015e7ab1853880b533bbaeaba38acbba3ba151cdbb9f433b48ccffc9132f0913

General

Target

015e7ab1853880b533bbaeaba38acbba3ba151cdbb9f433b48ccffc9132f0913.exe
Size

1.9MB
MD5

3d8e51c2357616f4869fdebb9a1089fd
SHA1

73389447d55532c9d241b7fbd61e212bcedd64fa
SHA256

015e7ab1853880b533bbaeaba38acbba3ba151cdbb9f433b48ccffc9132f0913
SHA512

f04768f4cfbe154d96a2d14b5737660eeb4925a47d7a9ba03ede69484e10363ae5829c38f4d7dbf47c47bd89f46c8dbb25e3e5904d6462e93a7e746e89038581

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

njRat Detector by FR34K.exeMicrosoft.Net_Framework_Servcies.exe

pid process

3108 njRat Detector by FR34K.exe
4068 Microsoft.Net_Framework_Servcies.exe

pid	process
3108	njRat Detector by FR34K.exe
4068	Microsoft.Net_Framework_Servcies.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

015e7ab1853880b533bbaeaba38acbba3ba151cdbb9f433b48ccffc9132f0913.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	015e7ab1853880b533bbaeaba38acbba3ba151cdbb9f433b48ccffc9132f0913.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Microsoft.Net_Framework_Servcies.exeRegSvcs.exe

description	pid	process	target process
PID 4068 set thread context of 4156	4068	Microsoft.Net_Framework_Servcies.exe	RegSvcs.exe
PID 4156 set thread context of 4424	4156	RegSvcs.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Microsoft.Net_Framework_Servcies.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 4068 Microsoft.Net_Framework_Servcies.exe
Token: SeDebugPrivilege 4156 RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	4068	Microsoft.Net_Framework_Servcies.exe
Token: SeDebugPrivilege	4156	RegSvcs.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

015e7ab1853880b533bbaeaba38acbba3ba151cdbb9f433b48ccffc9132f0913.exeMicrosoft.Net_Framework_Servcies.exeRegSvcs.exe

description	pid	process	target process
PID 3036 wrote to memory of 3108	3036	015e7ab1853880b533bbaeaba38acbba3ba151cdbb9f433b48ccffc9132f0913.exe	njRat Detector by FR34K.exe
PID 3036 wrote to memory of 3108	3036	015e7ab1853880b533bbaeaba38acbba3ba151cdbb9f433b48ccffc9132f0913.exe	njRat Detector by FR34K.exe
PID 3036 wrote to memory of 3108	3036	015e7ab1853880b533bbaeaba38acbba3ba151cdbb9f433b48ccffc9132f0913.exe	njRat Detector by FR34K.exe
PID 3036 wrote to memory of 4068	3036	015e7ab1853880b533bbaeaba38acbba3ba151cdbb9f433b48ccffc9132f0913.exe	Microsoft.Net_Framework_Servcies.exe
PID 3036 wrote to memory of 4068	3036	015e7ab1853880b533bbaeaba38acbba3ba151cdbb9f433b48ccffc9132f0913.exe	Microsoft.Net_Framework_Servcies.exe
PID 4068 wrote to memory of 4156	4068	Microsoft.Net_Framework_Servcies.exe	RegSvcs.exe
PID 4068 wrote to memory of 4156	4068	Microsoft.Net_Framework_Servcies.exe	RegSvcs.exe
PID 4068 wrote to memory of 4156	4068	Microsoft.Net_Framework_Servcies.exe	RegSvcs.exe
PID 4068 wrote to memory of 4156	4068	Microsoft.Net_Framework_Servcies.exe	RegSvcs.exe
PID 4068 wrote to memory of 4156	4068	Microsoft.Net_Framework_Servcies.exe	RegSvcs.exe
PID 4068 wrote to memory of 4156	4068	Microsoft.Net_Framework_Servcies.exe	RegSvcs.exe
PID 4068 wrote to memory of 4156	4068	Microsoft.Net_Framework_Servcies.exe	RegSvcs.exe
PID 4068 wrote to memory of 4156	4068	Microsoft.Net_Framework_Servcies.exe	RegSvcs.exe
PID 4156 wrote to memory of 4424	4156	RegSvcs.exe	RegSvcs.exe
PID 4156 wrote to memory of 4424	4156	RegSvcs.exe	RegSvcs.exe
PID 4156 wrote to memory of 4424	4156	RegSvcs.exe	RegSvcs.exe
PID 4156 wrote to memory of 4424	4156	RegSvcs.exe	RegSvcs.exe
PID 4156 wrote to memory of 4424	4156	RegSvcs.exe	RegSvcs.exe
PID 4156 wrote to memory of 4424	4156	RegSvcs.exe	RegSvcs.exe
PID 4156 wrote to memory of 4424	4156	RegSvcs.exe	RegSvcs.exe
PID 4156 wrote to memory of 4424	4156	RegSvcs.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\015e7ab1853880b533bbaeaba38acbba3ba151cdbb9f433b48ccffc9132f0913.exe
"C:\Users\Admin\AppData\Local\Temp\015e7ab1853880b533bbaeaba38acbba3ba151cdbb9f433b48ccffc9132f0913.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3036

