Analysis
-
max time kernel
25s
-
max time network
89s
-
platform
windows10-2004_x64
-
resource
win10v2004-20220414-en
-
submitted
23-05-2022 20:09
Static task
static1
Behavioral task
behavioral1
Sample
015e7ab1853880b533bbaeaba38acbba3ba151cdbb9f433b48ccffc9132f0913.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
015e7ab1853880b533bbaeaba38acbba3ba151cdbb9f433b48ccffc9132f0913.exe
Resource
win10v2004-20220414-en
General
-
Target
015e7ab1853880b533bbaeaba38acbba3ba151cdbb9f433b48ccffc9132f0913.exe
-
Size
1.9MB
-
MD5
3d8e51c2357616f4869fdebb9a1089fd
-
SHA1
73389447d55532c9d241b7fbd61e212bcedd64fa
-
SHA256
015e7ab1853880b533bbaeaba38acbba3ba151cdbb9f433b48ccffc9132f0913
-
SHA512
f04768f4cfbe154d96a2d14b5737660eeb4925a47d7a9ba03ede69484e10363ae5829c38f4d7dbf47c47bd89f46c8dbb25e3e5904d6462e93a7e746e89038581
Malware Config
Signatures
-
Executes dropped EXE (2 IoCs)
Processes:
PID | Process
3108 | njRat Detector by FR34K.exe
4068 | Microsoft.Net_Framework_Servcies.exe
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
Description | IoC | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | 015e7ab1853880b533bbaeaba38acbba3ba151cdbb9f433b48ccffc9132f0913.exe
-
Suspicious use of SetThreadContext (2 IoCs)
Processes:
Description | PID | Process | Target process
PID 4068 set thread context of 4156 | 4068 | Microsoft.Net_Framework_Servcies.exe | RegSvcs.exe
PID 4156 set thread context of 4424 | 4156 | RegSvcs.exe | RegSvcs.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
Description | PID | Process
Token: SeDebugPrivilege | 4068 | Microsoft.Net_Framework_Servcies.exe
Token: SeDebugPrivilege | 4156 | RegSvcs.exe
-
Suspicious use of WriteProcessMemory (21 IoCs)
Processes:
Description | PID | Process | Target process | Occurrences
PID 3036 wrote to memory of 3108 | 3036 | 015e7ab1853880b533bbaeaba38acbba3ba151cdbb9f433b48ccffc9132f0913.exe | njRat Detector by FR34K.exe | 3
PID 3036 wrote to memory of 4068 | 3036 | 015e7ab1853880b533bbaeaba38acbba3ba151cdbb9f433b48ccffc9132f0913.exe | Microsoft.Net_Framework_Servcies.exe | 2
PID 4068 wrote to memory of 4156 | 4068 | Microsoft.Net_Framework_Servcies.exe | RegSvcs.exe | 8
PID 4156 wrote to memory of 4424 | 4156 | RegSvcs.exe | RegSvcs.exe | 8
Processes
-
C:\Users\Admin\AppData\Local\Temp\015e7ab1853880b533bbaeaba38acbba3ba151cdbb9f433b48ccffc9132f0913.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\015e7ab1853880b533bbaeaba38acbba3ba151cdbb9f433b48ccffc9132f0913.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\Microsoft.Net_Framework_Servcies.exe (depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Microsoft.Net_Framework_Servcies.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 3)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
-
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 4)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
-
      C:\Windows\SysWOW64\Custimize Version.exe (depth 4)
      Command line: "C:\Windows\system32\Custimize Version.exe"
-
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 5)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
-
  C:\Users\Admin\AppData\Local\Temp\njRat Detector by FR34K.exe (depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\njRat Detector by FR34K.exe"
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
Filesize
142B
MD5
8c0458bb9ea02d50565175e38d577e35
SHA1
f0b50702cd6470f3c17d637908f83212fdbdb2f2
SHA256
c578e86db701b9afa3626e804cf434f9d32272ff59fb32fa9a51835e5a148b53
SHA512
804a47494d9a462ffa6f39759480700ecbe5a7f3a15ec3a6330176ed9c04695d2684bf6bf85ab86286d52e7b727436d0bb2e8da96e20d47740b5ce3f856b5d0f
-
C:\Users\Admin\AppData\Local\Temp\Microsoft.Net_Framework_Servcies.exe
Filesize
603KB
MD5
f6b4e39148918a63d1e19e9d18ee8e4c
SHA1
e23a5409e1d5293044f65443f9291491dc18d2f9
