Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 10:56
Static task: static1
Behavioral task: behavioral1
  Sample: a592ea7e651bdf94a65cd471fcddb7daf1bdc2168164b2008543ebfff9c69f6c.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: a592ea7e651bdf94a65cd471fcddb7daf1bdc2168164b2008543ebfff9c69f6c.exe
  Resource: win10v2004-20220414-en
General
Target: a592ea7e651bdf94a65cd471fcddb7daf1bdc2168164b2008543ebfff9c69f6c.exe
Size: 32KB
MD5: 329fb77ef9c38388c146e32148cb29df
SHA1: 0a6b14098dd89f97a27208b37cfb43197b8bc0a8
SHA256: a592ea7e651bdf94a65cd471fcddb7daf1bdc2168164b2008543ebfff9c69f6c
SHA512: 3f561e5f19848c41a3107eacd83445eed36012a5595d5fcebdb37425c3bf49dfc458ae3f999f9bf7da5706d267fec4b8be89681f155149a07f2d229a10926955
Malware Config
Extracted: njrat
  Hacked By HiDDen PerSOn
  64d9c8cb143e6b529eeac073e6e1e511
  reg_key: 64d9c8cb143e6b529eeac073e6e1e511
Signatures

Executes dropped EXE (1 IoC)
Processes:
  System32.exe, PID 4016
Modifies Windows Firewall (1 TTP)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  a592ea7e651bdf94a65cd471fcddb7daf1bdc2168164b2008543ebfff9c69f6c.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation
Drops startup file (2 IoCs)
Processes:
  System32.exe
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\64d9c8cb143e6b529eeac073e6e1e511.exe
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\64d9c8cb143e6b529eeac073e6e1e511.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  System32.exe
    Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\64d9c8cb143e6b529eeac073e6e1e511 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32.exe\" .."
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\64d9c8cb143e6b529eeac073e6e1e511 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32.exe\" .."
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (33 IoCs)
Processes:
  System32.exe, PID 4016
    Token: SeDebugPrivilege
    Token: 33
    Token: SeIncBasePriorityPrivilege
    Token: 33
    Token: SeIncBasePriorityPrivilege
    Token: 33
    Token: SeIncBasePriorityPrivilege
    Token: 33
    Token: SeIncBasePriorityPrivilege
    Token: 33
    Token: SeIncBasePriorityPrivilege
    Token: 33
    Token: SeIncBasePriorityPrivilege
    Token: 33
    Token: SeIncBasePriorityPrivilege
    Token: 33
    Token: SeIncBasePriorityPrivilege
    Token: 33
    Token: SeIncBasePriorityPrivilege
    Token: 33
    Token: SeIncBasePriorityPrivilege
    Token: 33
    Token: SeIncBasePriorityPrivilege
    Token: 33
    Token: SeIncBasePriorityPrivilege
    Token: 33
    Token: SeIncBasePriorityPrivilege
    Token: 33
    Token: SeIncBasePriorityPrivilege
    Token: 33
    Token: SeIncBasePriorityPrivilege
    Token: 33
    Token: SeIncBasePriorityPrivilege
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  PID 4128 wrote to memory of 4016: a592ea7e651bdf94a65cd471fcddb7daf1bdc2168164b2008543ebfff9c69f6c.exe -> System32.exe
  PID 4128 wrote to memory of 4016: a592ea7e651bdf94a65cd471fcddb7daf1bdc2168164b2008543ebfff9c69f6c.exe -> System32.exe
  PID 4128 wrote to memory of 4016: a592ea7e651bdf94a65cd471fcddb7daf1bdc2168164b2008543ebfff9c69f6c.exe -> System32.exe
  PID 4016 wrote to memory of 3852: System32.exe -> netsh.exe
  PID 4016 wrote to memory of 3852: System32.exe -> netsh.exe
  PID 4016 wrote to memory of 3852: System32.exe -> netsh.exe
Processes

C:\Users\Admin\AppData\Local\Temp\a592ea7e651bdf94a65cd471fcddb7daf1bdc2168164b2008543ebfff9c69f6c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a592ea7e651bdf94a65cd471fcddb7daf1bdc2168164b2008543ebfff9c69f6c.exe"
  PID: 4128
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\System32.exe
    Command line: "C:\Users\Admin\AppData\Roaming\System32.exe"
    PID: 4016
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\System32.exe" "System32.exe" ENABLE
      PID: 3852
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Roaming\System32.exe
  Filesize: 32KB
  MD5: 329fb77ef9c38388c146e32148cb29df
  SHA1: 0a6b14098dd89f97a27208b37cfb43197b8bc0a8
  SHA256: a592ea7e651bdf94a65cd471fcddb7daf1bdc2168164b2008543ebfff9c69f6c
  SHA512: 3f561e5f19848c41a3107eacd83445eed36012a5595d5fcebdb37425c3bf49dfc458ae3f999f9bf7da5706d267fec4b8be89681f155149a07f2d229a10926955
memory/3852-135-0x0000000000000000-mapping.dmp
memory/4016-131-0x0000000000000000-mapping.dmp
memory/4016-134-0x0000000074D50000-0x0000000075301000-memory.dmp
  Filesize: 5.7MB
memory/4128-130-0x0000000074D50000-0x0000000075301000-memory.dmp
  Filesize: 5.7MB