Analysis
- max time kernel: 171s
- max time network: 187s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 12:12

Static task: static1
Behavioral task: behavioral1
  Sample: NEW_PURCHASE_ORDER_.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: NEW_PURCHASE_ORDER_.exe
  Resource: win10v2004-20220414-en
General
- Target: NEW_PURCHASE_ORDER_.exe
- Size: 282KB
- MD5: 94cd3aef83f29bb2dd6d8fe40d751603
- SHA1: eb3439a00509d5e8ba99f97323cf2617d97b3106
- SHA256: 0fa2721f9583ee945d3909290c0ead73dcf4e3cb5739a6f4423f3da6899fd602
- SHA512: fc78829979bd284924cc752dafd47a9dd6813e59b76c9620bd18eb3fb179db66aa87584600d38e15d0637ba52f8fbd8618b2de836251ae9d0e5b0d5c61b9c0db
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet / campaign ID: Mon$y
- C2: whmfix009.cf:5409
- Mutex: 67c692a08f8c138aa1c442e78c2761bc (field label inferred from the extractor's usual layout; the same value is reused as the reg_key, as the Run value name and as the Startup-folder file name in the signatures below)
- reg_key: 67c692a08f8c138aa1c442e78c2761bc
- splitter: |'|'|
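The splitter is what njRAT uses to delimit fields inside each C2 message, which makes it the most useful network-side handle in this config. As an added example (not code from the sandbox report or from the malware), the following Python decoder splits a TCP byte stream into njRAT-style frames and fields. It assumes, which the page does not state, that each message is framed as an ASCII decimal length, a NUL byte and then the payload; the frames it builds are constructed test data, and nothing here contacts the C2 host.

```python
"""Frame decoder for njRAT-style C2 traffic, keyed on the splitter in the
extracted config. Added example, not code from the sandbox report or from
the malware. Assumptions not stated on the page: njRAT frames each message
as the payload length in ASCII decimal, a NUL byte, then the payload, and
separates fields inside the payload with the splitter. Frames built below
are constructed test data, not captured traffic."""
from dataclasses import dataclass
from typing import List, Tuple

SPLITTER = b"|'|'|"                          # from the extracted config
C2_HOST, C2_PORT = "whmfix009.cf", 5409      # from the extracted config (never contacted here)
MAX_PREFIX_DIGITS = 9                        # a garbage stream must not be able to ask for gigabytes


@dataclass
class Frame:
    command: str          # first field, e.g. "ll" (assumed: the client's registration command)
    fields: List[bytes]   # remaining fields, left as raw bytes


def build_frame(command: str, *fields: bytes) -> bytes:
    """Encode one frame the way the decoder expects (for tests and for a lab C2 emulator)."""
    payload = SPLITTER.join([command.encode("latin-1"), *fields])
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_frames(buf: bytes) -> Tuple[List[Frame], bytes]:
    """Split a TCP byte stream into complete frames.

    Returns (frames, remainder). The remainder is the tail of a frame whose
    length prefix promised more bytes than have arrived, so the caller can
    prepend it to the next recv(). A prefix that is not a short decimal
    number means the stream is not framed this way; that raises ValueError
    rather than silently skipping data.
    """
    frames: List[Frame] = []
    pos = 0
    while pos < len(buf):
        nul = buf.find(b"\x00", pos)
        if nul == -1:
            break                                   # the prefix itself is incomplete
        prefix = buf[pos:nul]
        if not prefix.isdigit() or len(prefix) > MAX_PREFIX_DIGITS:
            raise ValueError(f"bad length prefix at offset {pos}: {prefix!r}")
        length = int(prefix)
        start = nul + 1
        if start + length > len(buf):
            break                                   # payload incomplete, wait for more data
        parts = buf[start:start + length].split(SPLITTER)
        frames.append(Frame(parts[0].decode("latin-1"), parts[1:]))
        pos = start + length
    return frames, buf[pos:]


def looks_like_njrat(buf: bytes) -> bool:
    """Cheap triage check for a captured stream: at least one well-formed
    frame whose payload actually carries the splitter."""
    try:
        frames, _ = parse_frames(buf)
    except ValueError:
        return False
    return any(f.fields for f in frames)


if __name__ == "__main__":
    # Constructed registration frame; the field order is illustrative, not the real client's.
    stream = build_frame("ll", b"Mon$y_ABCDEF0123", b"DESKTOP-TEST", b"Admin")
    stream += build_frame("inf")                    # second frame with no fields
    frames, rest = parse_frames(stream[:20])        # first read ends mid-frame
    frames2, rest2 = parse_frames(rest + stream[20:])
    for f in frames + frames2:
        print(f.command, f.fields)
```

Feeding the remainder back in on the next read is the part that matters when replaying a pcap: njRAT sends large screenshots and file listings that span many segments, and a decoder that assumes one frame per packet will desynchronise on the first one.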
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    PID   Process
    208   invoice.exe
    1068  invoice.exe
- Modifies Windows Firewall (1 TTPs; the netsh.exe command at depth 5 of the process tree)
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up the country code configured in the registry, a common geofence check.
  Processes:
    Description        IOC                                                                                                   Process
    Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation  NEW_PURCHASE_ORDER_.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation  NEW_PURCHASE_ORDER_.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation  invoice.exe
- Drops startup file (2 IoCs)
  Processes:
    Description                   IOC                                                                                                              Process
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\67c692a08f8c138aa1c442e78c2761bc.exe  invoice.exe
    File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\67c692a08f8c138aa1c442e78c2761bc.exe  invoice.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    Description      IOC                                                                                                                                                                                                Process
    Set value (str)  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\67c692a08f8c138aa1c442e78c2761bc = "\"C:\\Users\\Admin\\AppData\\Roaming\\invoice.exe\" .."  invoice.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\67c692a08f8c138aa1c442e78c2761bc = "\"C:\\Users\\Admin\\AppData\\Roaming\\invoice.exe\" .."                          invoice.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
    Source PID  Source process           Target PID  Target process
    1808        NEW_PURCHASE_ORDER_.exe  2024        NEW_PURCHASE_ORDER_.exe
    208         invoice.exe              1068        invoice.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "Likely ransomware behaviour"; the extracted config identifies this sample as njRAT, for which drive enumeration is routine RAT functionality, so this signature on its own is not evidence of ransomware.
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
    PID   Process
    4716  schtasks.exe
    3208  schtasks.exe
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes:
    PID   Process                  Occurrences
    1808  NEW_PURCHASE_ORDER_.exe  4
    208   invoice.exe              3
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes:
    Token                       PID   Process
    SeDebugPrivilege            1808  NEW_PURCHASE_ORDER_.exe
    SeDebugPrivilege            208   invoice.exe
    SeDebugPrivilege            1068  invoice.exe
    33                          1068  invoice.exe
    SeIncBasePriorityPrivilege  1068  invoice.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes (identical rows collapsed, with the number of calls per pair):
    Source PID  Source process           Target PID  Target process           Calls
    1808        NEW_PURCHASE_ORDER_.exe  4716        schtasks.exe             3
    1808        NEW_PURCHASE_ORDER_.exe  2024        NEW_PURCHASE_ORDER_.exe  8
    2024        NEW_PURCHASE_ORDER_.exe  208         invoice.exe              3
    208         invoice.exe              3208        schtasks.exe             3
    208         invoice.exe              1068        invoice.exe              8
    1068        invoice.exe              3924        netsh.exe                3
Processes
[1] C:\Users\Admin\AppData\Local\Temp\NEW_PURCHASE_ORDER_.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\NEW_PURCHASE_ORDER_.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PVXpBGEUT" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDC46.tmp"
        - Creates scheduled task(s)
    [2] C:\Users\Admin\AppData\Local\Temp\NEW_PURCHASE_ORDER_.exe
        Command line: "{path}"
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Roaming\invoice.exe
            Command line: "C:\Users\Admin\AppData\Roaming\invoice.exe"
            - Executes dropped EXE
            - Checks computer location settings
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\schtasks.exe
                Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PVXpBGEUT" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE9FD.tmp"
                - Creates scheduled task(s)
            [4] C:\Users\Admin\AppData\Roaming\invoice.exe
                Command line: "{path}"
                - Executes dropped EXE
                - Drops startup file
                - Adds Run key to start application
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\netsh.exe
                    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\invoice.exe" "invoice.exe" ENABLE

Read top to bottom, the tree is one loader pattern executed twice. The submitted binary registers a scheduled task from an XML file staged in %TEMP%, starts a second copy of itself with the literal command line "{path}", and rewrites that copy (SetThreadContext plus WriteProcessMemory); the rewritten copy drops invoice.exe, a byte-identical copy of the sample, to %APPDATA%. invoice.exe repeats the same task-and-hollowing sequence, and it is the hollowed invoice.exe (PID 1068) that does the persistence work: the HKCU and HKLM\WOW6432Node Run values, the Startup-folder copy named after the reg_key, and the netsh firewall exception for itself.
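Every step in that chain leaves a host artefact that a log pipeline can match without any sample-specific hash. As an added example (not code from the sandbox report or its vendor), the Python below expresses those indicators as rules over constructed process, file and registry events and scores them per host. The event dicts are hand-written from the report's IOCs; field names loosely follow Sysmon's, but the event-kind labels, the registry-query event (the sandbox's API monitor records reads, Sysmon does not), the weights and the alert threshold are all my assumptions.

```python
"""Host-side detection for the persistence chain in this report, run over
constructed events. Added example, not code from the sandbox report. Event
kinds, weights and threshold are assumptions; field names loosely follow
Sysmon (Image, CommandLine, ParentImage, TargetObject, Details, TargetFilename)."""
import re
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, str]
Hit = Tuple[str, str, int]              # (process image, rule description, weight)

USER_PROFILE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
STARTUP_EXE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
XML_IN_TEMP = re.compile(r'/XML\s+"?[^"]*\\AppData\\Local\\Temp\\', re.IGNORECASE)


def _image_is(ev: Event, name: str) -> bool:
    return ev.get("Image", "").lower().endswith("\\" + name)


def r_schtasks_xml_from_temp(ev: Event) -> Optional[Hit]:
    cl = ev.get("CommandLine", "")
    if ev["EventType"] == "ProcessCreate" and _image_is(ev, "schtasks.exe") \
            and "/create" in cl.lower() and XML_IN_TEMP.search(cl):
        return (ev["Image"], "schtasks /Create with task XML staged in %TEMP%", 3)
    return None


def r_self_relaunch_path_placeholder(ev: Event) -> Optional[Hit]:
    # The loader starts a copy of its own image with the literal command line "{path}"
    # and then overwrites it (SetThreadContext / WriteProcessMemory in the report).
    if ev["EventType"] == "ProcessCreate" and ev.get("CommandLine", "").strip() == '"{path}"' \
            and ev.get("ParentImage", "").lower() == ev.get("Image", "").lower():
        return (ev["Image"], 'process re-launches its own image with command line "{path}"', 5)
    return None


def r_run_key_into_profile(ev: Event) -> Optional[Hit]:
    if ev["EventType"] == "RegistrySet" and RUN_KEY.search(ev.get("TargetObject", "")) \
            and USER_PROFILE.search(ev.get("Details", "")):
        return (ev["Image"], "Run value pointing into the user profile", 4)
    return None


def r_startup_folder_exe(ev: Event) -> Optional[Hit]:
    if ev["EventType"] == "FileCreate" and STARTUP_EXE.search(ev.get("TargetFilename", "")):
        return (ev["Image"], "executable written to the Startup folder", 4)
    return None


def r_netsh_allow_profile_binary(ev: Event) -> Optional[Hit]:
    cl = ev.get("CommandLine", "")
    if ev["EventType"] == "ProcessCreate" and _image_is(ev, "netsh.exe") \
            and "allowedprogram" in cl.lower() and USER_PROFILE.search(cl):
        return (ev["Image"], "firewall exception added for a binary in the user profile", 4)
    return None


def r_geo_probe(ev: Event) -> Optional[Hit]:
    # Weak on its own: plenty of legitimate software reads this value.
    if ev["EventType"] == "RegistryQuery" and GEO_NATION.search(ev.get("TargetObject", "")):
        return (ev["Image"], "reads the configured country (possible geofence)", 1)
    return None


RULES: List[Callable[[Event], Optional[Hit]]] = [
    r_schtasks_xml_from_temp, r_self_relaunch_path_placeholder, r_run_key_into_profile,
    r_startup_folder_exe, r_netsh_allow_profile_binary, r_geo_probe,
]


def evaluate(events: List[Event], threshold: int = 8) -> Dict[str, object]:
    """Score one host's events; alert once the weighted hits reach the threshold."""
    hits: List[Hit] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append(hit)
    score = sum(w for _, _, w in hits)
    return {"score": score, "alert": score >= threshold, "hits": hits}


LOADER = r"C:\Users\Admin\AppData\Local\Temp\NEW_PURCHASE_ORDER_.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\invoice.exe"
HKU = r"\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000"

SAMPLE_EVENTS: List[Event] = [   # constructed from the report's process tree and IOCs
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\SysWOW64\schtasks.exe", "ParentImage": LOADER,
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PVXpBGEUT" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDC46.tmp"'},
    {"EventType": "ProcessCreate", "Image": LOADER, "ParentImage": LOADER, "CommandLine": '"{path}"'},
    {"EventType": "RegistryQuery", "Image": DROPPED, "TargetObject": HKU + r"\Control Panel\International\Geo\Nation"},
    {"EventType": "FileCreate", "Image": DROPPED,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\67c692a08f8c138aa1c442e78c2761bc.exe"},
    {"EventType": "RegistrySet", "Image": DROPPED,
     "TargetObject": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\67c692a08f8c138aa1c442e78c2761bc",
     "Details": r'"C:\Users\Admin\AppData\Roaming\invoice.exe" ..'},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\SysWOW64\netsh.exe", "ParentImage": DROPPED,
     "CommandLine": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\invoice.exe" "invoice.exe" ENABLE'},
]

BENIGN_EVENTS: List[Event] = [   # constructed admin activity that must not fire
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"'},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\netsh.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="Teams" dir=in action=allow program="C:\Program Files\Teams\Teams.exe"'},
    {"EventType": "RegistrySet", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive", "Details": r'"C:\Program Files\OneDrive\OneDrive.exe"'},
]

if __name__ == "__main__":
    for label, batch in (("sample", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        print(label, evaluate(batch))
```

The weights are deliberately uneven: a scheduled task created from an XML in %TEMP% and a country lookup each have benign explanations, whereas a process spawning its own image with the command line "{path}" is the crypter's signature and carries the alert on its own once one more artefact appears. Scoring per host rather than per event is what turns these six low-to-medium findings into one high-confidence one.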
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NEW_PURCHASE_ORDER_.exe.log (usage log written by the 32-bit .NET 4 runtime, i.e. the sample is a managed assembly)
  Filesize: 1KB
  MD5: 8ec831f3e3a3f77e4a7b9cd32b48384c
  SHA1: d83f09fd87c5bd86e045873c231c14836e76a05c
  SHA256: 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
  SHA512: 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
- C:\Users\Admin\AppData\Local\Temp\tmpDC46.tmp (scheduled-task XML passed to schtasks.exe)
  Filesize: 1KB
  MD5: ef62084e7c7752319cf9a8aad8906515
  SHA1: 141041d80a8aa7d75b837943555b6041f4a68f08
  SHA256: aa658bed6241de39908551f1b196ef44dc6f77678efdb12f44cc5697688cb02a
  SHA512: 02e86466ca804aff948a23b8db70bda475966f65fa96235e47bf746937405e577840f28a0155e2bd039172a127ad331365ec6ee368a0b633bb84206c21b3a747
- C:\Users\Admin\AppData\Local\Temp\tmpE9FD.tmp (byte-identical to tmpDC46.tmp)
  Filesize: 1KB
  MD5: ef62084e7c7752319cf9a8aad8906515
  SHA1: 141041d80a8aa7d75b837943555b6041f4a68f08
  SHA256: aa658bed6241de39908551f1b196ef44dc6f77678efdb12f44cc5697688cb02a
  SHA512: 02e86466ca804aff948a23b8db70bda475966f65fa96235e47bf746937405e577840f28a0155e2bd039172a127ad331365ec6ee368a0b633bb84206c21b3a747
- C:\Users\Admin\AppData\Roaming\invoice.exe (reported three times with identical hashes; byte-identical to the submitted NEW_PURCHASE_ORDER_.exe)
  Filesize: 282KB
  MD5: 94cd3aef83f29bb2dd6d8fe40d751603
  SHA1: eb3439a00509d5e8ba99f97323cf2617d97b3106
  SHA256: 0fa2721f9583ee945d3909290c0ead73dcf4e3cb5739a6f4423f3da6899fd602
  SHA512: fc78829979bd284924cc752dafd47a9dd6813e59b76c9620bd18eb3fb179db66aa87584600d38e15d0637ba52f8fbd8618b2de836251ae9d0e5b0d5c61b9c0db

Memory dumps
- memory/208-140-0x0000000000000000-mapping.dmp
- memory/1068-145-0x0000000000000000-mapping.dmp
- memory/1808-134-0x0000000008310000-0x00000000083AC000-memory.dmp (Filesize: 624KB)
- memory/1808-130-0x0000000000070000-0x00000000000BC000-memory.dmp (Filesize: 304KB)
- memory/1808-133-0x0000000004A50000-0x0000000004A5A000-memory.dmp (Filesize: 40KB)
- memory/1808-132-0x0000000004AD0000-0x0000000004B62000-memory.dmp (Filesize: 584KB)
- memory/1808-131-0x0000000005080000-0x0000000005624000-memory.dmp (Filesize: 5.6MB)
- memory/2024-138-0x0000000000400000-0x000000000040C000-memory.dmp (Filesize: 48KB)
- memory/2024-137-0x0000000000000000-mapping.dmp
- memory/3208-143-0x0000000000000000-mapping.dmp
- memory/3924-148-0x0000000000000000-mapping.dmp
- memory/4716-135-0x0000000000000000-mapping.dmp