Analysis
-
Max time kernel: 188s
Max time network: 193s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 20-05-2022 06:08
Behavioral task: behavioral1
Sample: 201572ea222e3606c98da1c10781b570e75cdd1256c75eb5c0776490fe76694e.exe
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: 201572ea222e3606c98da1c10781b570e75cdd1256c75eb5c0776490fe76694e.exe
Resource: win10v2004-20220414-en
General
-
Target: 201572ea222e3606c98da1c10781b570e75cdd1256c75eb5c0776490fe76694e.exe
Size: 23KB
MD5: be031938826435311f1932068d552001
SHA1: b6b74fbf870c13bb08d151c8aebcca8ac9c4a048
SHA256: 201572ea222e3606c98da1c10781b570e75cdd1256c75eb5c0776490fe76694e
SHA512: bb39cfef7b1cdf77f3a49aac41f46464269f7e959d2cba227519a1d23217960a3f9249ee48581ad40deed1c0597eb3e59aff5dbcd55cb33de0b1b00c6a25903a
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet (campaign ID): HacKed (njRAT's default campaign name)
C2: must123123.ddns.net:5571 (dynamic DNS host, TCP port 5571)
Mutex: 2fd4177f9bfdf03e6833100ad58e5a3b (njRAT reuses this ID as the name of its Run value, see reg_key below)
Attributes
-
reg_key: 2fd4177f9bfdf03e6833100ad58e5a3b
-
splitter: |'|'| (field separator used in njRAT's C2 messages)
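The splitter and version above identify the wire format njRAT uses for its C2 traffic: plain-text fields joined by the splitter, with the command name first. The following Python is an added example, not code from this report or from the malware, for cutting a captured client stream into messages and pulling out check-ins tagged with the extracted campaign ID. It assumes the length-prefixed framing (ASCII decimal length, a NUL byte, then the payload) described in public njRAT 0.7d analyses; the sample stream, the field order inside the check-in and all helper names are constructed for illustration.

```python
from typing import Dict, List, Tuple

SPLITTER = "|'|'|"      # njRAT field separator, as extracted above
CAMPAIGN = "HacKed"     # botnet/campaign id, as extracted above


def encode_message(command: str, *args: str, splitter: str = SPLITTER) -> bytes:
    """Build one frame: ASCII decimal byte-length, NUL, then the payload.
    The framing is an assumption taken from public njRAT write-ups; it is
    used here only to construct test traffic."""
    payload = splitter.join((command, *args)).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def decode_stream(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Cut a raw TCP stream into complete payloads.
    Returns (payloads, leftover); leftover is a trailing partial frame that
    the caller prepends to the next chunk read from the socket or pcap."""
    payloads: List[bytes] = []
    pos = 0
    while pos < len(buf):
        nul = buf.find(b"\x00", pos)
        if nul == -1:
            break                                   # length prefix incomplete
        prefix = buf[pos:nul]
        if not prefix.isdigit() or len(prefix) > 9:
            raise ValueError(f"not njRAT framing at offset {pos}: {prefix!r}")
        start, end = nul + 1, nul + 1 + int(prefix)
        if end > len(buf):
            break                                   # payload incomplete
        payloads.append(buf[start:end])
        pos = end
    return payloads, buf[pos:]


def parse_message(payload: bytes, splitter: str = SPLITTER) -> Dict[str, object]:
    """Split a payload on the configured splitter: first field is the command
    ('ll' is the client's check-in), the remaining fields are its arguments."""
    fields = payload.decode("utf-8", errors="replace").split(splitter)
    return {"command": fields[0], "args": fields[1:]}


def extract_checkins(buf: bytes) -> List[Dict[str, object]]:
    """Parsed 'll' messages whose campaign field matches the extracted config.
    Field positions are an assumption for this example: args[0] victim id,
    args[1] campaign, args[2] hostname, args[3] user, args[4] version."""
    payloads, _ = decode_stream(buf)
    return [m for m in map(parse_message, payloads)
            if m["command"] == "ll" and len(m["args"]) > 1 and m["args"][1] == CAMPAIGN]


# Constructed sample stream (not captured traffic): two complete frames and a
# cut-off third one, as a pcap follow-stream might deliver them. The victim id
# is a made-up base64 value.
SAMPLE_STREAM = (
    encode_message("ll", "REVTS1RPUC1BQjEyMzQ=", CAMPAIGN, "DESKTOP-AB1234", "Admin", "0.7d")
    + encode_message("inf")
    + b"12\x00partia"
)

if __name__ == "__main__":
    payloads, leftover = decode_stream(SAMPLE_STREAM)
    for p in payloads:
        print(parse_message(p))
    print("leftover bytes:", leftover)
```

Feeding the leftover back in with the next chunk is what makes this usable on a live socket or a reassembled pcap stream rather than on one neatly bounded message.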
Signatures
-
Executes dropped EXE (1 IoC)
Process: PID 3988 system.exe
-
Modifies Windows Firewall (1 TTP)
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, most likely a geofence check before the payload runs.
Key value queried by 201572ea222e3606c98da1c10781b570e75cdd1256c75eb5c0776490fe76694e.exe:
\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Set value (str) by system.exe:
\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2fd4177f9bfdf03e6833100ad58e5a3b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\system.exe\" .."
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\2fd4177f9bfdf03e6833100ad58e5a3b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\system.exe\" .."
The value name is the njRAT mutex/ID from the extracted config, and the trailing " .." argument is characteristic of njRAT's persistence entry. The HKLM write lands under WOW6432Node because system.exe is a 32-bit process on a 64-bit guest.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drives. The sandbox's generic description reads this as likely ransomware behaviour; for an njRAT sample it is more consistent with the family's removable-drive spreading routine.
-
Suspicious use of AdjustPrivilegeToken (31 IoCs)
Process: PID 3988 system.exe
Token: SeDebugPrivilege (1 entry), followed by 30 alternating entries of Token: 33 and Token: SeIncBasePriorityPrivilege (33 is the privilege LUID the sandbox could not name; on Windows it is SeIncreaseWorkingSetPrivilege)
-
Suspicious use of WriteProcessMemory (6 IoCs)
PID 4816 (201572ea222e3606c98da1c10781b570e75cdd1256c75eb5c0776490fe76694e.exe) wrote to memory of PID 3988 (system.exe): 3 entries
PID 3988 (system.exe) wrote to memory of PID 4920 (netsh.exe): 3 entries
Both pairs are parent-to-child writes made while the child was being created, which is the normal process-creation pattern; on its own this signature is not evidence of injection.
Processes
-
C:\Users\Admin\AppData\Local\Temp\201572ea222e3606c98da1c10781b570e75cdd1256c75eb5c0776490fe76694e.exe (PID 4816)
Command line: "C:\Users\Admin\AppData\Local\Temp\201572ea222e3606c98da1c10781b570e75cdd1256c75eb5c0776490fe76694e.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\system.exe (PID 3988, child of 4816)
  Command line: "C:\Users\Admin\AppData\Local\Temp\system.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\netsh.exe (PID 4920, child of 3988)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\system.exe" "system.exe" ENABLE
    The legacy netsh firewall context is deprecated on Windows 10 but still applies, adding a firewall exception for the dropped binary; the SysWOW64 path confirms the whole chain runs 32-bit.
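The signatures above and the process tree describe one persistence chain: the dropped copy in %TEMP% writes Run values whose data ends in the njRAT-typical " ..", spawns netsh to open the firewall for itself, and resolves a dynamic-DNS C2. The Python below is an added example, not part of the sandbox report, that turns that chain into detection logic over Sysmon-style records (event IDs 13, 1 and 22) and correlates the hits per process. The event records are constructed to mirror the report's PIDs and paths, the field names follow Sysmon's, and the rule names and helper functions are this example's own.

```python
import re
from typing import Dict, List, Optional

# Indicators taken from the report above.
C2_HOST = "must123123.ddns.net"
RUN_VALUE_NAME = "2fd4177f9bfdf03e6833100ad58e5a3b"

# Directories an unprivileged user can write to: a Run entry or a firewall
# exception pointing here deserves a look, one under Program Files usually not.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|Users\\Public|ProgramData)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\([^\\]+)$", re.I)
NETSH_ALLOW = re.compile(
    r"netsh\s+(firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)", re.I)
PROGRAM_ARG = re.compile(r'(?:allowedprogram|program=)\s*(?:"([^"]+)"|(\S+))', re.I)
DYNDNS = re.compile(r"\.(ddns\.net|no-ip\.(com|org|biz)|duckdns\.org)$", re.I)


def check_run_key(ev: Dict) -> Optional[Dict]:
    """Sysmon EID 13: Run value whose command points into a user-writable
    directory. njRAT additionally appends ' ..' to the command it registers."""
    if ev.get("EventID") != 13:
        return None
    m = RUN_KEY.search(ev.get("TargetObject", ""))
    data = ev.get("Details", "")
    if not m or not USER_WRITABLE.search(data):
        return None
    return {"rule": "run_key_user_writable_path", "actor": ev["ProcessId"],
            "value": m.group(2), "njrat_trailing_dots": data.rstrip().endswith(" .."),
            "detail": data}


def check_netsh(ev: Dict) -> Optional[Dict]:
    """Sysmon EID 1: netsh adding a firewall exception for a program in a
    user-writable directory. Attributed to the parent, which asked for it."""
    if ev.get("EventID") != 1 or not ev.get("Image", "").lower().endswith("\\netsh.exe"):
        return None
    cmd = ev.get("CommandLine", "")
    m = PROGRAM_ARG.search(cmd)
    program = (m.group(1) or m.group(2)) if m else ""
    if not NETSH_ALLOW.search(cmd) or not USER_WRITABLE.search(program):
        return None
    return {"rule": "netsh_allow_user_writable_program", "actor": ev.get("ParentProcessId"),
            "program": program, "detail": cmd}


def check_dns(ev: Dict) -> Optional[Dict]:
    """Sysmon EID 22: the configured C2 host, or any dynamic-DNS name, which is
    how njRAT operators typically expose a home connection."""
    if ev.get("EventID") != 22:
        return None
    name = ev.get("QueryName", "")
    if name.lower() != C2_HOST and not DYNDNS.search(name):
        return None
    return {"rule": "dns_dyndns_or_c2", "actor": ev["ProcessId"],
            "exact_c2_match": name.lower() == C2_HOST, "detail": name}


def evaluate(events: List[Dict]) -> List[Dict]:
    """Run every rule over every event; alerts come back in event order."""
    return [hit for ev in events
            for hit in (check_run_key(ev), check_netsh(ev), check_dns(ev)) if hit]


def correlate(alerts: List[Dict]) -> Dict[int, List[str]]:
    """Actors that tripped two or more distinct rules. Persistence plus a
    firewall exception plus C2 resolution from one PID is the whole install."""
    by_actor: Dict[int, set] = {}
    for a in alerts:
        by_actor.setdefault(a["actor"], set()).add(a["rule"])
    return {pid: sorted(r) for pid, r in by_actor.items() if len(r) >= 2}


# Constructed Sysmon-style records mirroring the report's PIDs and paths;
# the last three are benign noise the rules must not fire on.
SID = "S-1-5-21-2632097139-1792035885-811742494-1000"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\system.exe"
RUN_HKU = r"HKU\%s\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\%s" % (SID, RUN_VALUE_NAME)
RUN_HKLM = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\%s" % RUN_VALUE_NAME
ONEDRIVE = r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
SAMPLE_EVENTS = [
    {"EventID": 13, "ProcessId": 3988, "Image": DROPPED, "TargetObject": RUN_HKU,
     "Details": '"%s" ..' % DROPPED},
    {"EventID": 13, "ProcessId": 3988, "Image": DROPPED, "TargetObject": RUN_HKLM,
     "Details": '"%s" ..' % DROPPED},
    {"EventID": 1, "ProcessId": 4920, "ParentProcessId": 3988,
     "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "CommandLine": 'netsh firewall add allowedprogram "%s" "system.exe" ENABLE' % DROPPED},
    {"EventID": 22, "ProcessId": 3988, "Image": DROPPED, "QueryName": C2_HOST},
    {"EventID": 13, "ProcessId": 1501, "Image": ONEDRIVE,
     "TargetObject": r"HKU\%s\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive" % SID,
     "Details": '"%s" /background' % ONEDRIVE},
    {"EventID": 1, "ProcessId": 1602, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\netsh.exe", "CommandLine": "netsh interface show interface"},
    {"EventID": 22, "ProcessId": 1703, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "www.mozilla.org"},
]

if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for a in found:
        print(a["rule"], a["actor"], a["detail"])
    print("correlated:", correlate(found))
```

The netsh alert is attributed to the parent PID on purpose: netsh itself is signed and legitimate, and the process that matters for response is the one that asked for the exception, which is also the one holding the Run key and resolving the C2.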
Downloads
-
C:\Users\Admin\AppData\Local\Temp\system.exe
Filesize: 23KB
MD5: be031938826435311f1932068d552001
SHA1: b6b74fbf870c13bb08d151c8aebcca8ac9c4a048
SHA256: 201572ea222e3606c98da1c10781b570e75cdd1256c75eb5c0776490fe76694e
SHA512: bb39cfef7b1cdf77f3a49aac41f46464269f7e959d2cba227519a1d23217960a3f9249ee48581ad40deed1c0597eb3e59aff5dbcd55cb33de0b1b00c6a25903a
The hashes match the submitted sample: the dropper copies itself unchanged to %TEMP%\system.exe.
-
memory/3988-131-0x0000000000000000-mapping.dmp
-
memory/3988-134-0x0000000075520000-0x0000000075AD1000-memory.dmp (Filesize: 5.7MB)
-
memory/4816-130-0x0000000075520000-0x0000000075AD1000-memory.dmp (Filesize: 5.7MB)
-
memory/4920-135-0x0000000000000000-mapping.dmp