Analysis
- max time kernel: 159s
- max time network: 168s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 13:30
Behavioral task behavioral1
- Sample: 1aea4cc5eed0fbf9bc14cecbab4b67a90754cb303eff6948ef147f7afa813eb4.exe
- Resource: win7-20220414-en

Behavioral task behavioral2
- Sample: 1aea4cc5eed0fbf9bc14cecbab4b67a90754cb303eff6948ef147f7afa813eb4.exe
- Resource: win10v2004-20220414-en
General
- Target: 1aea4cc5eed0fbf9bc14cecbab4b67a90754cb303eff6948ef147f7afa813eb4.exe
- Size: 23KB
- MD5: 264cc8acfd74b2dc61c4601ebed22625
- SHA1: 4d34a5a2f1cfeb7841bfe6ae06d4dc5075da557c
- SHA256: 1aea4cc5eed0fbf9bc14cecbab4b67a90754cb303eff6948ef147f7afa813eb4
- SHA512: 8eeb2615c76fcd9ba9a6e6859fcf3d85ecbb46694bd0c5be20506f0fbe0ff67727985c592cf80a91011468696006592081556ef9ac1e65754054a6dac245da9f
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet ID: HacKed
- C2: ranjeethubb-47583.portmap.io:47583
- Mutex: 784d648927e34213cad028b43aa070c4
- reg_key: 784d648927e34213cad028b43aa070c4
- splitter: |'|'|
Signatures

Executes dropped EXE (1 IoCs)
Processes:
- pid 1316, process server.exe

Modifies Windows Firewall (1 TTPs)

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (process: 1aea4cc5eed0fbf9bc14cecbab4b67a90754cb303eff6948ef147f7afa813eb4.exe)

Drops startup file (2 IoCs)
Processes:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\784d648927e34213cad028b43aa070c4.exe (process: server.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\784d648927e34213cad028b43aa070c4.exe (process: server.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\784d648927e34213cad028b43aa070c4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." (process: server.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\784d648927e34213cad028b43aa070c4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." (process: server.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (33 IoCs)
Processes:
- Token: SeDebugPrivilege, pid 1316, process server.exe (1 time)
- Token: 33, pid 1316, process server.exe (16 times)
- Token: SeIncBasePriorityPrivilege, pid 1316, process server.exe (16 times)

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
- PID 2984 (1aea4cc5eed0fbf9bc14cecbab4b67a90754cb303eff6948ef147f7afa813eb4.exe) wrote to memory of PID 1316 (server.exe) (3 times)
- PID 1316 (server.exe) wrote to memory of PID 2880 (netsh.exe) (3 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\1aea4cc5eed0fbf9bc14cecbab4b67a90754cb303eff6948ef147f7afa813eb4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1aea4cc5eed0fbf9bc14cecbab4b67a90754cb303eff6948ef147f7afa813eb4.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\server.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 23KB
  MD5: 264cc8acfd74b2dc61c4601ebed22625
  SHA1: 4d34a5a2f1cfeb7841bfe6ae06d4dc5075da557c
  SHA256: 1aea4cc5eed0fbf9bc14cecbab4b67a90754cb303eff6948ef147f7afa813eb4
  SHA512: 8eeb2615c76fcd9ba9a6e6859fcf3d85ecbb46694bd0c5be20506f0fbe0ff67727985c592cf80a91011468696006592081556ef9ac1e65754054a6dac245da9f
- memory/1316-131-0x0000000000000000-mapping.dmp
- memory/1316-134-0x0000000074BC0000-0x0000000075171000-memory.dmp
  Filesize: 5.7MB
- memory/2880-135-0x0000000000000000-mapping.dmp
- memory/2984-130-0x0000000074BC0000-0x0000000075171000-memory.dmp
  Filesize: 5.7MB