C:\Users\Admin\AppData\Local\Temp\Microsoft.Net_Framework_Servcies.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft.Net_Framework_Servcies.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
PID:4424

C:\Windows\SysWOW64\Custimize Version.exe
"C:\Windows\system32\Custimize Version.exe"
4⤵
PID:3132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
5⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\njRat Detector by FR34K.exe
"C:\Users\Admin\AppData\Local\Temp\njRat Detector by FR34K.exe"
2⤵
- Executes dropped EXE
PID:3108

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
Filesize
142B

MD5
8c0458bb9ea02d50565175e38d577e35

SHA1
f0b50702cd6470f3c17d637908f83212fdbdb2f2

SHA256
c578e86db701b9afa3626e804cf434f9d32272ff59fb32fa9a51835e5a148b53

SHA512
804a47494d9a462ffa6f39759480700ecbe5a7f3a15ec3a6330176ed9c04695d2684bf6bf85ab86286d52e7b727436d0bb2e8da96e20d47740b5ce3f856b5d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft.Net_Framework_Servcies.exe
Filesize
603KB

MD5
f6b4e39148918a63d1e19e9d18ee8e4c

SHA1
e23a5409e1d5293044f65443f9291491dc18d2f9

SHA256
0f267418e475fd586fedda62df850e15cdbcda477a41c62ac3403e4364d4ea67

SHA512
dbf35fc8444ecb406501345d620b94f56aa60adeffe47bb564da1c29206b647fbdb0d39771351274ab51831da1bc0381bc25cf18f62210a68839f8ca9dc20c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft.Net_Framework_Servcies.exe
Filesize
603KB

MD5
f6b4e39148918a63d1e19e9d18ee8e4c

SHA1
e23a5409e1d5293044f65443f9291491dc18d2f9

SHA256
0f267418e475fd586fedda62df850e15cdbcda477a41c62ac3403e4364d4ea67

SHA512
dbf35fc8444ecb406501345d620b94f56aa60adeffe47bb564da1c29206b647fbdb0d39771351274ab51831da1bc0381bc25cf18f62210a68839f8ca9dc20c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\bClgZblRv.txt
Filesize
70B

MD5
ace36b6cf6dcc347541bac64d904ce97

SHA1
31c97f07799654e5849ae08405e215538b1ab4ba

SHA256
0e2d31ea39cf5519b1db121f56a9f083881323e697f851b7d3cc59eecd74b5d0

SHA512
58ac72166300701b0f579d0004dfb380859f981f935e4af598701407ffd08618d4e6d634e8de9845f52b5a6c395d34571cdf309632091c891cb4a30dd043f45c

Download Submit
C:\Users\Admin\AppData\Local\Temp\njRat Detector by FR34K.exe
Filesize
228KB

