Analysis
- max time kernel: 172s
- max time network: 176s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 14:24
Behavioral task behavioral1
- Sample: e4cbce3085ca964b83c2b2b69a787264fefc77435095e847332354ebf8a3db02.exe
- Resource: win7-20220414-en
Behavioral task behavioral2
- Sample: e4cbce3085ca964b83c2b2b69a787264fefc77435095e847332354ebf8a3db02.exe
- Resource: win10v2004-20220414-en
General
- Target: e4cbce3085ca964b83c2b2b69a787264fefc77435095e847332354ebf8a3db02.exe
- Size: 37KB
- MD5: 93629cc82528b6dc58a8db94912ca786
- SHA1: c73a94cf2014605c317b433eb38d4a8f39d70aaf
- SHA256: e4cbce3085ca964b83c2b2b69a787264fefc77435095e847332354ebf8a3db02
- SHA512: 00d0b728e31a0030f9d983f2fe36e46514f449ba96a3c034ff860f4be96e9a8e67bc4bdbff086b79474962509088032509a3e7f3cad06e32dcaaa0d3e19c7650
Malware Config
Extracted
- Family: njrat
- Version: im523
- Botnet: HacKed
- C2: 95.138.242.118:6463
- Mutex: a719548a4e0a4b21166fca31fea3933b
- reg_key: a719548a4e0a4b21166fca31fea3933b
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    obama.exe: pid 1844
- Modifies Windows Firewall (1 TTPs)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (process: e4cbce3085ca964b83c2b2b69a787264fefc77435095e847332354ebf8a3db02.exe)
- Drops startup file (2 IoCs)
  Processes:
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a719548a4e0a4b21166fca31fea3933b.exe (process: obama.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a719548a4e0a4b21166fca31fea3933b.exe (process: obama.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\a719548a4e0a4b21166fca31fea3933b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\obama.exe\" .." (process: obama.exe)
    Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a719548a4e0a4b21166fca31fea3933b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\obama.exe\" .." (process: obama.exe)
- Drops autorun.inf file (1 TTPs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoCs)
  Processes:
    taskkill.exe: pid 4480
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    obama.exe: pid 1844 (64 identical events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    obama.exe: pid 1844
- Suspicious use of AdjustPrivilegeToken (34 IoCs)
  Processes:
    Token: SeDebugPrivilege, pid 1844 obama.exe
    Token: SeDebugPrivilege, pid 4480 taskkill.exe
    Token: 33 (raw privilege LUID 33, i.e. SeIncreaseWorkingSetPrivilege), pid 1844 obama.exe (16 events)
    Token: SeIncBasePriorityPrivilege, pid 1844 obama.exe (16 events)
    The last two alternate (33, then SeIncBasePriorityPrivilege) for 16 rounds, giving the 34 entries in total.
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    PID 3204 (e4cbce3085ca964b83c2b2b69a787264fefc77435095e847332354ebf8a3db02.exe) wrote to memory of PID 1844 (obama.exe): 3 events
    PID 1844 (obama.exe) wrote to memory of PID 4260 (netsh.exe): 3 events
    PID 1844 (obama.exe) wrote to memory of PID 4480 (taskkill.exe): 3 events
Processes
- C:\Users\Admin\AppData\Local\Temp\e4cbce3085ca964b83c2b2b69a787264fefc77435095e847332354ebf8a3db02.exe (PID 3204)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e4cbce3085ca964b83c2b2b69a787264fefc77435095e847332354ebf8a3db02.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\obama.exe (PID 1844, child of 3204)
    Command line: "C:\Users\Admin\AppData\Local\Temp\obama.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 4260, child of 1844)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\obama.exe" "obama.exe" ENABLE
    - C:\Windows\SysWOW64\taskkill.exe (PID 4480, child of 1844)
      Command line: taskkill /F /IM Exsample.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\obama.exe (dropped file; its hashes match the submitted sample exactly, so the dropper writes a copy of itself)
  Filesize: 37KB
  MD5: 93629cc82528b6dc58a8db94912ca786
  SHA1: c73a94cf2014605c317b433eb38d4a8f39d70aaf
  SHA256: e4cbce3085ca964b83c2b2b69a787264fefc77435095e847332354ebf8a3db02
  SHA512: 00d0b728e31a0030f9d983f2fe36e46514f449ba96a3c034ff860f4be96e9a8e67bc4bdbff086b79474962509088032509a3e7f3cad06e32dcaaa0d3e19c7650
- memory/1844-131-0x0000000000000000-mapping.dmp
- memory/1844-134-0x0000000074BC0000-0x0000000075171000-memory.dmp
  Filesize: 5.7MB
- memory/3204-130-0x0000000074BC0000-0x0000000075171000-memory.dmp
  Filesize: 5.7MB
- memory/4260-135-0x0000000000000000-mapping.dmp
- memory/4480-136-0x0000000000000000-mapping.dmp