SHA256
0f267418e475fd586fedda62df850e15cdbcda477a41c62ac3403e4364d4ea67
SHA512
dbf35fc8444ecb406501345d620b94f56aa60adeffe47bb564da1c29206b647fbdb0d39771351274ab51831da1bc0381bc25cf18f62210a68839f8ca9dc20c44
-
C:\Users\Admin\AppData\Local\Temp\Microsoft.Net_Framework_Servcies.exe
Filesize
603KB
MD5
f6b4e39148918a63d1e19e9d18ee8e4c
SHA1
e23a5409e1d5293044f65443f9291491dc18d2f9
SHA256
0f267418e475fd586fedda62df850e15cdbcda477a41c62ac3403e4364d4ea67
SHA512
dbf35fc8444ecb406501345d620b94f56aa60adeffe47bb564da1c29206b647fbdb0d39771351274ab51831da1bc0381bc25cf18f62210a68839f8ca9dc20c44
-
C:\Users\Admin\AppData\Local\Temp\bClgZblRv.txt
Filesize
70B
MD5
ace36b6cf6dcc347541bac64d904ce97
SHA1
31c97f07799654e5849ae08405e215538b1ab4ba
SHA256
0e2d31ea39cf5519b1db121f56a9f083881323e697f851b7d3cc59eecd74b5d0
SHA512
58ac72166300701b0f579d0004dfb380859f981f935e4af598701407ffd08618d4e6d634e8de9845f52b5a6c395d34571cdf309632091c891cb4a30dd043f45c
-
C:\Users\Admin\AppData\Local\Temp\njRat Detector by FR34K.exe
Filesize
228KB
MD5
90c5f7ba0d0924b7dfce5d27e7ca09d5
SHA1
8d47e0db161b9bb22ede867e3a0a285a177b6d0c
SHA256
3bd300202947d4c7c54a776aa5cac45db5e635865c1d1e8e98c913376fe78b48
SHA512
de94c3f71d4f249d0921d2aca2812bca7bdb35114424079b72fdd4bf6ad79c994ecde86b0288bb8f50994399149dcdd6805b62e16a6c6e91c591fbf7aff4d7e6
-
C:\Users\Admin\AppData\Local\Temp\njRat Detector by FR34K.exe
Filesize
362KB
MD5
8306d7465cff94ccd4165a04eedc3cc4
SHA1
0d9ebe09c78c709c31dfc655cd8855194473c9e2
SHA256
a0500490bb4acf09a4db8b9e07a991c21ecfc1b17110ab1921f4fe69dd3d421d
SHA512
36854dc81c9ec3b86cb8d8f0a6511354229596f4909b7995708d5b60e09e5c12480a2cc4feb2eeb2299aeb88f382c1c44f354e9a53811769f32789f0c769f7b4
-
C:\Windows\SysWOW64\Custimize Version.exe
Filesize
198KB
MD5
69c73f7328e8dcc01cbe3a5a95da01ee
SHA1
1a811a161e7775ff715372f1060e95a97e49fbd4
SHA256
ee17221761524956daa20201c754b58f31c9a604530bea4b4ecbbffe4c0d4dce
SHA512
8f05244c2407fad33abdbaeef3de7bf652c4c581ed08bb5a91c7c6f93c1b32a7f343c12d264c3d70e468e3e3b3d23030942bb1c0a87c760984bfa7d08f559186
-
C:\Windows\SysWOW64\Custimize Version.exe
Filesize
203KB
MD5
fa45d3c9d1434d3753466424fc83d2cf
SHA1
f4f8b4ababfcb5685bec127ae2b90902e3ea76f6
SHA256
ad1b8552fe4d773d59c31001d5358889adc5216e444346ff0feb3576fa0b9e03
SHA512
3e947aed61f619f27c98381c55001e6c9f011ed5cd66edb51424edf1440bf577cd09eeacbc2126ba72726595d86f2abf9d89fe8b0e56d2143d8e8bddc47e4b4a
-
memory/2008-157-0x0000000000497FA2-mapping.dmp
-
memory/3036-130-0x0000000074D80000-0x0000000075331000-memory.dmp
Filesize
5.7MB
-
memory/3108-139-0x0000000005CD0000-0x0000000006274000-memory.dmp
Filesize
5.6MB
-
memory/3108-140-0x00000000057C0000-0x0000000005852000-memory.dmp
Filesize
584KB
-
memory/3108-142-0x0000000005740000-0x000000000574A000-memory.dmp
Filesize
40KB
-
memory/3108-131-0x0000000000000000-mapping.dmp
-
memory/3108-138-0x0000000000CE0000-0x0000000000DAE000-memory.dmp
Filesize
824KB
-
memory/3132-155-0x00007FFE12770000-0x00007FFE13231000-memory.dmp
Filesize
10.8MB
-
memory/3132-151-0x0000000000000000-mapping.dmp
-
memory/4068-134-0x0000000000000000-mapping.dmp
-
memory/4068-141-0x00007FFE12770000-0x00007FFE13231000-memory.dmp
Filesize
10.8MB
-
memory/4068-137-0x000002C077490000-0x000002C07752C000-memory.dmp
Filesize
624KB
-
memory/4156-143-0x0000000000400000-0x000000000049C000-memory.dmp
Filesize
624KB
-
memory/4156-146-0x0000000005560000-0x00000000055C6000-memory.dmp
Filesize
408KB
-
memory/4156-145-0x0000000005320000-0x00000000053BC000-memory.dmp
Filesize
624KB
-
memory/4156-144-0x0000000000497FA2-mapping.dmp
-
memory/4424-150-0x0000000004E10000-0x0000000004E4C000-memory.dmp
Filesize
240KB
-
memory/4424-148-0x0000000000400000-0x000000000040E000-memory.dmp
Filesize
56KB
-
memory/4424-147-0x0000000000000000-mapping.dmp