Analysis
-
max time kernel
151s -
max time network
170s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
01-07-2022 05:51
Behavioral task
behavioral1
Sample
9ff8be4e2eccb72adaaa262e44bff1a2445e759f3e284a91ca8b130ef836b4bc.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
9ff8be4e2eccb72adaaa262e44bff1a2445e759f3e284a91ca8b130ef836b4bc.exe
Resource
win10v2004-20220414-en
General
-
Target
9ff8be4e2eccb72adaaa262e44bff1a2445e759f3e284a91ca8b130ef836b4bc.exe
-
Size
23KB
-
MD5
d79fa6101c38f4bbcd81d853f0aa18bb
-
SHA1
0df544e32c4b3c2f58cbd15c68af48dfb3b58200
-
SHA256
9ff8be4e2eccb72adaaa262e44bff1a2445e759f3e284a91ca8b130ef836b4bc
-
SHA512
9e4b244e0983882d9411e67a149fa32a5b1f8981dbdf004ce1358b4bb3daf7ba22483f127238d257cbab4eef3877f7876710bc53a72427f2b4ef9ce00b4dc86d
Malware Config
Extracted
njrat
0.7d
HacKed
198.169.0.1:1604
8b8cfe492ab67f57b448c0add5ef7412
-
reg_key
8b8cfe492ab67f57b448c0add5ef7412
-
splitter
|'|'|
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
server.exepid process 4140 server.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
9ff8be4e2eccb72adaaa262e44bff1a2445e759f3e284a91ca8b130ef836b4bc.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation 9ff8be4e2eccb72adaaa262e44bff1a2445e759f3e284a91ca8b130ef836b4bc.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
server.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8b8cfe492ab67f57b448c0add5ef7412 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\8b8cfe492ab67f57b448c0add5ef7412 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
Processes:
server.exedescription pid process Token: SeDebugPrivilege 4140 server.exe Token: 33 4140 server.exe Token: SeIncBasePriorityPrivilege 4140 server.exe Token: 33 4140 server.exe Token: SeIncBasePriorityPrivilege 4140 server.exe Token: 33 4140 server.exe Token: SeIncBasePriorityPrivilege 4140 server.exe Token: 33 4140 server.exe Token: SeIncBasePriorityPrivilege 4140 server.exe Token: 33 4140 server.exe Token: SeIncBasePriorityPrivilege 4140 server.exe Token: 33 4140 server.exe Token: SeIncBasePriorityPrivilege 4140 server.exe Token: 33 4140 server.exe Token: SeIncBasePriorityPrivilege 4140 server.exe Token: 33 4140 server.exe Token: SeIncBasePriorityPrivilege 4140 server.exe Token: 33 4140 server.exe Token: SeIncBasePriorityPrivilege 4140 server.exe Token: 33 4140 server.exe Token: SeIncBasePriorityPrivilege 4140 server.exe Token: 33 4140 server.exe Token: SeIncBasePriorityPrivilege 4140 server.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
9ff8be4e2eccb72adaaa262e44bff1a2445e759f3e284a91ca8b130ef836b4bc.exeserver.exedescription pid process target process PID 1884 wrote to memory of 4140 1884 9ff8be4e2eccb72adaaa262e44bff1a2445e759f3e284a91ca8b130ef836b4bc.exe server.exe PID 1884 wrote to memory of 4140 1884 9ff8be4e2eccb72adaaa262e44bff1a2445e759f3e284a91ca8b130ef836b4bc.exe server.exe PID 1884 wrote to memory of 4140 1884 9ff8be4e2eccb72adaaa262e44bff1a2445e759f3e284a91ca8b130ef836b4bc.exe server.exe PID 4140 wrote to memory of 4844 4140 server.exe netsh.exe PID 4140 wrote to memory of 4844 4140 server.exe netsh.exe PID 4140 wrote to memory of 4844 4140 server.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9ff8be4e2eccb72adaaa262e44bff1a2445e759f3e284a91ca8b130ef836b4bc.exe"C:\Users\Admin\AppData\Local\Temp\9ff8be4e2eccb72adaaa262e44bff1a2445e759f3e284a91ca8b130ef836b4bc.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\server.exeFilesize
23KB
MD5d79fa6101c38f4bbcd81d853f0aa18bb
SHA10df544e32c4b3c2f58cbd15c68af48dfb3b58200
SHA2569ff8be4e2eccb72adaaa262e44bff1a2445e759f3e284a91ca8b130ef836b4bc
SHA5129e4b244e0983882d9411e67a149fa32a5b1f8981dbdf004ce1358b4bb3daf7ba22483f127238d257cbab4eef3877f7876710bc53a72427f2b4ef9ce00b4dc86d
-
C:\Users\Admin\AppData\Local\Temp\server.exeFilesize
23KB
MD5d79fa6101c38f4bbcd81d853f0aa18bb
SHA10df544e32c4b3c2f58cbd15c68af48dfb3b58200
SHA2569ff8be4e2eccb72adaaa262e44bff1a2445e759f3e284a91ca8b130ef836b4bc
SHA5129e4b244e0983882d9411e67a149fa32a5b1f8981dbdf004ce1358b4bb3daf7ba22483f127238d257cbab4eef3877f7876710bc53a72427f2b4ef9ce00b4dc86d
-
memory/1884-130-0x0000000074ED0000-0x0000000075481000-memory.dmpFilesize
5.7MB
-
memory/1884-131-0x0000000074ED0000-0x0000000075481000-memory.dmpFilesize
5.7MB
-
memory/1884-136-0x0000000074ED0000-0x0000000075481000-memory.dmpFilesize
5.7MB
-
memory/4140-132-0x0000000000000000-mapping.dmp
-
memory/4140-135-0x0000000074ED0000-0x0000000075481000-memory.dmpFilesize
5.7MB
-
memory/4140-138-0x0000000074ED0000-0x0000000075481000-memory.dmpFilesize
5.7MB
-
memory/4844-137-0x0000000000000000-mapping.dmp