivilege, 3108 Spoofer.exe (repeated 15 times)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid / process / target process):
  - PID 3912 wrote to memory of 3108: c6084f38c5469e7c5395cd15ebe7ce32c63be1c37a3df55266f44c07029c42de.exe -> Spoofer.exe (3 events)
  - PID 3108 wrote to memory of 2876: Spoofer.exe -> netsh.exe (3 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\c6084f38c5469e7c5395cd15ebe7ce32c63be1c37a3df55266f44c07029c42de.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c6084f38c5469e7c5395cd15ebe7ce32c63be1c37a3df55266f44c07029c42de.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\Spoofer.exe
    Command line: "C:\Users\Admin\Spoofer.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\Spoofer.exe" "Spoofer.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Spoofer.exe
  - Filesize: 23KB
  - MD5: e3d0d1c17ebe317669282b73a51235b0
  - SHA1: e63afae6b1df2ffe1fac49ac1fffe14c52e10dec
  - SHA256: c6084f38c5469e7c5395cd15ebe7ce32c63be1c37a3df55266f44c07029c42de
  - SHA512: 4bdde959b4d82348e4bb610f0e919bba20064fc7348a00c719387f0649596a1615a55ae5037cb0e586b5f9ce1f93454acdcc17554b1ef261aba6a7cacd2a8237
- memory/2876-135-0x0000000000000000-mapping.dmp
- memory/3108-131-0x0000000000000000-mapping.dmp
- memory/3108-134-0x00000000748F0000-0x0000000074EA1000-memory.dmp
  - Filesize: 5.7MB
- memory/3912-130-0x00000000748F0000-0x0000000074EA1000-memory.dmp
  - Filesize: 5.7MB