Analysis
- max time kernel: 152s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 01-07-2022 04:03
Behavioral task behavioral1
- Sample: 12db2daa8cb68fce8c7ac779d317c6f803477bbefcced7ac9cb779bf674cb0e0.exe
- Resource: win7-20220414-en
Behavioral task behavioral2
- Sample: 12db2daa8cb68fce8c7ac779d317c6f803477bbefcced7ac9cb779bf674cb0e0.exe
- Resource: win10v2004-20220414-en
General
- Target: 12db2daa8cb68fce8c7ac779d317c6f803477bbefcced7ac9cb779bf674cb0e0.exe
- Size: 23KB
- MD5: c3937e4173da9306dc07e161ae067436
- SHA1: cbfe2e5dcf01bdeca85d4b15bc258c97411f1c66
- SHA256: 12db2daa8cb68fce8c7ac779d317c6f803477bbefcced7ac9cb779bf674cb0e0
- SHA512: 5fb4e8cbd7f6e3383368833531f60ebb05d59c5f746cc52012c50820332db28019a55f622db48087428a79fc8fe706c7297af14f6c239af0c25bd665dc1dc0ba
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: fsky2.hopto.org:5552
- Mutex: 2cc58bd89a2903b40440fbd58d12d95c
- reg_key: 2cc58bd89a2903b40440fbd58d12d95c
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes: explorer.exe (PID 4460)
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes: 12db2daa8cb68fce8c7ac779d317c6f803477bbefcced7ac9cb779bf674cb0e0.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: explorer.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2cc58bd89a2903b40440fbd58d12d95c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe\" .."
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\2cc58bd89a2903b40440fbd58d12d95c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe\" .."
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (29 IoCs)
  Processes: explorer.exe (PID 4460)
  Token: SeDebugPrivilege (1 event)
  Token: 33 (14 events)
  Token: SeIncBasePriorityPrivilege (14 events)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 12db2daa8cb68fce8c7ac779d317c6f803477bbefcced7ac9cb779bf674cb0e0.exe, explorer.exe
  PID 4416 (12db2daa8cb68fce8c7ac779d317c6f803477bbefcced7ac9cb779bf674cb0e0.exe) wrote to memory of PID 4460 (explorer.exe): 3 events
  PID 4460 (explorer.exe) wrote to memory of PID 1192 (netsh.exe): 3 events
Processes
- C:\Users\Admin\AppData\Local\Temp\12db2daa8cb68fce8c7ac779d317c6f803477bbefcced7ac9cb779bf674cb0e0.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\12db2daa8cb68fce8c7ac779d317c6f803477bbefcced7ac9cb779bf674cb0e0.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\explorer.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (level 3)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\explorer.exe" "explorer.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\explorer.exe (same hashes as the submitted sample)
  Filesize: 23KB
  MD5: c3937e4173da9306dc07e161ae067436
  SHA1: cbfe2e5dcf01bdeca85d4b15bc258c97411f1c66
  SHA256: 12db2daa8cb68fce8c7ac779d317c6f803477bbefcced7ac9cb779bf674cb0e0
  SHA512: 5fb4e8cbd7f6e3383368833531f60ebb05d59c5f746cc52012c50820332db28019a55f622db48087428a79fc8fe706c7297af14f6c239af0c25bd665dc1dc0ba
- memory/1192-136-0x0000000000000000-mapping.dmp
- memory/4416-130-0x00000000747F0000-0x0000000074DA1000-memory.dmp (Filesize: 5.7MB)
- memory/4416-134-0x00000000747F0000-0x0000000074DA1000-memory.dmp (Filesize: 5.7MB)
- memory/4460-131-0x0000000000000000-mapping.dmp
- memory/4460-135-0x00000000747F0000-0x0000000074DA1000-memory.dmp (Filesize: 5.7MB)
- memory/4460-137-0x00000000747F0000-0x0000000074DA1000-memory.dmp (Filesize: 5.7MB)