Analysis
- max time kernel: 151s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 00:01
Behavioral task: behavioral1
- Sample: 5bc61eac5924ae54482ad0cf13de3d954c204acf40675b68ec9f34a58987b3ab.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 5bc61eac5924ae54482ad0cf13de3d954c204acf40675b68ec9f34a58987b3ab.exe
- Resource: win10v2004-20220414-en
General
- Target: 5bc61eac5924ae54482ad0cf13de3d954c204acf40675b68ec9f34a58987b3ab.exe
- Size: 37KB
- MD5: 94d375e6fd23e82da61417bcdbd3c50a
- SHA1: e3395b38c627551f3100e2c42854ee50dfab9af2
- SHA256: 5bc61eac5924ae54482ad0cf13de3d954c204acf40675b68ec9f34a58987b3ab
- SHA512: a4c24474972d0457830266173bdae4cb15a1045997f3f313297899ad568f0e7e16fdd07eb2607f11f041ec751fda97fc9480fa5232e689551c6b1de705afccb1
Malware Config
Extracted
- Family: njrat
- Version: im523
- Botnet: HacKed
- C2: 188.163.97.125:21
- Mutex: a9e76bee46dc0a4e93b0f47bb4fdbb28
- reg_key: a9e76bee46dc0a4e93b0f47bb4fdbb28
- splitter: |'|'|
Signatures
-
Executes dropped EXE (1 IoCs)
Processes:
  pid 3612  server.exe
-
Modifies Windows Firewall (1 TTPs)
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  (process: 5bc61eac5924ae54482ad0cf13de3d954c204acf40675b68ec9f34a58987b3ab.exe)
-
Drops startup file (2 IoCs)
Processes:
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a9e76bee46dc0a4e93b0f47bb4fdbb28.exe  (process: server.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a9e76bee46dc0a4e93b0f47bb4fdbb28.exe  (process: server.exe)
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a9e76bee46dc0a4e93b0f47bb4fdbb28 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .."  (process: server.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\a9e76bee46dc0a4e93b0f47bb4fdbb28 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .."  (process: server.exe)
-
Drops autorun.inf file (1 TTPs)
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid 3612  server.exe  (64 identical entries)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid 3612  server.exe
-
Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes:
  Token: SeDebugPrivilege  pid 3612  server.exe  (1 entry)
  Token: 33  pid 3612  server.exe  (17 entries, alternating with the next)
  Token: SeIncBasePriorityPrivilege  pid 3612  server.exe  (17 entries)
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  PID 2644 wrote to memory of 3612: 5bc61eac5924ae54482ad0cf13de3d954c204acf40675b68ec9f34a58987b3ab.exe -> server.exe  (3 entries)
  PID 3612 wrote to memory of 4164: server.exe -> netsh.exe  (3 entries)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\5bc61eac5924ae54482ad0cf13de3d954c204acf40675b68ec9f34a58987b3ab.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5bc61eac5924ae54482ad0cf13de3d954c204acf40675b68ec9f34a58987b3ab.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\server.exe
      Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\Users\Admin\AppData\Roaming\server.exe
- Filesize: 37KB
- MD5: 94d375e6fd23e82da61417bcdbd3c50a
- SHA1: e3395b38c627551f3100e2c42854ee50dfab9af2
- SHA256: 5bc61eac5924ae54482ad0cf13de3d954c204acf40675b68ec9f34a58987b3ab
- SHA512: a4c24474972d0457830266173bdae4cb15a1045997f3f313297899ad568f0e7e16fdd07eb2607f11f041ec751fda97fc9480fa5232e689551c6b1de705afccb1
-
memory/2644-130-0x0000000074B30000-0x00000000750E1000-memory.dmp
- Filesize: 5.7MB
-
memory/3612-131-0x0000000000000000-mapping.dmp
-
memory/3612-134-0x0000000074B30000-0x00000000750E1000-memory.dmp
- Filesize: 5.7MB
-
memory/4164-135-0x0000000000000000-mapping.dmp