Analysis
- max time kernel: 156s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 21:22
Behavioral task behavioral1
- Sample: 3e9a4599cb3b29f9810a7d61282e2d4db15ba7df233752a0511502cdba1257fe.exe
- Resource: win7-20220414-en
Behavioral task behavioral2
- Sample: 3e9a4599cb3b29f9810a7d61282e2d4db15ba7df233752a0511502cdba1257fe.exe
- Resource: win10v2004-20220414-en
General
- Target: 3e9a4599cb3b29f9810a7d61282e2d4db15ba7df233752a0511502cdba1257fe.exe
- Size: 23KB
- MD5: 2b62029610cb89bbe65f3eb0f956ad31
- SHA1: 3d7f8201bbf8b142abbad91b91681dca2a996db9
- SHA256: 3e9a4599cb3b29f9810a7d61282e2d4db15ba7df233752a0511502cdba1257fe
- SHA512: 597c24b5ad3cb32c96b8b01c31952b637ca662c37d534cedc37fe6849973bdc1c15c439e262ef64521c7cbd2c1c460edabfde45422c7f2a1b34003fa5dedabb5
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: Youtube
- C2: 170.78.228.248:4000
- Mutex: 74f1c9503f78c09efe5ac6b8a9f55c1f
- reg_key: 74f1c9503f78c09efe5ac6b8a9f55c1f
- splitter: |'|'|

The reg_key value is reused by the implant as the name of its Run value and as the file name of its startup-folder copy (see the Signatures below), so it doubles as a host-based indicator. The splitter is the field delimiter of njRAT's plaintext TCP protocol, and the C2 host and port are where the implant connects.
Signatures

Executes dropped EXE (1 IoC)
- pid 1580: ifgxtray.exe

Modifies Windows Firewall (1 TTP)
- See the netsh.exe command in the process tree below.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
- Key value queried: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation (process: 3e9a4599cb3b29f9810a7d61282e2d4db15ba7df233752a0511502cdba1257fe.exe)
Drops startup file (2 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\74f1c9503f78c09efe5ac6b8a9f55c1f.exe (process: ifgxtray.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\74f1c9503f78c09efe5ac6b8a9f55c1f.exe (process: ifgxtray.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\74f1c9503f78c09efe5ac6b8a9f55c1f = "\"C:\\Users\\Admin\\AppData\\Roaming\\ifgxtray.exe\" .." (process: ifgxtray.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\74f1c9503f78c09efe5ac6b8a9f55c1f = "\"C:\\Users\\Admin\\AppData\\Roaming\\ifgxtray.exe\" .." (process: ifgxtray.exe)
Both values carry the same data: the implant path followed by a bare ".." argument, a trait of njRAT persistence worth matching on. The machine-wide write lands under WOW6432Node because the implant is a 32-bit process writing to HKLM\SOFTWARE on an x64 system; a hunt that only reads the 64-bit view of the Run key misses it.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic "likely ransomware behaviour" note to this signature, but nothing else in this report (no bulk file writes, no encryption, no ransom note) supports that reading; for njRAT this activity is consistent with its removable-drive spreading feature.
Suspicious use of AdjustPrivilegeToken (29 IoCs)
- pid 1580 ifgxtray.exe: Token: SeDebugPrivilege
- pid 1580 ifgxtray.exe: Token: 33, then Token: SeIncBasePriorityPrivilege, the pair repeated 14 times
The unnamed privilege LUID 33 is SeIncreaseWorkingSetPrivilege. SeDebugPrivilege is the one to watch: neither persistence nor the firewall change needs it, and enabling it lets the process open handles to processes it does not own.
Suspicious use of WriteProcessMemory (6 IoCs)
- PID 2060 (3e9a4599cb3b29f9810a7d61282e2d4db15ba7df233752a0511502cdba1257fe.exe) wrote to memory of PID 1580 (ifgxtray.exe), 3 times
- PID 1580 (ifgxtray.exe) wrote to memory of PID 2668 (netsh.exe), 3 times
Three writes into a freshly created child are consistent with ordinary process creation (the parent populates the new process's startup parameters, which the sandbox counts) rather than injection; read them as process-tree evidence, not as an injection finding.
Processes
- C:\Users\Admin\AppData\Local\Temp\3e9a4599cb3b29f9810a7d61282e2d4db15ba7df233752a0511502cdba1257fe.exe (PID 2060, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3e9a4599cb3b29f9810a7d61282e2d4db15ba7df233752a0511502cdba1257fe.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\ifgxtray.exe (PID 1580, depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\ifgxtray.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 2668, depth 3)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\ifgxtray.exe" "ifgxtray.exe" ENABLE
      - Modifies Windows Firewall: the legacy "netsh firewall" context (deprecated in favour of "netsh advfirewall", but still present) adds an allow-program exception for the implant. netsh is started from SysWOW64, which, together with the WOW6432Node Run key, confirms a 32-bit process tree on the x64 VM.
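Taken together, the Run value under both the user hive and HKLM\SOFTWARE\WOW6432Node, the startup-folder copy and the netsh allowedprogram exception for a binary in %AppData% are the persistence and evasion pattern this report flags. The Python below is an added example that is not part of the report: a small rule set run over constructed Sysmon-style events (event IDs 1, 11 and 13 with their usual field names) that reproduces those signatures, plus the njRAT-specific tell that the Run value's data ends in a bare ".." argument. The event records are built inline from the paths and commands in this report, with a benign vendor Run key added as a control; the "Executes dropped EXE" rule is an approximation (an executable under the user profile started from a Temp-resident parent) rather than the sandbox's own file-write-then-execute correlation.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Registry Run locations, including the 32-bit (WOW6432Node) view seen in the report.
RUN_KEY = re.compile(r"\\Software\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Locations an unprivileged user can write to; implants commonly live here.
USER_WRITABLE = re.compile(r"\\AppData\\(?:Roaming|Local)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
# Legacy "netsh firewall" and current "netsh advfirewall" allow-rule syntax.
NETSH_ALLOW = re.compile(r"\bfirewall\s+add\s+allowedprogram\b|\badvfirewall\s+firewall\s+add\s+rule\b", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


@dataclass
class Finding:
    signature: str          # named after the sandbox signatures in this report
    image: str              # process held responsible
    detail: str             # the IoC that fired the rule
    tags: List[str] = field(default_factory=list)


def detect(events: List[Dict[str, object]]) -> List[Finding]:
    """Apply the rules to Sysmon-style events and return one Finding per hit."""
    findings: List[Finding] = []
    for ev in events:
        eid, image = ev["EventID"], str(ev.get("Image", ""))
        if eid == 13:                                   # registry value set
            target, data = str(ev["TargetObject"]), str(ev["Details"])
            if RUN_KEY.search(target) and USER_WRITABLE.search(data):
                tags = []
                if data.rstrip().endswith('" ..'):
                    tags.append("njrat-run-value")      # njRAT appends a bare ".." argument
                if "WOW6432Node" in target:
                    tags.append("wow64-view")
                findings.append(Finding("Adds Run key to start application", image, target, tags))
        elif eid == 11:                                 # file created
            path = str(ev["TargetFilename"])
            if STARTUP_DIR.search(path):
                findings.append(Finding("Drops startup file", image, path))
        elif eid == 1:                                  # process created
            cmd, parent = str(ev.get("CommandLine", "")), str(ev.get("ParentImage", ""))
            if image.lower().endswith("\\netsh.exe") and NETSH_ALLOW.search(cmd) and USER_WRITABLE.search(cmd):
                findings.append(Finding("Modifies Windows Firewall", parent, cmd))
            elif USER_WRITABLE.search(image) and TEMP_DIR.search(parent):
                findings.append(Finding("Executes dropped EXE", parent, image))
    return findings


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\3e9a4599cb3b29f9810a7d61282e2d4db15ba7df233752a0511502cdba1257fe.exe"
IMPLANT = r"C:\Users\Admin\AppData\Roaming\ifgxtray.exe"
RUN_VALUE = r'"C:\Users\Admin\AppData\Roaming\ifgxtray.exe" ..'
KEY_NAME = "74f1c9503f78c09efe5ac6b8a9f55c1f"

# Constructed Sysmon-style events modelled on the report's process tree and IoCs.
EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "Image": IMPLANT, "ParentImage": DROPPER, "CommandLine": f'"{IMPLANT}"'},
    {"EventID": 13, "Image": IMPLANT,
     "TargetObject": r"HKU\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run" + "\\" + KEY_NAME,
     "Details": RUN_VALUE},
    {"EventID": 13, "Image": IMPLANT,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" + "\\" + KEY_NAME,
     "Details": RUN_VALUE},
    {"EventID": 11, "Image": IMPLANT,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" + "\\" + KEY_NAME + ".exe"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\netsh.exe", "ParentImage": IMPLANT,
     "CommandLine": f'netsh firewall add allowedprogram "{IMPLANT}" "ifgxtray.exe" ENABLE'},
    # Benign control: a vendor installer registering a tray app under Program Files.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r'"C:\Program Files\Vendor\tray.exe"'},
]

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f.signature:36} {f.image}  {f.detail}  {f.tags}")
```

The user-writable-path condition is what keeps the benign control quiet: a Run value pointing into Program Files is routine, one pointing into %AppData% from a process that also lives there is not. Tune USER_WRITABLE to your estate before deploying this as a rule.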
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\ifgxtray.exe
  Filesize: 23KB
  MD5: 2b62029610cb89bbe65f3eb0f956ad31
  SHA1: 3d7f8201bbf8b142abbad91b91681dca2a996db9
  SHA256: 3e9a4599cb3b29f9810a7d61282e2d4db15ba7df233752a0511502cdba1257fe
  SHA512: 597c24b5ad3cb32c96b8b01c31952b637ca662c37d534cedc37fe6849973bdc1c15c439e262ef64521c7cbd2c1c460edabfde45422c7f2a1b34003fa5dedabb5
  The hashes match the submitted sample exactly: the dropper copies itself unchanged to %AppData%\ifgxtray.exe and runs the copy, so one file hash covers both the delivered file and the persistent implant.
- memory/1580-131-0x0000000000000000-mapping.dmp
- memory/1580-134-0x0000000074F50000-0x0000000075501000-memory.dmp (Filesize: 5.7MB)
- memory/2060-130-0x0000000074F50000-0x0000000075501000-memory.dmp (Filesize: 5.7MB)
- memory/2668-135-0x0000000000000000-mapping.dmp