Analysis
-
max time kernel: 156s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 20-05-2022 12:37
Static task: static1
Behavioral task: behavioral1
  Sample: 3bb145b5108de842674b84ed2a006e8cbff59323b70a928da2ded92288bf05ed.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 3bb145b5108de842674b84ed2a006e8cbff59323b70a928da2ded92288bf05ed.exe
  Resource: win10v2004-20220414-en
General
-
Target: 3bb145b5108de842674b84ed2a006e8cbff59323b70a928da2ded92288bf05ed.exe
Size: 1.1MB
MD5: bed8273f6aa0838212bfd15422318320
SHA1: ba3abe75066d40dd95ebe7b6a601fe005b4d2dfd
SHA256: 3bb145b5108de842674b84ed2a006e8cbff59323b70a928da2ded92288bf05ed
SHA512: 6aa2021b5c559c856e53925f710646db430ca35f1bbe81f334e8275a3f9e9dded58bfb3c5839f9c7d453a2a8e69cdee67b43d3e4c9727c0a813f7ac2b14d2039
Malware Config
Extracted: njrat
Version: Njrat 0.7 Golden By Hassan Amiri
Botnet / campaign id: HacKed (the njRAT builder's default campaign name, i.e. the operator never changed it)
C2: 31.10.120.162:5555
Install name / mutex: Windows Update (the same string is used as the Run key name, see reg_key)
-
reg_key: Windows Update
-
splitter: |Hassan| (field separator in C2 messages; the stock builder uses a different default, so this value is a usable fingerprint for this build)
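The splitter and campaign id above are exactly what a decoder for this sample's C2 traffic keys on. The following is an added example, not code from the report or from the njRAT family: it reassembles njRAT-style messages from a TCP stream and splits them into fields. The framing (ASCII decimal length, one NUL byte, then the payload) is the one used by the public njRAT 0.7d client source; the splitter and campaign id are the extracted values; the layout of the "ll" registration fields (victim id first, built as campaign id plus underscore plus hardware id) and the sample stream are assumptions constructed here.

```python
"""Framing and field decoder for njRAT-style C2 messages (added example)."""
from dataclasses import dataclass, field

SPLITTER = "|Hassan|"   # extracted config: splitter
CAMPAIGN = "HacKed"     # extracted config: botnet / campaign id


@dataclass
class NjMessage:
    command: str                                  # first field, e.g. "ll" (register) or "P" (ping)
    fields: list[str] = field(default_factory=list)


def encode(payload: str, encoding: str = "latin-1") -> bytes:
    """Frame one message the way the client does: '<decimal length>\\x00<payload>'."""
    raw = payload.encode(encoding)
    return str(len(raw)).encode("ascii") + b"\x00" + raw


def parse_stream(data: bytes, splitter: str = SPLITTER) -> tuple[list[NjMessage], bytes]:
    """Split a reassembled TCP stream into complete messages.

    Returns the decoded messages plus any trailing partial message, so a caller
    that feeds packets incrementally can keep the remainder as its buffer.
    Raises ValueError when the length prefix is not numeric (not this protocol).
    """
    messages: list[NjMessage] = []
    pos = 0
    while pos < len(data):
        nul = data.find(b"\x00", pos)
        if nul == -1:
            break                                  # length prefix not complete yet
        prefix = data[pos:nul]
        if not prefix.isdigit():
            raise ValueError(f"non-numeric length prefix at offset {pos}: {prefix!r}")
        length = int(prefix)
        start, end = nul + 1, nul + 1 + length
        if end > len(data):
            break                                  # payload not complete yet
        parts = data[start:end].decode("latin-1").split(splitter)
        messages.append(NjMessage(command=parts[0], fields=parts[1:]))
        pos = end
    return messages, data[pos:]


def victim_ids(messages: list[NjMessage], campaign: str = CAMPAIGN) -> list[str]:
    """Collect victim ids from registration ("ll") messages.

    Assumption: the first field of "ll" is '<campaign>_<hardware id>'; anything
    that does not match that shape is ignored.
    """
    ids = []
    for m in messages:
        if m.command == "ll" and m.fields and m.fields[0].startswith(campaign + "_"):
            ids.append(m.fields[0])
    return ids


# Constructed sample stream: one registration, one ping, one truncated message.
SAMPLE_STREAM = (
    encode(SPLITTER.join(["ll", f"{CAMPAIGN}_7C4B2A1F", "Admin", "Win 10", "No", "0.7d"]))
    + encode("P")
    + b"12\x00partia"
)

if __name__ == "__main__":
    msgs, rest = parse_stream(SAMPLE_STREAM)
    for m in msgs:
        print(m.command, m.fields)
    print("victims:", victim_ids(msgs), "buffered:", rest)
```

The decoder deliberately refuses non-numeric length prefixes instead of skipping them: on a port like 5555 that also carries unrelated traffic, a ValueError on the first bytes is the cheapest way to rule a flow out, while a parser that silently resynchronises would happily "decode" HTTP.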
Signatures
-
Detected Stratum cryptominer command
Looks to be attempting to contact a Stratum mining pool: the dropped system.exe is launched with a command line pointing at stratum+tcp://btc.pool.minergate.com:45560 (see the process tree below).
-
Executes dropped EXE 4 IoCs
Processes:
pid 4436  system.exe
pid 1560  nikoVIRA alph 13.10.4.2.exe
pid 1336  Server.exe
pid 1044  Server.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Key value queried: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation (process: 3bb145b5108de842674b84ed2a006e8cbff59323b70a928da2ded92288bf05ed.exe)
Key value queried: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation (process: nikoVIRA alph 13.10.4.2.exe)
-
Drops startup file 2 IoCs
Processes:
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe (process: Server.exe)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe (process: Server.exe)
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (process: 3bb145b5108de842674b84ed2a006e8cbff59323b70a928da2ded92288bf05ed.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LOFIHOJEDKNAPGB = C:\Users\Admin\AppData\Local\Temp\system.exe (process: 3bb145b5108de842674b84ed2a006e8cbff59323b70a928da2ded92288bf05ed.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\Users\Admin\AppData\Roaming\Server.exe" .. (process: Server.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\Users\Admin\AppData\Roaming\Server.exe" .. (process: Server.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic "likely ransomware behaviour" wording to this signature, but nothing else in this report (no mass file modification, no ransom note) supports that reading; treat it as drive enumeration, not as evidence of ransomware.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 2 IoCs
Processes:
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: 3bb145b5108de842674b84ed2a006e8cbff59323b70a928da2ded92288bf05ed.exe)
Key created: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings (process: nikoVIRA alph 13.10.4.2.exe)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid 1336  Server.exe
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
Processes:
Server.exe (pid 1336):
  Token: SeDebugPrivilege (1 entry)
  Token: 33 (8 entries), each followed by Token: SeIncBasePriorityPrivilege (8 entries)
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
PID 3176 (3bb145b5108de842674b84ed2a006e8cbff59323b70a928da2ded92288bf05ed.exe) wrote to memory of PID 4436 (system.exe): 2 entries
PID 3176 (3bb145b5108de842674b84ed2a006e8cbff59323b70a928da2ded92288bf05ed.exe) wrote to memory of PID 1560 (nikoVIRA alph 13.10.4.2.exe): 3 entries
PID 1560 (nikoVIRA alph 13.10.4.2.exe) wrote to memory of PID 4244 (NOTEPAD.EXE): 3 entries
PID 1560 (nikoVIRA alph 13.10.4.2.exe) wrote to memory of PID 1336 (Server.exe): 3 entries
PID 1336 (Server.exe) wrote to memory of PID 4308 (schtasks.exe): 3 entries
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\3bb145b5108de842674b84ed2a006e8cbff59323b70a928da2ded92288bf05ed.exe (pid 3176)
Command line: "C:\Users\Admin\AppData\Local\Temp\3bb145b5108de842674b84ed2a006e8cbff59323b70a928da2ded92288bf05ed.exe"
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
Depth 2: C:\Users\Admin\AppData\Local\Temp\system.exe (pid 4436)
Command line: "C:\Users\Admin\AppData\Local\Temp\system.exe" -a cryptonight -o stratum+tcp://btc.pool.minergate.com:45560 -u egacom2288@gmail.com -t 1
- Executes dropped EXE
-
Depth 2: C:\Users\Admin\AppData\Local\Temp\nikoVIRA alph 13.10.4.2.exe (pid 1560)
Command line: "C:\Users\Admin\AppData\Local\Temp\nikoVIRA alph 13.10.4.2.exe"
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
Depth 3: C:\Windows\SysWOW64\NOTEPAD.EXE (pid 4244)
Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Новый текстовый документ.txt
(The file name is Russian for "New Text Document", the default name Windows gives a new text file in a Russian locale; the 55.5MB file is listed under Downloads and is apparently shown as a decoy while Server.exe starts.)
-
Depth 3: C:\Users\Admin\AppData\Roaming\Server.exe (pid 1336)
Command line: "C:\Users\Admin\AppData\Roaming\Server.exe"
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Depth 4: C:\Windows\SysWOW64\schtasks.exe (pid 4308)
Command line: schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
- Creates scheduled task(s)
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\Server.exe (pid 1044; a separate root process, consistent with the every-minute scheduled task created above)
Command line: C:\Users\Admin\AppData\Local\Temp/Server.exe
- Executes dropped EXE
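The process tree gives three concrete command lines and registry values that a detection rule can be checked against: the miner invocation, the one-minute scheduled task, and the Run values pointing into AppData. The following is an added example, not code from the report or from any tool it names: it parses those artefacts and returns findings. The sample events are transcribed from this report; the interval threshold, the list of user-writable directories and the set of recognised miner flags (xmrig-style -o/--url, -u/--user, -a/--algo) are assumptions chosen for illustration.

```python
"""Command-line and persistence triage for the process tree above (added example)."""
import re
from typing import Optional
from urllib.parse import urlparse

STRATUM_SCHEMES = {"stratum+tcp", "stratum+ssl", "stratum+tls"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")   # assumption
MINER_FLAGS = {"-o": "url", "--url": "url", "-u": "user", "--user": "user",
               "-a": "algo", "--algo": "algo"}                                      # xmrig-style


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted spans whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def in_user_writable(path: str) -> bool:
    """True if the path (either slash style, as in the schtasks /tr above) is user-writable."""
    p = path.replace("/", "\\").lower()
    return any(d in p for d in USER_WRITABLE)


def parse_miner_args(cmdline: str) -> Optional[dict]:
    """Return pool host/port, user and algo if the command line targets a stratum pool."""
    toks, opts, i = tokenize(cmdline), {}, 0
    while i < len(toks):
        key, _, val = toks[i].partition("=")
        if key in MINER_FLAGS and val:                        # --url=... form
            opts[MINER_FLAGS[key]] = val
        elif toks[i] in MINER_FLAGS and i + 1 < len(toks):    # -o ... form
            opts[MINER_FLAGS[toks[i]]] = toks[i + 1]
            i += 1
        i += 1
    url = urlparse(opts.get("url", ""))
    if url.scheme.lower() not in STRATUM_SCHEMES:
        return None
    return {"pool_host": url.hostname, "pool_port": url.port,
            "user": opts.get("user"), "algo": opts.get("algo")}


def parse_schtasks(cmdline: str) -> Optional[dict]:
    """Parse 'schtasks /create ...' into option values and bare switches."""
    toks = tokenize(cmdline)
    if not toks or toks[0].lower().rsplit("\\", 1)[-1] not in ("schtasks", "schtasks.exe"):
        return None
    opts, switches, i = {}, set(), 1
    while i < len(toks):
        t = toks[i].lower()
        if t in ("/sc", "/mo", "/tn", "/tr", "/ru") and i + 1 < len(toks):
            opts[t[1:]] = toks[i + 1]
            i += 2
        else:
            switches.add(t)
            i += 1
    return {"opts": opts, "switches": switches}


def task_finding(cmdline: str, max_interval_minutes: int = 5) -> Optional[dict]:
    """Flag a created task that re-runs frequently or whose action lives in a user-writable path."""
    parsed = parse_schtasks(cmdline)
    if not parsed or "/create" not in parsed["switches"]:
        return None
    opts = parsed["opts"]
    per_unit = {"minute": 1, "hourly": 60}.get(opts.get("sc", "").lower())
    mo = opts.get("mo", "1")
    interval = per_unit * int(mo) if per_unit and mo.isdigit() else None
    reasons = []
    if interval is not None and interval <= max_interval_minutes:
        reasons.append(f"re-runs every {interval} min")
    if in_user_writable(opts.get("tr", "")):
        reasons.append("task action in user-writable path")
    return {"kind": "schtasks", "task": opts.get("tn"), "action": opts.get("tr"),
            "reasons": reasons} if reasons else None


def run_key_finding(value_name: str, value_data: str) -> Optional[dict]:
    """Flag a Run value whose executable sits in a user-writable directory."""
    toks = tokenize(value_data)
    if toks and in_user_writable(toks[0]):
        return {"kind": "run_key", "value": value_name, "target": toks[0],
                "reasons": ["Run target in user-writable path"]}
    return None


# Transcribed from this report's process tree and "Adds Run key" signature.
MINER_CMDLINE = ('"C:\\Users\\Admin\\AppData\\Local\\Temp\\system.exe" -a cryptonight '
                 '-o stratum+tcp://btc.pool.minergate.com:45560 -u egacom2288@gmail.com -t 1')
SCHTASKS_CMDLINE = ('schtasks /create /sc minute /mo 1 /tn Server '
                    '/tr C:\\Users\\Admin\\AppData\\Local\\Temp/Server.exe')
RUN_VALUES = [
    ("LOFIHOJEDKNAPGB", 'C:\\Users\\Admin\\AppData\\Local\\Temp\\system.exe'),
    ("Windows Update", '"C:\\Users\\Admin\\AppData\\Roaming\\Server.exe" ..'),   # HKCU
    ("Windows Update", '"C:\\Users\\Admin\\AppData\\Roaming\\Server.exe" ..'),   # HKLM WOW6432Node
]


def triage() -> list[dict]:
    """Run every check over the transcribed events and return the findings in order."""
    findings = []
    miner = parse_miner_args(MINER_CMDLINE)
    if miner:
        findings.append({"kind": "stratum_miner", **miner})
    task = task_finding(SCHTASKS_CMDLINE)
    if task:
        findings.append(task)
    findings.extend(f for f in (run_key_finding(n, d) for n, d in RUN_VALUES) if f)
    return findings


if __name__ == "__main__":
    for f in triage():
        print(f)
```

The schtasks check keys on two independent signals (interval and action path) rather than on the task name, because "Server" is arbitrary while a task that re-runs a binary in Temp every minute is the observable behaviour; the Run-key check likewise ignores the spoofed "Windows Update" name and looks only at where the target lives.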
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize: 43KB
MD5: c43aaf0146a014160aaebe2f65150e62
SHA1: 7c5bbccf84201c6bd05ed86c4ad88400a3d59575
SHA256: 4f927df346172359d5af13322514bb7ede61d35d6785729a563a872ac4a9ff13
SHA512: 8a5d258e76f29aa25985280169745dbc28e68d50dd6d8c784dfa5b7196abfc9b63cafa14c034d994b02444a311125e24f7ed302d0338ccc56fd2b5c7e420a64b
-
C:\Users\Admin\AppData\Local\Temp\nikoVIRA alph 13.10.4.2.exe
Filesize: 710KB
MD5: c93248685712aca2903f41280ebf535e
SHA1: 1cc106d0822eecd8b9b6d56780fe19d826485768
SHA256: c0014ac7d901c2e1231fa5e7734d5db64070dc08fb71adaf7720090f45d4e471
SHA512: 21ae26e97aec9feeae3b3205a159ba7407970c58029093969e6fb3dc5c776f83796d076c2f4e8823ac029beb629e8607f85fdf58170835d6e17b01930b2076fc
-
C:\Users\Admin\AppData\Local\Temp\system.exe
Filesize: 502KB
MD5: 806779989c6ea355a1abf4f6c7cb646c
SHA1: 36d7f7a57e2a8ec953940d15099cae2fc565c16e
SHA256: 126395638de030e60d4a3a5cf7a8f8b664aac9ca37dc9a766182f8dfd5228fe4
SHA512: 87cb14530041b4c09e7de2f77b5a7e2d60278f6916dbed663a1e90e2b35d916f1ff05908ea562661bd5598c60799191ea95550e7e98e8b4ab218179217aecb51
-
C:\Users\Admin\AppData\Roaming\Server.exe (same hashes as the Temp\Server.exe copy above)
Filesize: 43KB
MD5: c43aaf0146a014160aaebe2f65150e62
SHA1: 7c5bbccf84201c6bd05ed86c4ad88400a3d59575
SHA256: 4f927df346172359d5af13322514bb7ede61d35d6785729a563a872ac4a9ff13
SHA512: 8a5d258e76f29aa25985280169745dbc28e68d50dd6d8c784dfa5b7196abfc9b63cafa14c034d994b02444a311125e24f7ed302d0338ccc56fd2b5c7e420a64b
-
C:\Users\Admin\AppData\Roaming\Новый текстовый документ.txt (Russian for "New Text Document.txt")
Filesize: 55.5MB
MD5: 90ad01221aca326184512bd924aa80b3
SHA1: 5cadad1a1feed32529dd5c4f3a367588042206aa
SHA256: fe63530654ff0f7e301429003c8400b35428252eb5df6a3cd28db53e98ad8055
SHA512: a0c7a73074885394dbd80d55c711d2d77e34eac94f8bfaea5c3fb8f7837ec8583a6f186be8c8f37558b9bc6d25e97932b745884d4bdbc934d1d8f6a8f6eca08d
-
memory/1336-145-0x0000000004FF0000-0x0000000005082000-memory.dmp (Filesize: 584KB)
-
memory/1336-139-0x0000000000000000-mapping.dmp
-
memory/1336-142-0x00000000003A0000-0x00000000003B2000-memory.dmp (Filesize: 72KB)
-
memory/1336-143-0x0000000004C60000-0x0000000004CFC000-memory.dmp (Filesize: 624KB)
-
memory/1336-144-0x00000000054C0000-0x0000000005A64000-memory.dmp (Filesize: 5.6MB)
-
memory/1336-148-0x0000000005300000-0x000000000530A000-memory.dmp (Filesize: 40KB)
-
memory/1560-133-0x0000000000000000-mapping.dmp
-
memory/4244-137-0x0000000000000000-mapping.dmp
-
memory/4308-146-0x0000000000000000-mapping.dmp
-
memory/4436-130-0x0000000000000000-mapping.dmp
-
memory/4436-135-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize: 536KB)