Analysis
- max time kernel: 156s
- max time network: 173s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 00:06
Static task: static1
Behavioral task: behavioral1
  Sample: c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317.exe
  Resource: win10v2004-20220414-en
General
- Target: c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317.exe
- Size: 37KB
- MD5: fe539f5b615a9dbb6c67e91499888daf
- SHA1: 267e7b00433be2c8ac5d1c8a4ee1d90065d8094b
- SHA256: c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317
- SHA512: cdf6a70381022504e3dd967626c4b560d8cadf3357055ceacd615f05f18315caab0b591d0bcb242bb9e3d524d6124eb054826b21c5873035fb72f28e57b0784a
Malware Config
Extracted
- Family: njrat
- Version: im523
- Botnet: karochedauni
- C2: 194.34.132.152:7576
- Mutex: e4cef66ebf3fdf7f22614d89de91686c
- reg_key: e4cef66ebf3fdf7f22614d89de91686c
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes: extrimhack_private.exe (PID 2688)
- Modifies Windows Firewall (1 TTP)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation by c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317.exe
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e4cef66ebf3fdf7f22614d89de91686c.exe by extrimhack_private.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e4cef66ebf3fdf7f22614d89de91686c.exe by extrimhack_private.exe
- Drops autorun.inf file (1 TTP)
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoC)
  Processes: taskkill.exe (PID 3984)
- Suspicious use of AdjustPrivilegeToken (34 IoCs)
  Token: SeDebugPrivilege by taskkill.exe (PID 3984)
  Token: SeDebugPrivilege by extrimhack_private.exe (PID 2688)
  Token: 33 and Token: SeIncBasePriorityPrivilege, alternating, by extrimhack_private.exe (PID 2688), repeated to make up the remaining IoCs
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 3248 (c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317.exe) wrote to memory of PID 2688 (extrimhack_private.exe), 3 times
  PID 2688 (extrimhack_private.exe) wrote to memory of PID 4216 (netsh.exe), 3 times
  PID 2688 (extrimhack_private.exe) wrote to memory of PID 3984 (taskkill.exe), 3 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\extrimhack_private.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\extrimhack_private.exe"
      - Executes dropped EXE
      - Drops startup file
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\extrimhack_private.exe" "extrimhack_private.exe" ENABLE
      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /F /IM Taskmgr.exe
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\extrimhack_private.exe (same hashes as the submitted sample)
  Filesize: 37KB
  MD5: fe539f5b615a9dbb6c67e91499888daf
  SHA1: 267e7b00433be2c8ac5d1c8a4ee1d90065d8094b
  SHA256: c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317
  SHA512: cdf6a70381022504e3dd967626c4b560d8cadf3357055ceacd615f05f18315caab0b591d0bcb242bb9e3d524d6124eb054826b21c5873035fb72f28e57b0784a
- memory/2688-131-0x0000000000000000-mapping.dmp
- memory/2688-134-0x0000000075300000-0x00000000758B1000-memory.dmp (Filesize: 5.7MB)
- memory/3248-130-0x0000000075300000-0x00000000758B1000-memory.dmp (Filesize: 5.7MB)
- memory/3984-136-0x0000000000000000-mapping.dmp
- memory/4216-135-0x0000000000000000-mapping.dmp