Analysis
- max time kernel: 149s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 01-07-2022 05:10

Behavioral task: behavioral1
Sample: df949161b20c6917699483f28fba2b545ab30ea5456275a3cce6cd19e921fd10.exe
Resource: win7-20220414-en
General
- Target: df949161b20c6917699483f28fba2b545ab30ea5456275a3cce6cd19e921fd10.exe
- Size: 29KB
- MD5: 977dbc36f17b3a6f4a0f4efb01391dd2
- SHA1: e6a49e5405d3e94825920b84ace9bcb4b7c53731
- SHA256: df949161b20c6917699483f28fba2b545ab30ea5456275a3cce6cd19e921fd10
- SHA512: 6e94acc93b633585207ed90a9d91256712cc677b67c85ad5bbbd6aa55b3832d246553f39022d50bdad024f95bce1b79bba3c4eb84111df2ef5103e4e760a1549
Malware Config
Extracted
- family: njrat
- version: 0.6.4
- HacKed
- yekihackers.ddns.net:2020
- ba4c12bee3027d94da5c81db2d196bfd
- reg_key: ba4c12bee3027d94da5c81db2d196bfd
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    svchost.exe (PID 4060)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes (description / IoC / process):
    Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
      by df949161b20c6917699483f28fba2b545ab30ea5456275a3cce6cd19e921fd10.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / PID / process / target process):
    PID 4648 wrote to memory of 4060: df949161b20c6917699483f28fba2b545ab30ea5456275a3cce6cd19e921fd10.exe -> svchost.exe
    PID 4648 wrote to memory of 4060: df949161b20c6917699483f28fba2b545ab30ea5456275a3cce6cd19e921fd10.exe -> svchost.exe
    PID 4648 wrote to memory of 4060: df949161b20c6917699483f28fba2b545ab30ea5456275a3cce6cd19e921fd10.exe -> svchost.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\df949161b20c6917699483f28fba2b545ab30ea5456275a3cce6cd19e921fd10.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\df949161b20c6917699483f28fba2b545ab30ea5456275a3cce6cd19e921fd10.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\svchost.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\svchost.exe (same hashes as the submitted sample)
  Filesize: 29KB
  MD5: 977dbc36f17b3a6f4a0f4efb01391dd2
  SHA1: e6a49e5405d3e94825920b84ace9bcb4b7c53731
  SHA256: df949161b20c6917699483f28fba2b545ab30ea5456275a3cce6cd19e921fd10
  SHA512: 6e94acc93b633585207ed90a9d91256712cc677b67c85ad5bbbd6aa55b3832d246553f39022d50bdad024f95bce1b79bba3c4eb84111df2ef5103e4e760a1549
- memory/4060-132-0x0000000000000000-mapping.dmp
- memory/4060-135-0x00000000747B0000-0x0000000074D61000-memory.dmp (Filesize: 5.7MB)
- memory/4648-130-0x00000000747B0000-0x0000000074D61000-memory.dmp (Filesize: 5.7MB)
- memory/4648-131-0x00000000747B0000-0x0000000074D61000-memory.dmp (Filesize: 5.7MB)
- memory/4648-136-0x00000000747B0000-0x0000000074D61000-memory.dmp (Filesize: 5.7MB)