Analysis
- max time kernel: 113s
- max time network: 130s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 12:56
Behavioral task: behavioral1
- Sample: bde52e15a948a302b45b683d85bdaa0ec82688decf8f9d00847b616a75fa5cd6.exe
- Resource: win7-20220414-en
General
- Target: bde52e15a948a302b45b683d85bdaa0ec82688decf8f9d00847b616a75fa5cd6.exe
- Size: 29KB
- MD5: 0b87ba9858876702d052c84f27a2675e
- SHA1: a7ce50effb4f59effc0d08d643170bae2456f954
- SHA256: bde52e15a948a302b45b683d85bdaa0ec82688decf8f9d00847b616a75fa5cd6
- SHA512: 55bd5778a0d38f1085ba0ac49b7a3d608876974fd949ed5c452b0ce144a06c65f8fe066743369cf5ff174231bda036ce77cea175e6aee34b7420f13f09f58b36
Malware Config
Extracted
- Family: njrat
- Version: 0.6.4
- Botnet: HacKed
- C2: dadijinn.ddns.net:1177
- Mutex: d5a38e9b5f206c41f8851bf04a251d26
- reg_key: d5a38e9b5f206c41f8851bf04a251d26
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: chrome.exe (pid 3456)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: bde52e15a948a302b45b683d85bdaa0ec82688decf8f9d00847b616a75fa5cd6.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation (process: bde52e15a948a302b45b683d85bdaa0ec82688decf8f9d00847b616a75fa5cd6.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: bde52e15a948a302b45b683d85bdaa0ec82688decf8f9d00847b616a75fa5cd6.exe
  PID 4472 (bde52e15a948a302b45b683d85bdaa0ec82688decf8f9d00847b616a75fa5cd6.exe) wrote to memory of PID 3456 (chrome.exe), recorded 3 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\bde52e15a948a302b45b683d85bdaa0ec82688decf8f9d00847b616a75fa5cd6.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bde52e15a948a302b45b683d85bdaa0ec82688decf8f9d00847b616a75fa5cd6.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\chrome.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\chrome.exe
  Filesize: 29KB
  MD5: 0b87ba9858876702d052c84f27a2675e
  SHA1: a7ce50effb4f59effc0d08d643170bae2456f954
  SHA256: bde52e15a948a302b45b683d85bdaa0ec82688decf8f9d00847b616a75fa5cd6
  SHA512: 55bd5778a0d38f1085ba0ac49b7a3d608876974fd949ed5c452b0ce144a06c65f8fe066743369cf5ff174231bda036ce77cea175e6aee34b7420f13f09f58b36
- memory/3456-131-0x0000000000000000-mapping.dmp
- memory/3456-134-0x0000000075520000-0x0000000075AD1000-memory.dmp
  Filesize: 5.7MB
- memory/4472-130-0x0000000075520000-0x0000000075AD1000-memory.dmp
  Filesize: 5.7MB