Analysis
- max time kernel: 154s
- max time network: 190s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 00:07
Behavioral task: behavioral1
- Sample: be4e51ecca7a9cfb5ca39240ce27beea314be89af2bbf40dd4d5b2a8d3203c98.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: be4e51ecca7a9cfb5ca39240ce27beea314be89af2bbf40dd4d5b2a8d3203c98.exe
- Resource: win10v2004-20220414-en
General
- Target: be4e51ecca7a9cfb5ca39240ce27beea314be89af2bbf40dd4d5b2a8d3203c98.exe
- Size: 31KB
- MD5: 18fd235145f8ab58e1459ca717da16f8
- SHA1: feccaf6747cbcb7d4adcec37886f107ed4135597
- SHA256: be4e51ecca7a9cfb5ca39240ce27beea314be89af2bbf40dd4d5b2a8d3203c98
- SHA512: 0df79707f6d2b26d06c47827f8207b1c74322483676b7d7be72d28bb8bae6c54b2cef8c8ade5360fe87b6f21af0418b4bb87f0ee76ad42a2eb4e329dd3a44f45
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: Faust
- C2: 192.168.88.12:7777
- Mutex: 77beb3e67b10486d166a5b0f147439dc
- Attributes:
  - reg_key: 77beb3e67b10486d166a5b0f147439dc
  - splitter: Y262SUCZ4UJJ
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  4188, AF.exe
- Modifies Windows Firewall (1 TTP)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  Key value queried, \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation, be4e51ecca7a9cfb5ca39240ce27beea314be89af2bbf40dd4d5b2a8d3203c98.exe
- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
  File created, C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\77beb3e67b10486d166a5b0f147439dc.exe, AF.exe
  File opened for modification, C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\77beb3e67b10486d166a5b0f147439dc.exe, AF.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  Set value (str), \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\77beb3e67b10486d166a5b0f147439dc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AF.exe\" ..", AF.exe
  Set value (str), \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\77beb3e67b10486d166a5b0f147439dc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AF.exe\" ..", AF.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes (description, pid, process):
  Token: SeDebugPrivilege, 4188, AF.exe
  Token: 33, 4188, AF.exe
  Token: SeIncBasePriorityPrivilege, 4188, AF.exe
  Token: 33, 4188, AF.exe
  Token: SeIncBasePriorityPrivilege, 4188, AF.exe
  Token: 33, 4188, AF.exe
  Token: SeIncBasePriorityPrivilege, 4188, AF.exe
  Token: 33, 4188, AF.exe
  Token: SeIncBasePriorityPrivilege, 4188, AF.exe
  Token: 33, 4188, AF.exe
  Token: SeIncBasePriorityPrivilege, 4188, AF.exe
  Token: 33, 4188, AF.exe
  Token: SeIncBasePriorityPrivilege, 4188, AF.exe
  Token: 33, 4188, AF.exe
  Token: SeIncBasePriorityPrivilege, 4188, AF.exe
  Token: 33, 4188, AF.exe
  Token: SeIncBasePriorityPrivilege, 4188, AF.exe
  Token: 33, 4188, AF.exe
  Token: SeIncBasePriorityPrivilege, 4188, AF.exe
  Token: 33, 4188, AF.exe
  Token: SeIncBasePriorityPrivilege, 4188, AF.exe
  Token: 33, 4188, AF.exe
  Token: SeIncBasePriorityPrivilege, 4188, AF.exe
  Token: 33, 4188, AF.exe
  Token: SeIncBasePriorityPrivilege, 4188, AF.exe
  Token: 33, 4188, AF.exe
  Token: SeIncBasePriorityPrivilege, 4188, AF.exe
  Token: 33, 4188, AF.exe
  Token: SeIncBasePriorityPrivilege, 4188, AF.exe
  Token: 33, 4188, AF.exe
  Token: SeIncBasePriorityPrivilege, 4188, AF.exe
  Token: 33, 4188, AF.exe
  Token: SeIncBasePriorityPrivilege, 4188, AF.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
  PID 2856 wrote to memory of 4188, 2856, be4e51ecca7a9cfb5ca39240ce27beea314be89af2bbf40dd4d5b2a8d3203c98.exe, AF.exe
  PID 2856 wrote to memory of 4188, 2856, be4e51ecca7a9cfb5ca39240ce27beea314be89af2bbf40dd4d5b2a8d3203c98.exe, AF.exe
  PID 2856 wrote to memory of 4188, 2856, be4e51ecca7a9cfb5ca39240ce27beea314be89af2bbf40dd4d5b2a8d3203c98.exe, AF.exe
  PID 4188 wrote to memory of 3156, 4188, AF.exe, netsh.exe
  PID 4188 wrote to memory of 3156, 4188, AF.exe, netsh.exe
  PID 4188 wrote to memory of 3156, 4188, AF.exe, netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\be4e51ecca7a9cfb5ca39240ce27beea314be89af2bbf40dd4d5b2a8d3203c98.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\be4e51ecca7a9cfb5ca39240ce27beea314be89af2bbf40dd4d5b2a8d3203c98.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\AF.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\AF.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\AF.exe" "AF.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\AF.exe
  Filesize: 31KB
  MD5: 18fd235145f8ab58e1459ca717da16f8
  SHA1: feccaf6747cbcb7d4adcec37886f107ed4135597
  SHA256: be4e51ecca7a9cfb5ca39240ce27beea314be89af2bbf40dd4d5b2a8d3203c98
  SHA512: 0df79707f6d2b26d06c47827f8207b1c74322483676b7d7be72d28bb8bae6c54b2cef8c8ade5360fe87b6f21af0418b4bb87f0ee76ad42a2eb4e329dd3a44f45
- memory/2856-130-0x00000000745D0000-0x0000000074B81000-memory.dmp
  Filesize: 5.7MB
- memory/3156-135-0x0000000000000000-mapping.dmp
- memory/4188-131-0x0000000000000000-mapping.dmp
- memory/4188-134-0x00000000745D0000-0x0000000074B81000-memory.dmp
  Filesize: 5.7MB