Analysis
Max time kernel: 150s
Max time network: 126s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 20-05-2022 14:26
Behavioral task: behavioral1
Sample: 5a8c05db738e43447bc36122d5e83a8c2b1cfd34b6c8036bfa946b95bf16cc83.exe
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: 5a8c05db738e43447bc36122d5e83a8c2b1cfd34b6c8036bfa946b95bf16cc83.exe
Resource: win10v2004-20220414-en
General
Target: 5a8c05db738e43447bc36122d5e83a8c2b1cfd34b6c8036bfa946b95bf16cc83.exe
Size: 23KB
MD5: dafc19b65a1d5c42989e2258f51cbe44
SHA1: d87e886de1bd237ece73a000ed8e2891b0e7d241
SHA256: 5a8c05db738e43447bc36122d5e83a8c2b1cfd34b6c8036bfa946b95bf16cc83
SHA512: 605e24bba49573d01a85e53d406f97540bf10312bf221c896d10e78eb1b237f19c7e46ed04ab8540a6f27aedbe5e48d3724c72503cb3ec8fe85c7834e62aa4ca
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: HacKed
C2: 127.0.0.1:8808
Mutex: f974c04cda44f6d8679500cc9da12bdb
Attributes:
  reg_key: f974c04cda44f6d8679500cc9da12bdb
  splitter: |'|'|
Signatures

Executes dropped EXE (1 IoC)
  Process: server.exe (PID 2592)

Modifies Windows Firewall (1 TTP)

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Process: 5a8c05db738e43447bc36122d5e83a8c2b1cfd34b6c8036bfa946b95bf16cc83.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation

Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: server.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f974c04cda44f6d8679500cc9da12bdb = "\"C:\\Windows\\server.exe\" .."
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\f974c04cda44f6d8679500cc9da12bdb = "\"C:\\Windows\\server.exe\" .."

Drops file in Windows directory (1 IoC)
  Process: 5a8c05db738e43447bc36122d5e83a8c2b1cfd34b6c8036bfa946b95bf16cc83.exe
  File created: C:\Windows\server.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Process: server.exe (PID 2592)
  Token: SeDebugPrivilege (1 occurrence)
  Token: 33 (16 occurrences, alternating with the next entry)
  Token: SeIncBasePriorityPrivilege (16 occurrences)

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4912 (5a8c05db738e43447bc36122d5e83a8c2b1cfd34b6c8036bfa946b95bf16cc83.exe) wrote to memory of PID 2592 (server.exe), 3 times
  PID 2592 (server.exe) wrote to memory of PID 64 (netsh.exe), 3 times
Processes

1. C:\Users\Admin\AppData\Local\Temp\5a8c05db738e43447bc36122d5e83a8c2b1cfd34b6c8036bfa946b95bf16cc83.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5a8c05db738e43447bc36122d5e83a8c2b1cfd34b6c8036bfa946b95bf16cc83.exe"
   - Checks computer location settings
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\server.exe (child of 1)
      Command line: "C:\Windows\server.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe (child of 2)
         Command line: netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Windows\server.exe
  Filesize: 23KB
  MD5: dafc19b65a1d5c42989e2258f51cbe44
  SHA1: d87e886de1bd237ece73a000ed8e2891b0e7d241
  SHA256: 5a8c05db738e43447bc36122d5e83a8c2b1cfd34b6c8036bfa946b95bf16cc83
  SHA512: 605e24bba49573d01a85e53d406f97540bf10312bf221c896d10e78eb1b237f19c7e46ed04ab8540a6f27aedbe5e48d3724c72503cb3ec8fe85c7834e62aa4ca
memory/64-136-0x0000000000000000-mapping.dmp

memory/2592-132-0x0000000000000000-mapping.dmp

memory/2592-135-0x00000000746F0000-0x0000000074CA1000-memory.dmp
  Filesize: 5.7MB

memory/4912-131-0x00000000746F0000-0x0000000074CA1000-memory.dmp
  Filesize: 5.7MB