Analysis
  max time kernel: 152s
  max time network: 159s
  platform: windows10-2004_x64
  resource: win10v2004-20220414-en
  submitted: 21-05-2022 10:56
Behavioral task behavioral1
  Sample: b2d8f78612e7a3ec0f5aacaafa031904368b19899eeac158ed93a00bbdc243cb.exe
  Resource: win7-20220414-en
Behavioral task behavioral2
  Sample: b2d8f78612e7a3ec0f5aacaafa031904368b19899eeac158ed93a00bbdc243cb.exe
  Resource: win10v2004-20220414-en
General
  Target: b2d8f78612e7a3ec0f5aacaafa031904368b19899eeac158ed93a00bbdc243cb.exe
  Size: 23KB
  MD5: 62613fd09b9acaba8a27dd636fbfcd86
  SHA1: 1c3a7ef93cea4d7d3829f2f35ffb5ba60f64266a
  SHA256: b2d8f78612e7a3ec0f5aacaafa031904368b19899eeac158ed93a00bbdc243cb
  SHA512: 23a21797c1a6a108373fb96006679e394a32e5a0e91062abe8127bbf69827415c341056455537d0a334ef7849e972a0130b300a11bffa8f79a1ad226dc69d8f5
Malware Config
  Extracted
    Family: njrat
    Version: 0.7d
    Got em
    C2: drontchanging-24954.portmap.io:24954
    0f4e54c4009d96e7c18f12042dfb80d6
    reg_key: 0f4e54c4009d96e7c18f12042dfb80d6
    splitter: |'|'|
Signatures
  Executes dropped EXE (1 IoCs)
    Processes:
      pid 2428  windows.exe
  Modifies Windows Firewall (1 TTPs)
  Checks computer location settings (2 TTPs, 1 IoCs)
    Looks up country code configured in the registry, likely geofence.
    Processes:
      Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation  (b2d8f78612e7a3ec0f5aacaafa031904368b19899eeac158ed93a00bbdc243cb.exe)
  Drops startup file (2 IoCs)
    Processes:
      File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0f4e54c4009d96e7c18f12042dfb80d6.exe  (windows.exe)
      File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0f4e54c4009d96e7c18f12042dfb80d6.exe  (windows.exe)
  Adds Run key to start application (2 TTPs, 2 IoCs)
    Processes:
      Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0f4e54c4009d96e7c18f12042dfb80d6 = "\"C:\\Users\\Admin\\AppData\\Roaming\\windows.exe\" .."  (windows.exe)
      Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0f4e54c4009d96e7c18f12042dfb80d6 = "\"C:\\Users\\Admin\\AppData\\Roaming\\windows.exe\" .."  (windows.exe)
  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Suspicious use of AdjustPrivilegeToken (31 IoCs)
    Processes (all entries pid 2428, windows.exe):
      Token: SeDebugPrivilege
      Token: 33 followed by Token: SeIncBasePriorityPrivilege, alternating, 15 times each (30 entries)
  Suspicious use of WriteProcessMemory (6 IoCs)
    Processes:
      PID 2332 wrote to memory of 2428  (b2d8f78612e7a3ec0f5aacaafa031904368b19899eeac158ed93a00bbdc243cb.exe -> windows.exe), 3 entries
      PID 2428 wrote to memory of 1500  (windows.exe -> netsh.exe), 3 entries
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\b2d8f78612e7a3ec0f5aacaafa031904368b19899eeac158ed93a00bbdc243cb.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\b2d8f78612e7a3ec0f5aacaafa031904368b19899eeac158ed93a00bbdc243cb.exe"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Roaming\windows.exe
        Command line: "C:\Users\Admin\AppData\Roaming\windows.exe"
        - Executes dropped EXE
        - Drops startup file
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [3] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\windows.exe" "windows.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  C:\Users\Admin\AppData\Roaming\windows.exe
    Filesize: 23KB
    MD5: 62613fd09b9acaba8a27dd636fbfcd86
    SHA1: 1c3a7ef93cea4d7d3829f2f35ffb5ba60f64266a
    SHA256: b2d8f78612e7a3ec0f5aacaafa031904368b19899eeac158ed93a00bbdc243cb
    SHA512: 23a21797c1a6a108373fb96006679e394a32e5a0e91062abe8127bbf69827415c341056455537d0a334ef7849e972a0130b300a11bffa8f79a1ad226dc69d8f5
  memory/1500-135-0x0000000000000000-mapping.dmp
  memory/2332-130-0x00000000747B0000-0x0000000074D61000-memory.dmp
    Filesize: 5.7MB
  memory/2428-131-0x0000000000000000-mapping.dmp
  memory/2428-134-0x00000000747B0000-0x0000000074D61000-memory.dmp
    Filesize: 5.7MB