Analysis
- max time kernel: 156s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 30-06-2022 17:34
Static task: static1
Behavioral task: behavioral1
- Sample: bd6a7a95b6a622700a3b3227c5d501024635a23040a1a8c2d57bd297e40283de.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: bd6a7a95b6a622700a3b3227c5d501024635a23040a1a8c2d57bd297e40283de.exe
- Resource: win10v2004-20220414-en
General
- Target: bd6a7a95b6a622700a3b3227c5d501024635a23040a1a8c2d57bd297e40283de.exe
- Size: 330KB
- MD5: d9efea40f55230d9a7ef1abf4ec714f9
- SHA1: e85bae111eb20c2f2274f082a3db5130dd432c52
- SHA256: bd6a7a95b6a622700a3b3227c5d501024635a23040a1a8c2d57bd297e40283de
- SHA512: 78ec965786df90216ce25fc54af0f018147c853280d0e209a73fecf90924fc9d5f8a13f4ff76632d5a993fb47eac75f614708a84732df6e3101f3b8ac893b6b6
Malware Config
Extracted: njrat
- im523
- HacKed
- lusika.ddns.net:4546
- 7287e911ef603f275a9cc4b3d587d24a
- reg_key: 7287e911ef603f275a9cc4b3d587d24a
- splitter: |'|'|
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    2564  вирус.exe
    4864  System.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation  bd6a7a95b6a622700a3b3227c5d501024635a23040a1a8c2d57bd297e40283de.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation  вирус.exe
- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7287e911ef603f275a9cc4b3d587d24a.exe  System.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7287e911ef603f275a9cc4b3d587d24a.exe  System.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7287e911ef603f275a9cc4b3d587d24a = "\"C:\\Windows\\System.exe\" .."  System.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7287e911ef603f275a9cc4b3d587d24a = "\"C:\\Windows\\System.exe\" .."  System.exe
- Drops file in Windows directory (3 IoCs)
  Processes (description, ioc, process):
    File created  C:\Windows\System.exe  вирус.exe
    File opened for modification  C:\Windows\System.exe  вирус.exe
    File opened for modification  C:\Windows\System.exe  System.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process):
    4864  System.exe  (64 identical events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid, process):
    4864  System.exe
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  4864  System.exe
    Token: 33  4864  System.exe  (repeated, alternating with the next entry)
    Token: SeIncBasePriorityPrivilege  4864  System.exe  (repeated, alternating with the previous entry; 31 events in total)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
    PID 1544 wrote to memory of 2564  1544  bd6a7a95b6a622700a3b3227c5d501024635a23040a1a8c2d57bd297e40283de.exe  вирус.exe  (3 identical events)
    PID 2564 wrote to memory of 4864  2564  вирус.exe  System.exe  (3 identical events)
    PID 4864 wrote to memory of 1888  4864  System.exe  netsh.exe  (3 identical events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\bd6a7a95b6a622700a3b3227c5d501024635a23040a1a8c2d57bd297e40283de.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bd6a7a95b6a622700a3b3227c5d501024635a23040a1a8c2d57bd297e40283de.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\RarSFX0\вирус.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\вирус.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\System.exe
         Command line: "C:\Windows\System.exe"
         - Executes dropped EXE
         - Drops startup file
         - Adds Run key to start application
         - Drops file in Windows directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\netsh.exe
            Command line: netsh firewall add allowedprogram "C:\Windows\System.exe" "System.exe" ENABLE
            - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\вирус.exe
  Filesize: 37KB
  MD5: 541a6249755401d3510bef08503dd0dc
  SHA1: 9540e4d72caa2515c6e56f0b19aea2539c6d5a8d
  SHA256: 4a213969bb051ff03735b0edd253e959b36345166fb1de6f86d9c8f82fc2f7c3
  SHA512: a0f850da52199917b2f1e6d4c1001889adad06559fb926d13b7750de1ed3e6fb032a8a80eb47a5bb2aa420e5a85056b386bd72abd4df0e0353b0fabc5ebdc7f6
- C:\Windows\System.exe
  Filesize: 37KB
  MD5: 541a6249755401d3510bef08503dd0dc
  SHA1: 9540e4d72caa2515c6e56f0b19aea2539c6d5a8d
  SHA256: 4a213969bb051ff03735b0edd253e959b36345166fb1de6f86d9c8f82fc2f7c3
  SHA512: a0f850da52199917b2f1e6d4c1001889adad06559fb926d13b7750de1ed3e6fb032a8a80eb47a5bb2aa420e5a85056b386bd72abd4df0e0353b0fabc5ebdc7f6
- memory/1888-142-0x0000000000000000-mapping.dmp
- memory/2564-133-0x0000000000000000-mapping.dmp
- memory/2564-136-0x0000000072D40000-0x00000000732F1000-memory.dmp (Filesize: 5.7MB)
- memory/2564-140-0x0000000072D40000-0x00000000732F1000-memory.dmp (Filesize: 5.7MB)
- memory/4864-137-0x0000000000000000-mapping.dmp
- memory/4864-141-0x0000000072D40000-0x00000000732F1000-memory.dmp (Filesize: 5.7MB)
- memory/4864-143-0x0000000072D40000-0x00000000732F1000-memory.dmp (Filesize: 5.7MB)