Analysis
- max time kernel: 154s
- max time network: 183s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 24-05-2022 18:25
Behavioral task: behavioral1
- Sample: 431cba1cfb123d9f7cd3d1bbf91a66ea1cc1f4d8a30f86d794ed75d1b521664d.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 431cba1cfb123d9f7cd3d1bbf91a66ea1cc1f4d8a30f86d794ed75d1b521664d.exe
- Resource: win10v2004-20220414-en
The signature hits, PIDs, process tree and memory dumps shown on this page come from the win10v2004 run (the platform and resource listed under Analysis above).
General
- Target: 431cba1cfb123d9f7cd3d1bbf91a66ea1cc1f4d8a30f86d794ed75d1b521664d.exe
- Size: 23KB
- MD5: 4ea1665eb888da8c049a453acc38b547
- SHA1: 211a4143dc0b7daa35c325b8c7d75a4bb21eca58
- SHA256: 431cba1cfb123d9f7cd3d1bbf91a66ea1cc1f4d8a30f86d794ed75d1b521664d
- SHA512: 59a137aaecc7cb74a1dec3969670c68bfde376c319b0df735eb13a8dca4b3999bbada2b9c867483ead4c3cb4f180f812b31b8053808b5ba829b1fc001d0ae9dc
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet / campaign id: YOUTUBE
- C2: fnhost1.ddns.net:1177
- 1bd172ac77b29bf1fd15d0de8a995ae1 (unlabeled field in the extracted config; the same id appears below as the Run value name and the Startup-folder filename, which is how njRAT uses its install id, also as its mutex name)
- reg_key: 1bd172ac77b29bf1fd15d0de8a995ae1
- splitter: |'|'|
Notes for triage: the C2 host is a dynamic-DNS name and 1177 is njRAT's default port, so the hostname and port together are a better network indicator than the resolved IP, which can change. The splitter is the field separator njRAT uses inside its C2 messages.
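The splitter above is only useful if you know how njRAT frames its traffic. The following is an added example, not code from the report or from njRAT itself: a Python parser for njRAT-style C2 frames that splits fields on the extracted `|'|'|` splitter and flags a check-in carrying the configured version. The framing (ASCII decimal length, a NUL byte, then the payload) and the field order of the registration message are assumptions taken from public njRAT write-ups, and the sample stream is constructed, not captured from this sample.

```python
"""Parse njRAT-style C2 frames and split fields on the configured splitter.
Added example; the framing and field layout are assumed from public njRAT
write-ups, and the sample traffic is constructed, not captured from this sample."""
from __future__ import annotations
from dataclasses import dataclass, field

SPLITTER = b"|'|'|"  # the splitter value from the extracted config


@dataclass
class Frame:
    command: str
    fields: list[str] = field(default_factory=list)


def build_frame(*parts: str, splitter: bytes = SPLITTER) -> bytes:
    """Encode one frame: ASCII decimal payload length, a NUL byte, then the payload
    with fields joined by the splitter (assumed framing)."""
    payload = splitter.join(p.encode("utf-8") for p in parts)
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_frames(stream: bytes, splitter: bytes = SPLITTER) -> tuple[list[Frame], bytes]:
    """Consume every complete frame from a TCP byte stream.

    Returns the parsed frames and the unconsumed tail, so a caller reading from a
    socket can keep appending bytes and call again. A non-numeric length prefix
    means the stream is not njRAT framing (or we lost sync) and is reported."""
    frames: list[Frame] = []
    pos = 0
    while True:
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break  # no complete length prefix yet
        length_bytes = stream[pos:nul]
        if not length_bytes.isdigit():
            raise ValueError(f"bad length prefix at offset {pos}: {length_bytes!r}")
        start = nul + 1
        end = start + int(length_bytes)
        if end > len(stream):
            break  # payload still in flight
        parts = [p.decode("utf-8", "replace") for p in stream[start:end].split(splitter)]
        frames.append(Frame(command=parts[0], fields=parts[1:]))
        pos = end
    return frames, stream[pos:]


def looks_like_njrat_checkin(frames: list[Frame], version: str = "0.7d") -> bool:
    """Detection heuristic: a registration ('ll') frame carrying the version string
    seen in the extracted config."""
    return any(f.command == "ll" and version in f.fields for f in frames)


# Constructed registration message shaped like an njRAT 0.7d check-in (field order
# illustrative), followed by a one-byte keepalive; both built with the assumed framing.
REGISTRATION = build_frame(
    "ll", "YOUTUBE_1bd172ac77b29bf1fd15d0de8a995ae1", "DESKTOP-TEST", "Admin",
    "22-05-24", "", "Win 10 Pro", "No", "0.7d", "..", "",
)
KEEPALIVE = build_frame("P")
SAMPLE_STREAM = REGISTRATION + KEEPALIVE

if __name__ == "__main__":
    frames, tail = parse_frames(SAMPLE_STREAM)
    for f in frames:
        print(f.command, f.fields)
    print("njRAT check-in:", looks_like_njrat_checkin(frames), "leftover bytes:", len(tail))
```

The parser keeps the unconsumed tail instead of discarding it, so it can sit on a reassembled TCP stream and pick frames off as they arrive; a length prefix that is not decimal digits is the signal that the connection is not speaking this protocol, or that decoding started mid-frame.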
Signatures
-
Executes dropped EXE (1 IoC)
Processes:
- chrome.exe (PID 1844)
-
Modifies Windows Firewall (1 TTP)
No IoC row is attached to this signature; the firewall change is the netsh command run by chrome.exe in the process tree below.
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check. Caveat: this value is also read by the Windows GetUserGeoID API during ordinary locale initialisation, so for a .NET binary like njRAT it is weak evidence on its own.
Processes:
- 431cba1cfb123d9f7cd3d1bbf91a66ea1cc1f4d8a30f86d794ed75d1b521664d.exe: Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
-
Drops startup file (2 IoCs)
Processes:
- chrome.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1bd172ac77b29bf1fd15d0de8a995ae1.exe
- chrome.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1bd172ac77b29bf1fd15d0de8a995ae1.exe
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- chrome.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1bd172ac77b29bf1fd15d0de8a995ae1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome.exe\" .."
- chrome.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1bd172ac77b29bf1fd15d0de8a995ae1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome.exe\" .."
Three persistence points are set with the same id: the HKCU Run value, the HKLM Run value (written under WOW6432Node because the process is 32-bit) and the Startup-folder copy. The HKLM write needs elevated rights; on a standard user only the HKCU entry and the Startup-folder file would land. The trailing " .." argument is the marker njRAT passes to its own relaunched copy.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Caveat: that last sentence is the sandbox's generic description for this signature. The sample is a RAT, not ransomware; nothing else on this page shows file encryption, and drive enumeration from njRAT is more consistent with removable-media handling.
-
Suspicious use of AdjustPrivilegeToken (27 IoCs)
Processes:
- chrome.exe (PID 1844): Token: SeDebugPrivilege, once
- chrome.exe (PID 1844): Token: 33 and Token: SeIncBasePriorityPrivilege, alternating, 13 times each
"Token: 33" is a privilege LUID the sandbox did not resolve to a name; in winnt.h, 33 is SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege). SeDebugPrivilege being enabled by a process named chrome.exe in %TEMP% is the notable entry.
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
- PID 3728 (431cba1cfb123d9f7cd3d1bbf91a66ea1cc1f4d8a30f86d794ed75d1b521664d.exe) wrote to memory of PID 1844 (chrome.exe), 3 times
- PID 1844 (chrome.exe) wrote to memory of PID 3284 (netsh.exe), 3 times
The same three writes appear for each parent/child pair in the process tree, which is consistent with ordinary process creation; this signature alone does not show code injection.
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\431cba1cfb123d9f7cd3d1bbf91a66ea1cc1f4d8a30f86d794ed75d1b521664d.exe (PID 3728)
   Command line: "C:\Users\Admin\AppData\Local\Temp\431cba1cfb123d9f7cd3d1bbf91a66ea1cc1f4d8a30f86d794ed75d1b521664d.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
-
   2. C:\Users\Admin\AppData\Local\Temp\chrome.exe (PID 1844), child of 1
      Command line: "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
-
      3. C:\Windows\SysWOW64\netsh.exe (PID 3284), child of 2
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\chrome.exe" "chrome.exe" ENABLE
The chain is the stock njRAT install sequence: the submitted file copies itself to %TEMP%\chrome.exe, relaunches the copy, and the copy adds its persistence entries and then whitelists itself in Windows Firewall through the legacy `netsh firewall` context (deprecated in favour of `netsh advfirewall` but still accepted on Windows 10). The SysWOW64 path confirms the sample is a 32-bit process on the x64 guest.
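A triage check over the persistence and firewall artifacts above, as an added example that is not the sandbox's own signature logic: it scores autorun entries the way a hunter working from a registry export would, using the two Run values from this report plus one constructed benign entry, and it pulls out the executable that the netsh command allowed through the firewall so the two findings can be correlated. The scoring threshold and the OneDrive control entry are assumptions.

```python
"""Score autorun entries and netsh command lines for njRAT-style persistence.
Added example for this report; the Run values and netsh command line are copied
from the report above, the OneDrive entry is a constructed benign control."""
from __future__ import annotations
import re
from dataclasses import dataclass

HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)
# njRAT drops its copy under the user profile: AppData\Local\Temp or AppData\Roaming
USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.I)
QUOTED_CMD = re.compile(r'^"([^"]+)"\s*(.*)$')
NETSH_ALLOW = re.compile(r'netsh\s+firewall\s+add\s+allowedprogram\s+"([^"]+)"', re.I)


@dataclass
class RunValue:
    key: str   # registry path of the Run key
    name: str  # value name
    data: str  # value data (the command line)


def score_run_value(v: RunValue) -> list[str]:
    """Return the reasons an autorun entry looks like njRAT; empty means clean."""
    reasons: list[str] = []
    if HEX32.match(v.name):
        reasons.append("value name is a 32-hex id (njRAT reuses its id as Run name, "
                       "startup filename and mutex)")
    m = QUOTED_CMD.match(v.data)
    exe, args = (m.group(1), m.group(2)) if m else (v.data, "")
    if USER_WRITABLE.search(exe):
        reasons.append("executable lives in a user-writable profile directory")
    if args.strip() == "..":
        reasons.append('trailing " .." argument, the marker njRAT passes to its own copy')
    if exe.lower().endswith("\\chrome.exe") and "\\google\\chrome\\" not in exe.lower():
        reasons.append("named chrome.exe but not under the Chrome install directory")
    return reasons


def netsh_allowed_program(cmdline: str) -> str | None:
    """Path that a legacy 'netsh firewall add allowedprogram' command whitelisted."""
    m = NETSH_ALLOW.search(cmdline)
    return m.group(1) if m else None


def hunt(run_values: list[RunValue], cmdlines: list[str], min_reasons: int = 2) -> list[str]:
    """Findings with at least `min_reasons` indicators, plus any firewall exception
    that points at an executable also registered for autorun."""
    findings: list[str] = []
    autorun_exes: set[str] = set()
    for v in run_values:
        reasons = score_run_value(v)
        m = QUOTED_CMD.match(v.data)
        autorun_exes.add((m.group(1) if m else v.data).lower())
        if len(reasons) >= min_reasons:
            findings.append(f"{v.key}\\{v.name}: " + "; ".join(reasons))
    for c in cmdlines:
        exe = netsh_allowed_program(c)
        if exe and exe.lower() in autorun_exes:
            findings.append(f"firewall exception for autorun executable {exe}")
    return findings


HKCU_RUN = r"\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HKLM_RUN = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_RUN_VALUES = [
    RunValue(HKCU_RUN, "1bd172ac77b29bf1fd15d0de8a995ae1",
             r'"C:\Users\Admin\AppData\Local\Temp\chrome.exe" ..'),
    RunValue(HKLM_RUN, "1bd172ac77b29bf1fd15d0de8a995ae1",
             r'"C:\Users\Admin\AppData\Local\Temp\chrome.exe" ..'),
    # constructed benign control, not from the report
    RunValue(HKCU_RUN, "OneDrive",
             r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]
SAMPLE_CMDLINES = [
    r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\chrome.exe" "chrome.exe" ENABLE',
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_RUN_VALUES, SAMPLE_CMDLINES):
        print(line)
```

Each indicator on its own is weak (plenty of legitimate software autoruns from AppData), which is why the scorer only reports entries with two or more and then cross-references the firewall exception against the autorun set: a program that both persists from %TEMP% and punches its own hole in the host firewall is the pattern worth paging on.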
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\chrome.exe
- Filesize: 23KB
- MD5: 4ea1665eb888da8c049a453acc38b547
- SHA1: 211a4143dc0b7daa35c325b8c7d75a4bb21eca58
- SHA256: 431cba1cfb123d9f7cd3d1bbf91a66ea1cc1f4d8a30f86d794ed75d1b521664d
- SHA512: 59a137aaecc7cb74a1dec3969670c68bfde376c319b0df735eb13a8dca4b3999bbada2b9c867483ead4c3cb4f180f812b31b8053808b5ba829b1fc001d0ae9dc
The dropped chrome.exe has exactly the hashes of the submitted sample: the first stage copies itself to %TEMP%\chrome.exe and relaunches from there, so a single file hash covers both the dropper and the persistent copy.
-
- memory/1844-131-0x0000000000000000-mapping.dmp
- memory/1844-134-0x00000000753F0000-0x00000000759A1000-memory.dmp (Filesize 5.7MB)
- memory/3284-135-0x0000000000000000-mapping.dmp
- memory/3728-130-0x00000000753F0000-0x00000000759A1000-memory.dmp (Filesize 5.7MB)