Analysis
- max time kernel: 187s
- max time network: 183s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 01-07-2022 03:08
Behavioral task: behavioral1
- Sample: a2dc89b1aa5e3b6ff023b87a45756f50c667d94e44fff760ddea39a2c07a100d.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: a2dc89b1aa5e3b6ff023b87a45756f50c667d94e44fff760ddea39a2c07a100d.exe
- Resource: win10v2004-20220414-en
General
- Target: a2dc89b1aa5e3b6ff023b87a45756f50c667d94e44fff760ddea39a2c07a100d.exe
- Size: 29KB
- MD5: c2c057d9645af7f64e9d11672840828e
- SHA1: bec40dc3a800848327a19aa43414d97cf03b1dd3
- SHA256: a2dc89b1aa5e3b6ff023b87a45756f50c667d94e44fff760ddea39a2c07a100d
- SHA512: eb1878882d67b0534df70f56808ce728b00c674f10e95b2dae9975dc455129e74084e6824c125eb800e8ecaed7b6a755df6a4242e89db1b8a08118d173884b71
Malware Config
Extracted:
- njrat 0.6.4
- HacKed
- 127.0.0.1:9090
- 5cd8f17f4086744065eb0992a09e05a2
- reg_key: 5cd8f17f4086744065eb0992a09e05a2
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    4232  Trojan.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  a2dc89b1aa5e3b6ff023b87a45756f50c667d94e44fff760ddea39a2c07a100d.exe
- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe  Trojan.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe  Trojan.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."  Trojan.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."  Trojan.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (42 IoCs)
  Processes (pid, process):
    4232  Trojan.exe  (this row is repeated 42 times in the report)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  4232  Trojan.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 5108 wrote to memory of 4232  5108  a2dc89b1aa5e3b6ff023b87a45756f50c667d94e44fff760ddea39a2c07a100d.exe  Trojan.exe
    PID 5108 wrote to memory of 4232  5108  a2dc89b1aa5e3b6ff023b87a45756f50c667d94e44fff760ddea39a2c07a100d.exe  Trojan.exe
    PID 5108 wrote to memory of 4232  5108  a2dc89b1aa5e3b6ff023b87a45756f50c667d94e44fff760ddea39a2c07a100d.exe  Trojan.exe
    PID 4232 wrote to memory of 4208  4232  Trojan.exe  netsh.exe
    PID 4232 wrote to memory of 4208  4232  Trojan.exe  netsh.exe
    PID 4232 wrote to memory of 4208  4232  Trojan.exe  netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a2dc89b1aa5e3b6ff023b87a45756f50c667d94e44fff760ddea39a2c07a100d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a2dc89b1aa5e3b6ff023b87a45756f50c667d94e44fff760ddea39a2c07a100d.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Trojan.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Trojan.exe
  Filesize: 29KB
  MD5: c2c057d9645af7f64e9d11672840828e
  SHA1: bec40dc3a800848327a19aa43414d97cf03b1dd3
  SHA256: a2dc89b1aa5e3b6ff023b87a45756f50c667d94e44fff760ddea39a2c07a100d
  SHA512: eb1878882d67b0534df70f56808ce728b00c674f10e95b2dae9975dc455129e74084e6824c125eb800e8ecaed7b6a755df6a4242e89db1b8a08118d173884b71
- memory/4208-135-0x0000000000000000-mapping.dmp
- memory/4232-131-0x0000000000000000-mapping.dmp
- memory/4232-136-0x0000000075320000-0x00000000758D1000-memory.dmp
  Filesize: 5.7MB
- memory/4232-137-0x0000000075320000-0x00000000758D1000-memory.dmp
  Filesize: 5.7MB
- memory/5108-130-0x0000000075320000-0x00000000758D1000-memory.dmp
  Filesize: 5.7MB
- memory/5108-134-0x0000000075320000-0x00000000758D1000-memory.dmp
  Filesize: 5.7MB