Analysis
- Max time kernel: 153s
- Max time network: 189s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Submitted: 21-05-2022 12:10
Static task: static1
Behavioral task: behavioral1
- Sample: Purchase-Order.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Purchase-Order.exe
- Resource: win10v2004-20220414-en
General
- Target: Purchase-Order.exe
- Size: 313KB
- MD5: 98eef34a88d5e5764e73ef2f2fdbbe7c
- SHA1: 251153d80c187d77e718520067fa103f7ff06c7f
- SHA256: 84420e6ba6526a6a8ff940b6144497b346e1b0005a9ec7e686025219981d4658
- SHA512: 628e6c2a859f786300fe98ed8e136a7e49d5650b7c630893534f4f6eb6d62cd4ad44c011783cbdaacbf338245454bd815af1996c2a57976c1fcb057499623be9
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Mon$y
- C2: whmfix009.cf:5409
- 67c692a08f8c138aa1c442e78c2761bc
- reg_key: 67c692a08f8c138aa1c442e78c2761bc
- splitter: |'|'|
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - 1984 invoice.exe
  - 4932 invoice.exe
- Modifies Windows Firewall (1 TTP)
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  - Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | invoice.exe
  - Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | Purchase-Order.exe
  - Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | Purchase-Order.exe
- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
  - File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\67c692a08f8c138aa1c442e78c2761bc.exe | invoice.exe
  - File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\67c692a08f8c138aa1c442e78c2761bc.exe | invoice.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  - Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\67c692a08f8c138aa1c442e78c2761bc = "\"C:\\Users\\Admin\\AppData\\Roaming\\invoice.exe\" .." | invoice.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\67c692a08f8c138aa1c442e78c2761bc = "\"C:\\Users\\Admin\\AppData\\Roaming\\invoice.exe\" .." | invoice.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description, pid, process, target process):
  - PID 3396 set thread context of 316 | 3396 | Purchase-Order.exe | Purchase-Order.exe
  - PID 1984 set thread context of 4932 | 1984 | invoice.exe | invoice.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid, process):
  - 2500 schtasks.exe
  - 3960 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes (pid, process):
  - 3396 Purchase-Order.exe (4 entries)
  - 1984 invoice.exe (3 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege | 3396 | Purchase-Order.exe
  - Token: SeDebugPrivilege | 1984 | invoice.exe
  - Token: SeDebugPrivilege | 4932 | invoice.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes (description, pid, process, target process):
  - PID 3396 wrote to memory of 2500 | 3396 | Purchase-Order.exe | schtasks.exe (3 entries)
  - PID 3396 wrote to memory of 316 | 3396 | Purchase-Order.exe | Purchase-Order.exe (8 entries)
  - PID 316 wrote to memory of 1984 | 316 | Purchase-Order.exe | invoice.exe (3 entries)
  - PID 1984 wrote to memory of 3960 | 1984 | invoice.exe | schtasks.exe (3 entries)
  - PID 1984 wrote to memory of 4932 | 1984 | invoice.exe | invoice.exe (8 entries)
  - PID 4932 wrote to memory of 5084 | 4932 | invoice.exe | netsh.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Purchase-Order.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase-Order.exe"
  Signatures:
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fwWXBH" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFF30.tmp"
    Signatures:
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Purchase-Order.exe (depth 2)
    Command line: "{path}"
    Signatures:
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Users\Admin\AppData\Roaming\invoice.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\invoice.exe"
      Signatures:
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      Children:
      - C:\Windows\SysWOW64\schtasks.exe (depth 4)
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fwWXBH" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF3D1.tmp"
        Signatures:
        - Creates scheduled task(s)
      - C:\Users\Admin\AppData\Roaming\invoice.exe (depth 4)
        Command line: "{path}"
        Signatures:
        - Executes dropped EXE
        - Drops startup file
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        Children:
        - C:\Windows\SysWOW64\netsh.exe (depth 5)
          Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\invoice.exe" "invoice.exe" ENABLE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase-Order.exe.log
  Filesize: 1KB
  MD5: 8ec831f3e3a3f77e4a7b9cd32b48384c
  SHA1: d83f09fd87c5bd86e045873c231c14836e76a05c
  SHA256: 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
  SHA512: 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
- C:\Users\Admin\AppData\Local\Temp\tmpF3D1.tmp
  Filesize: 1KB
  MD5: 1180a2d1e88a44826dd85cef90cbbb05
  SHA1: 4d30bd740dbe5714d4aa8c4676b4299e48709f34
  SHA256: f69090a7d9301807ed285b3460e9e7ee50488ecb3438511a9bf67eecade89ad1
  SHA512: 4f4d1c9c537071af3692820b9956e7af096d454c0d34b595d5df301b542c2e58ab17817a6d697e28df5185d3ccd5fd87a54032177df3d462f8e8e8859539c85c
- C:\Users\Admin\AppData\Local\Temp\tmpFF30.tmp
  Filesize: 1KB
  MD5: 1180a2d1e88a44826dd85cef90cbbb05
  SHA1: 4d30bd740dbe5714d4aa8c4676b4299e48709f34
  SHA256: f69090a7d9301807ed285b3460e9e7ee50488ecb3438511a9bf67eecade89ad1
  SHA512: 4f4d1c9c537071af3692820b9956e7af096d454c0d34b595d5df301b542c2e58ab17817a6d697e28df5185d3ccd5fd87a54032177df3d462f8e8e8859539c85c
- C:\Users\Admin\AppData\Roaming\invoice.exe
  Filesize: 313KB
  MD5: 98eef34a88d5e5764e73ef2f2fdbbe7c
  SHA1: 251153d80c187d77e718520067fa103f7ff06c7f
  SHA256: 84420e6ba6526a6a8ff940b6144497b346e1b0005a9ec7e686025219981d4658
  SHA512: 628e6c2a859f786300fe98ed8e136a7e49d5650b7c630893534f4f6eb6d62cd4ad44c011783cbdaacbf338245454bd815af1996c2a57976c1fcb057499623be9
- memory/316-138-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB
- memory/316-137-0x0000000000000000-mapping.dmp
- memory/1984-140-0x0000000000000000-mapping.dmp
- memory/2500-135-0x0000000000000000-mapping.dmp
- memory/3396-130-0x00000000003F0000-0x0000000000444000-memory.dmp
  Filesize: 336KB
- memory/3396-134-0x00000000073A0000-0x000000000743C000-memory.dmp
  Filesize: 624KB
- memory/3396-133-0x0000000004E00000-0x0000000004E0A000-memory.dmp
  Filesize: 40KB
- memory/3396-132-0x0000000004E30000-0x0000000004EC2000-memory.dmp
  Filesize: 584KB
- memory/3396-131-0x00000000053E0000-0x0000000005984000-memory.dmp
  Filesize: 5.6MB
- memory/3960-143-0x0000000000000000-mapping.dmp
- memory/4932-145-0x0000000000000000-mapping.dmp
- memory/5084-148-0x0000000000000000-mapping.dmp