Analysis

- max time kernel: 152s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 01-07-2022 05:40
Behavioral tasks

- behavioral1: sample 793d4047f9cb06853188abd91e4e889ab897b989abba1e9a040b0a767eb90802.exe, resource win7-20220414-en
- behavioral2: sample 793d4047f9cb06853188abd91e4e889ab897b989abba1e9a040b0a767eb90802.exe, resource win10v2004-20220414-en

The signatures and process tree below are from the Windows 10 run (behavioral2, matching the platform and resource listed under Analysis).
General

- Target: 793d4047f9cb06853188abd91e4e889ab897b989abba1e9a040b0a767eb90802.exe
- Size: 23KB
- MD5: 11f42d8a2e06a965a4ffc575dfda012f
- SHA1: 8e372df6a2d2171403349c72d5b4eac100baac06
- SHA256: 793d4047f9cb06853188abd91e4e889ab897b989abba1e9a040b0a767eb90802
- SHA512: 3b9001f44cb2f840f3d22888010a66a0ff2737a36b4574f5af6ab58466bca9ac63ef2820ed0d4ba18de5d7ef204b3ca2e6365f5803f758d1de2cec38f863cb5a
Malware Config

Extracted

- Family: njrat
- Version: 0.7d
- Botnet (campaign ID): Roblox
- C2: sallystark.ddns.net:1177
- Mutex: 4f4dac90c60c5d2b42eb7531f6b1885e
- reg_key: 4f4dac90c60c5d2b42eb7531f6b1885e
- splitter: |'|'|

The mutex and reg_key are the same value; njRAT reuses this one config string as the mutex name, the Run value name and the startup-folder file name, which is why it appears again in the persistence IoCs below. The C2 is a dynamic-DNS host (ddns.net), so the resolved IP at detonation time is not a stable indicator; the hostname, port 1177 (njRAT's default) and the splitter string are. The splitter is also what the client and server use to delimit fields on the wire, so it is the most useful of these values for network detection.
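The extracted splitter and version are enough to parse njRAT 0.7d traffic off a capture: each message is sent as a decimal length, a NUL byte, and then the body, and the body is a command word followed by splitter-delimited fields. The example below is added here for illustration and is not code from the sandbox or from njRAT; only the splitter, the version string and the botnet name come from the config above. The beacon contents (hostname, user, a made-up HWID) are constructed, and the real registration message carries more fields than shown.

```python
"""Parse njRAT 0.7d TCP framing using the splitter from the extracted config.

Added example for this report, not sandbox or njRAT code. Only the splitter,
version and botnet name are taken from the config; the beacon is constructed.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

SPLITTER = "|'|'|"          # "splitter" value from the extracted config


@dataclass
class NjMessage:
    command: str                                  # e.g. "ll" (client registration) or "inf"
    fields: List[str] = field(default_factory=list)


def frame(payload: bytes) -> bytes:
    """njRAT 0.7d sends each message as '<decimal length>\\x00<payload>'."""
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_stream(buf: bytes, splitter: str = SPLITTER) -> Tuple[List[NjMessage], bytes]:
    """Cut a TCP stream into complete messages; return them plus the unconsumed tail.

    Raises ValueError if the bytes before the first NUL are not a decimal length,
    which is the cheapest way to reject a stream that is not njRAT-framed.
    """
    messages: List[NjMessage] = []
    pos = 0
    while pos < len(buf):
        nul = buf.find(b"\x00", pos)
        if nul == -1:
            break                                   # no complete header yet
        header = buf[pos:nul]
        if not header.isdigit():
            raise ValueError(f"bad length header at offset {pos}: {header!r}")
        length = int(header)
        start = nul + 1
        if start + length > len(buf):
            break                                   # body not fully received; keep it buffered
        body = buf[start:start + length].decode("utf-8", errors="replace")
        parts = body.split(splitter)
        messages.append(NjMessage(parts[0], parts[1:]))
        pos = start + length
    return messages, buf[pos:]


def looks_like_njrat(buf: bytes, splitter: str = SPLITTER) -> bool:
    """Stream heuristic: length/NUL framing plus at least one splitter-delimited message."""
    try:
        messages, _ = parse_stream(buf, splitter)
    except ValueError:
        return False
    return any(m.fields for m in messages)


# Constructed registration beacon. The victim ID is "<botnet>_<hwid>" with a
# made-up HWID; the real "ll" message carries more fields (OS, webcam flag,
# active window title) than the subset used here.
BEACON = SPLITTER.join(["ll", "Roblox_7A3F1C2E", "DESKTOP-TEST", "Admin", "0.7d"]).encode()
SAMPLE_STREAM = (
    frame(BEACON)
    + frame(b"inf")                      # short server-side command, no fields
    + b"12\x00ll|'|'|par"                # third message cut off mid-body
)

if __name__ == "__main__":
    msgs, rest = parse_stream(SAMPLE_STREAM)
    for m in msgs:
        print(m.command, m.fields)
    print("buffered:", rest)
    print("njRAT-like:", looks_like_njrat(SAMPLE_STREAM))
```

Because the splitter is a config value rather than a protocol constant, a detection keyed on the literal `|'|'|` will miss builds whose operator changed it; the length/NUL framing is the more stable feature, and the parser above only needs the splitter passed in when the fields themselves matter.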
Signatures

- Executes dropped EXE (1 IoC)
  Process: WindowsLogo.exe (PID 4872)

- Modifies Windows Firewall (1 TTP, 1 IoC)
  WindowsLogo.exe spawns netsh.exe to add itself as an allowed program (full command line in the process tree below). `netsh firewall` is the legacy, pre-Vista syntax; on Windows 10 it still succeeds, with a deprecation notice, and the effect is an inbound allow rule for the program. On a suspect host the rule can be listed with `netsh advfirewall firewall show rule name=all` and searched for the program path.

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Process: 793d4047f9cb06853188abd91e4e889ab897b989abba1e9a040b0a767eb90802.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation

- Drops startup file (2 IoCs)
  Process: WindowsLogo.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4f4dac90c60c5d2b42eb7531f6b1885e.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4f4dac90c60c5d2b42eb7531f6b1885e.exe
  The file name is the reg_key value from the extracted config.

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: WindowsLogo.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4f4dac90c60c5d2b42eb7531f6b1885e = "\"C:\\Users\\Admin\\WindowsLogo.exe\" .."
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4f4dac90c60c5d2b42eb7531f6b1885e = "\"C:\\Users\\Admin\\WindowsLogo.exe\" .."
  Both the per-user and the machine-wide (WOW6432Node, because the process is 32-bit) Run keys are written with the same value name, again the reg_key. The machine-wide write only succeeds if the user is an administrator, as the sandbox user is.

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature suggests ransomware, but no file encryption is recorded anywhere in this report; njRAT builds include a removable-drive spreading option, which is the more usual reason for this family to enumerate drives.

- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Process: WindowsLogo.exe (PID 4872)
  Enables SeDebugPrivilege once, then alternates Token: 33 and SeIncBasePriorityPrivilege sixteen times each.

- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2112 (793d4047f9cb06853188abd91e4e889ab897b989abba1e9a040b0a767eb90802.exe) wrote to memory of PID 4872 (WindowsLogo.exe), three times.
  PID 4872 (WindowsLogo.exe) wrote to memory of PID 4972 (netsh.exe), three times.
  In both cases the writer is the parent and the target is a child it has just started; that is also what an ordinary CreateProcess looks like to this monitor, so on its own this is weak evidence of injection.
Processes

1. C:\Users\Admin\AppData\Local\Temp\793d4047f9cb06853188abd91e4e889ab897b989abba1e9a040b0a767eb90802.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\793d4047f9cb06853188abd91e4e889ab897b989abba1e9a040b0a767eb90802.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\WindowsLogo.exe (child of 1)
      Command line: "C:\Users\Admin\WindowsLogo.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe (child of 2)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\WindowsLogo.exe" "WindowsLogo.exe" ENABLE
         - Modifies Windows Firewall

The chain is the stock njRAT install routine: the submitted file copies itself to the user profile under a benign-looking name, runs the copy, and the copy sets up persistence and the firewall exception before checking in to the C2. netsh.exe is loaded from SysWOW64 because the parent is a 32-bit process.
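The persistence signatures and the netsh command above are individually noisy (installers write Run keys, admins add firewall rules), but their combination under one process, with the same config value used as Run value name and startup file name, is characteristic of njRAT. The example below is added here and is not code from the sandbox; it correlates the three behaviours over process, registry and file events. The event records are constructed from the IoCs in this report in a Sysmon-like shape, and the field names (`type`, `image`, `target`, `details`, `command_line`) are this example's own, not Sysmon's.

```python
"""Correlate the njRAT persistence chain from this report over host events.

Added example, not sandbox code. Events are constructed from the report's IoCs
in a Sysmon-like shape; the field names are this example's own.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\793d4047f9cb06853188abd91e4e889ab897b989abba1e9a040b0a767eb90802.exe"
DROPPED = r"C:\Users\Admin\WindowsLogo.exe"
SID = "S-1-5-21-3751123196-3323558407-1869646069-1000"
REG_KEY = "4f4dac90c60c5d2b42eb7531f6b1885e"

# Legacy "netsh firewall" and current "netsh advfirewall" ways of adding an allow rule.
NETSH_FW_RE = re.compile(
    r"netsh(\.exe)?\s+(firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)", re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\([^\\]+)\.exe$", re.I)
USER_PROFILE_RE = re.compile(r'"?[A-Z]:\\Users\\[^\\]+\\', re.I)   # executable under a user profile

EVENTS: List[dict] = [
    {"type": "process_create", "image": DROPPED, "pid": 4872,
     "parent_image": SAMPLE, "parent_pid": 2112, "command_line": '"' + DROPPED + '"'},
    {"type": "file_create", "image": DROPPED, "pid": 4872,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" + "\\" + REG_KEY + ".exe"},
    {"type": "registry_set", "image": DROPPED, "pid": 4872,
     "target": r"HKU" + "\\" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" + "\\" + REG_KEY,
     "details": '"' + DROPPED + '" ..'},
    {"type": "registry_set", "image": DROPPED, "pid": 4872,
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" + "\\" + REG_KEY,
     "details": '"' + DROPPED + '" ..'},
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\netsh.exe", "pid": 4972,
     "parent_image": DROPPED, "parent_pid": 4872,
     "command_line": 'netsh firewall add allowedprogram "' + DROPPED + '" "WindowsLogo.exe" ENABLE'},
    # Constructed benign noise: a vendor updater registering itself from Program Files.
    {"type": "registry_set", "image": r"C:\Program Files\Vendor\Updater.exe", "pid": 1200,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r'"C:\Program Files\Vendor\Updater.exe" /background'},
]


def classify(event: dict) -> Optional[Tuple[str, Optional[str]]]:
    """Map one event to (indicator, key_name), or None if it is not interesting."""
    kind = event.get("type")
    if kind == "process_create":
        if NETSH_FW_RE.search(event.get("command_line", "")):
            return ("firewall_exception", None)
    elif kind == "registry_set":
        m = RUN_KEY_RE.search(event.get("target", ""))
        # Only Run values that point at an executable under a user profile.
        if m and USER_PROFILE_RE.match(event.get("details", "")):
            return ("run_key", m.group(1))
    elif kind == "file_create":
        m = STARTUP_RE.search(event.get("target", ""))
        if m:
            return ("startup_file", m.group(1))
    return None


def correlate(events: List[dict]) -> Dict[Tuple[str, int], dict]:
    """Group indicators by the process responsible. A netsh child is attributed
    to its parent, since the parent is the process that wants the firewall hole."""
    by_proc: Dict[Tuple[str, int], dict] = defaultdict(lambda: {"indicators": set(), "keys": set()})
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        indicator, key = hit
        if ev["type"] == "process_create":
            owner = (ev["parent_image"], ev["parent_pid"])
        else:
            owner = (ev["image"], ev["pid"])
        by_proc[owner]["indicators"].add(indicator)
        if key:
            by_proc[owner]["keys"].add(key.lower())
    return dict(by_proc)


def njrat_like(events: List[dict], min_indicators: int = 2) -> List[dict]:
    """Processes combining at least `min_indicators` of the three behaviours.
    reg_key is reported only when every Run value name and startup file name
    agree, which is the njRAT pattern of reusing one config value everywhere."""
    hits = []
    for proc, data in correlate(events).items():
        if len(data["indicators"]) >= min_indicators:
            keys = data["keys"]
            hits.append({"process": proc,
                         "indicators": sorted(data["indicators"]),
                         "reg_key": next(iter(keys)) if len(keys) == 1 else None})
    return hits


if __name__ == "__main__":
    for hit in njrat_like(EVENTS):
        print(hit)
```

The recovered `reg_key` is the pivot: once it is known, the same value names the mutex, the Run value in HKCU and HKLM, and the Startup-folder file, so a single string search across registry and user profiles on other hosts finds every artefact of this build.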
Network

(no network entries recorded in this report)

MITRE ATT&CK Matrix (ATT&CK v6)

(no matrix entries recorded in this report)
Downloads

Dropped file (the report lists it once per behavioral task; both entries are identical):

- C:\Users\Admin\WindowsLogo.exe
  Filesize: 23KB
  MD5: 11f42d8a2e06a965a4ffc575dfda012f
  SHA1: 8e372df6a2d2171403349c72d5b4eac100baac06
  SHA256: 793d4047f9cb06853188abd91e4e889ab897b989abba1e9a040b0a767eb90802
  SHA512: 3b9001f44cb2f840f3d22888010a66a0ff2737a36b4574f5af6ab58466bca9ac63ef2820ed0d4ba18de5d7ef204b3ca2e6365f5803f758d1de2cec38f863cb5a

The hashes match the submitted sample exactly: WindowsLogo.exe is a byte-for-byte copy of the original, not an unpacked second stage, so the sample's own hashes also cover the dropped file and the Startup-folder copy.

Memory dumps:

- memory/2112-130-0x0000000074E80000-0x0000000075431000-memory.dmp (5.7MB)
- memory/2112-134-0x0000000074E80000-0x0000000075431000-memory.dmp (5.7MB)
- memory/4872-131-0x0000000000000000-mapping.dmp
- memory/4872-135-0x0000000074E80000-0x0000000075431000-memory.dmp (5.7MB)
- memory/4872-137-0x0000000074E80000-0x0000000075431000-memory.dmp (5.7MB)
- memory/4972-136-0x0000000000000000-mapping.dmp

The same 5.7MB region (0x74E80000-0x75431000, 0x5B1000 bytes) is dumped at the same address from both PID 2112 and PID 4872, which is consistent with a shared module mapped into both processes rather than with injected code.