MD5
90c5f7ba0d0924b7dfce5d27e7ca09d5

SHA1
8d47e0db161b9bb22ede867e3a0a285a177b6d0c

SHA256
3bd300202947d4c7c54a776aa5cac45db5e635865c1d1e8e98c913376fe78b48

SHA512
de94c3f71d4f249d0921d2aca2812bca7bdb35114424079b72fdd4bf6ad79c994ecde86b0288bb8f50994399149dcdd6805b62e16a6c6e91c591fbf7aff4d7e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\njRat Detector by FR34K.exe
Filesize
362KB

MD5
8306d7465cff94ccd4165a04eedc3cc4

SHA1
0d9ebe09c78c709c31dfc655cd8855194473c9e2

SHA256
a0500490bb4acf09a4db8b9e07a991c21ecfc1b17110ab1921f4fe69dd3d421d

SHA512
36854dc81c9ec3b86cb8d8f0a6511354229596f4909b7995708d5b60e09e5c12480a2cc4feb2eeb2299aeb88f382c1c44f354e9a53811769f32789f0c769f7b4

Download Submit
C:\Windows\SysWOW64\Custimize Version.exe
Filesize
198KB

MD5
69c73f7328e8dcc01cbe3a5a95da01ee

SHA1
1a811a161e7775ff715372f1060e95a97e49fbd4

SHA256
ee17221761524956daa20201c754b58f31c9a604530bea4b4ecbbffe4c0d4dce

SHA512
8f05244c2407fad33abdbaeef3de7bf652c4c581ed08bb5a91c7c6f93c1b32a7f343c12d264c3d70e468e3e3b3d23030942bb1c0a87c760984bfa7d08f559186

Download Submit
C:\Windows\SysWOW64\Custimize Version.exe
Filesize
203KB

MD5
fa45d3c9d1434d3753466424fc83d2cf

SHA1
f4f8b4ababfcb5685bec127ae2b90902e3ea76f6

SHA256
ad1b8552fe4d773d59c31001d5358889adc5216e444346ff0feb3576fa0b9e03

SHA512
3e947aed61f619f27c98381c55001e6c9f011ed5cd66edb51424edf1440bf577cd09eeacbc2126ba72726595d86f2abf9d89fe8b0e56d2143d8e8bddc47e4b4a

Download Submit
memory/2008-157-0x0000000000497FA2-mapping.dmp

Download
memory/3036-130-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/3108-139-0x0000000005CD0000-0x0000000006274000-memory.dmp

Filesize
5.6MB

Download
memory/3108-140-0x00000000057C0000-0x0000000005852000-memory.dmp

Filesize
584KB

Download
memory/3108-142-0x0000000005740000-0x000000000574A000-memory.dmp

Filesize
40KB

Download
memory/3108-131-0x0000000000000000-mapping.dmp

Download
memory/3108-138-0x0000000000CE0000-0x0000000000DAE000-memory.dmp

Filesize
824KB

Download
memory/3132-155-0x00007FFE12770000-0x00007FFE13231000-memory.dmp

Filesize
10.8MB

Download
memory/3132-151-0x0000000000000000-mapping.dmp

Download
memory/4068-134-0x0000000000000000-mapping.dmp

Download
memory/4068-141-0x00007FFE12770000-0x00007FFE13231000-memory.dmp

Filesize
10.8MB

Download
memory/4068-137-0x000002C077490000-0x000002C07752C000-memory.dmp

Filesize
624KB

Download
memory/4156-143-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4156-146-0x0000000005560000-0x00000000055C6000-memory.dmp

Filesize
408KB

Download
memory/4156-145-0x0000000005320000-0x00000000053BC000-memory.dmp

Filesize
624KB

Download
memory/4156-144-0x0000000000497FA2-mapping.dmp

Download
memory/4424-150-0x0000000004E10000-0x0000000004E4C000-memory.dmp

Filesize
240KB

Download
memory/4424-148-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4424-147-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads