Analysis
  Max time kernel: 154s
  Max time network: 157s
  Platform: windows10-2004_x64
  Resource: win10v2004-20220414-en
  Submitted: 01-07-2022 04:06
Behavioral tasks
  behavioral1: sample b64f61ccdf4556f55023d9a9496dd3292483e572b73497c6ed133e1f386c1dd5.exe, resource win7-20220414-en
  behavioral2: sample b64f61ccdf4556f55023d9a9496dd3292483e572b73497c6ed133e1f386c1dd5.exe, resource win10v2004-20220414-en
  The results below are from the Windows 10 task (behavioral2), as the platform and resource fields above indicate.
General
  Target: b64f61ccdf4556f55023d9a9496dd3292483e572b73497c6ed133e1f386c1dd5.exe
  Size: 23KB
  MD5: 92ff44ccf70cce0f51bdef5df8f6af6f
  SHA1: cd8745d55b3319fa7f9d8f88341db3c1fd56888e
  SHA256: b64f61ccdf4556f55023d9a9496dd3292483e572b73497c6ed133e1f386c1dd5
  SHA512: 6aec74aaeb5b957cf42b707775c0dee758dd5f954369628a2e3ea43ff65c09f062828e5001bc142df908ff92d599c8fb8b1dd3bb4c526508369acb72bd33178d
Malware Config
  Extracted
  Family: njrat
  Version: 0.7d
  Campaign/victim name: HacKed (the njRAT builder's default string, so it says little about the operator)
  C2: 78.140.249.179:1604
  Mutex: fa511642451a8067208694573cee9422 (njRAT reuses this string as its registry key name; see reg_key)
  reg_key: fa511642451a8067208694573cee9422
  splitter: |'|'|
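The splitter is the field separator njRAT uses inside its C2 messages, which makes it a convenient anchor for network triage. The Python below is an added example, not part of the sandbox report: it frames and parses njRAT-style messages from a constructed byte stream. The framing (ASCII decimal length, a NUL byte, then the payload) is assumed from public descriptions of the family; the command tokens and field order in the sample stream are constructed for illustration and not asserted; the only values taken from this report are the splitter `|'|'|` and the campaign string HacKed.

```python
import base64

SPLITTER = b"|'|'|"  # field separator from the extracted config


def frame(payload: bytes) -> bytes:
    """Wrap a payload in njRAT-style framing: ASCII decimal length, NUL byte, payload."""
    return b"%d\x00%s" % (len(payload), payload)


def parse_frames(stream: bytes, max_len_digits: int = 8):
    """Split a reassembled TCP stream into complete frames.

    Returns (frames, leftover): each frame is the payload split on SPLITTER, and
    leftover is whatever trailing bytes do not yet form a complete frame. Parsing
    stops quietly at the first run of bytes that is not a valid length prefix, so
    unrelated traffic on the same port cannot crash the caller.
    """
    frames, pos = [], 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos, pos + max_len_digits + 1)
        if nul <= pos or not stream[pos:nul].isdigit():
            break  # not a length prefix: stop here rather than guess
        length = int(stream[pos:nul])
        body = nul + 1
        if body + length > len(stream):
            break  # incomplete frame: keep the bytes and wait for more data
        # bytes.split, not re.split: every '|' in the splitter is a regex
        # alternation operator, so the unescaped pattern would match the empty
        # string and shred the payload.
        frames.append(stream[body:body + length].split(SPLITTER))
        pos = body + length
    return frames, stream[pos:]


def looks_like_njrat(stream: bytes) -> bool:
    """Triage check: at least one well-framed message whose payload uses the splitter."""
    frames, _ = parse_frames(stream)
    return any(len(fields) > 1 for fields in frames)


# Constructed sample traffic (not captured from this sample). The command tokens
# and field order are illustrative only; the campaign string is the one extracted above.
CAMPAIGN_FIELD = base64.b64encode(b"HacKed_1A2B3C4D")
BEACON = SPLITTER.join([b"ll", CAMPAIGN_FIELD, b"DESKTOP-TEST", b"Admin", b"Win 10 Pro", b"0.7d"])
SAMPLE_STREAM = frame(BEACON) + frame(b"inf") + b"42\x00partial"

if __name__ == "__main__":
    parsed, leftover = parse_frames(SAMPLE_STREAM)
    for fields in parsed:
        print([f.decode(errors="replace") for f in fields])
    print("leftover:", leftover)
```

If you turn the splitter into a Suricata or Snort content match, remember that `|` delimits hex bytes in that rule syntax, so the splitter has to be written as `content:"|7c 27 7c 27 7c|"`, not pasted literally.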
Signatures

Executes dropped EXE (1 IoC)
  Process: server.exe (PID 1388)

Modifies Windows Firewall (1 TTP, 1 IoC)
  server.exe launches netsh.exe to add itself to the firewall's allowed programs; the command line is in the process tree below. The "netsh firewall" context is deprecated in favour of "netsh advfirewall" but still executes on Windows 10.

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Process: b64f61ccdf4556f55023d9a9496dd3292483e572b73497c6ed133e1f386c1dd5.exe (PID 4580)
  Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation

Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: server.exe (PID 1388)
  Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fa511642451a8067208694573cee9422 = "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fa511642451a8067208694573cee9422 = "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
  The value name is the reg_key from the extracted config. The machine-wide entry lands under WOW6432Node because a 32-bit process writing HKLM\SOFTWARE is redirected there; check both the redirected and native Run keys when hunting.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The generic signature text calls this likely ransomware behaviour; for a sample identified as njRAT it fits the family's removable-drive spreading feature better, and nothing else in this report points to file encryption.

Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Process: server.exe (PID 1388)
  Token: SeDebugPrivilege, once, followed by 16 alternating pairs of Token: 33 and Token: SeIncBasePriorityPrivilege.
  "33" is an unresolved privilege LUID; in winnt.h SE_INC_WORKING_SET_PRIVILEGE is 33, i.e. SeIncreaseWorkingSetPrivilege. Of these, the SeDebugPrivilege request is the one worth alerting on.

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4580 (b64f61ccdf4556f55023d9a9496dd3292483e572b73497c6ed133e1f386c1dd5.exe) wrote to memory of PID 1388 (server.exe): 3 times
  PID 1388 (server.exe) wrote to memory of PID 3332 (netsh.exe): 3 times
  Both are a parent writing into a child it has just started; no write into an unrelated process was recorded.
Processes

1. C:\Users\Admin\AppData\Local\Temp\b64f61ccdf4556f55023d9a9496dd3292483e572b73497c6ed133e1f386c1dd5.exe (PID 4580)
   Command line: "C:\Users\Admin\AppData\Local\Temp\b64f61ccdf4556f55023d9a9496dd3292483e572b73497c6ed133e1f386c1dd5.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\server.exe (PID 1388)
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe (PID 3332)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 23KB
  MD5: 92ff44ccf70cce0f51bdef5df8f6af6f
  SHA1: cd8745d55b3319fa7f9d8f88341db3c1fd56888e
  SHA256: b64f61ccdf4556f55023d9a9496dd3292483e572b73497c6ed133e1f386c1dd5
  SHA512: 6aec74aaeb5b957cf42b707775c0dee758dd5f954369628a2e3ea43ff65c09f062828e5001bc142df908ff92d599c8fb8b1dd3bb4c526508369acb72bd33178d
  The report lists this file once per behavioral task; the two entries are identical. All four hashes match the submitted sample, so server.exe is a byte-for-byte copy of the dropper written to %TEMP%, and the sample's own hashes cover both stages.
Memory dumps
  memory/1388-131-0x0000000000000000-mapping.dmp
  memory/1388-135-0x0000000074690000-0x0000000074C41000-memory.dmp (5.7MB)
  memory/1388-137-0x0000000074690000-0x0000000074C41000-memory.dmp (5.7MB)
  memory/3332-136-0x0000000000000000-mapping.dmp
  memory/4580-130-0x0000000074690000-0x0000000074C41000-memory.dmp (5.7MB)
  memory/4580-134-0x0000000074690000-0x0000000074C41000-memory.dmp (5.7MB)
  The 5.7MB region sits at the same base (0x74690000) in both PID 4580 and PID 1388, which run the same binary; that is consistent with a shared module loaded by both rather than an injected or unpacked region.