Analysis
- max time kernel: 171s
- max time network: 174s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 01-07-2022 06:00
Behavioral task: behavioral1
- Sample: 8d922558add2ca72d28ccf04735189741860cc38f9f6862a1a430314a814749d.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 8d922558add2ca72d28ccf04735189741860cc38f9f6862a1a430314a814749d.exe
- Resource: win10v2004-20220414-en
General
- Target: 8d922558add2ca72d28ccf04735189741860cc38f9f6862a1a430314a814749d.exe
- Size: 93KB
- MD5: e005b555ea05cef46b13fe5de4892ab9
- SHA1: 547a4b55fd055d5eaa69090da90f8d9bf58cd51c
- SHA256: 8d922558add2ca72d28ccf04735189741860cc38f9f6862a1a430314a814749d
- SHA512: 2731c12ffad3eb09151301d4d1fd3987b48df64ba7b9c55a80fcb8ce75eb0e9960eb1e7b1e010507d45a0f0bfd729fe08c43fbcd0de2345576110a01c291a4b8
Malware Config
Extracted: njrat
- im523
- jpeg
- 178.44.199.23:7777
- f7637d68ce1b9405a0673e2492622992
- reg_key: f7637d68ce1b9405a0673e2492622992
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: jpeg.exe (PID 4200)
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 8d922558add2ca72d28ccf04735189741860cc38f9f6862a1a430314a814749d.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (by 8d922558add2ca72d28ccf04735189741860cc38f9f6862a1a430314a814749d.exe)
- Drops startup file (2 IoCs)
  Processes: jpeg.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f7637d68ce1b9405a0673e2492622992.exe (by jpeg.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f7637d68ce1b9405a0673e2492622992.exe (by jpeg.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: jpeg.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f7637d68ce1b9405a0673e2492622992 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\jpeg.exe\" .." (by jpeg.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\f7637d68ce1b9405a0673e2492622992 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\jpeg.exe\" .." (by jpeg.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: jpeg.exe (PID 4200), 64 identical entries
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: jpeg.exe (PID 4200)
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes: jpeg.exe (PID 4200)
  Token: SeDebugPrivilege (1 entry), followed by 16 alternating pairs of Token: 33 and Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 8d922558add2ca72d28ccf04735189741860cc38f9f6862a1a430314a814749d.exe, jpeg.exe
  PID 2916 (8d922558add2ca72d28ccf04735189741860cc38f9f6862a1a430314a814749d.exe) wrote to memory of PID 4200 (jpeg.exe): 3 entries
  PID 4200 (jpeg.exe) wrote to memory of PID 4232 (netsh.exe): 3 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\8d922558add2ca72d28ccf04735189741860cc38f9f6862a1a430314a814749d.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8d922558add2ca72d28ccf04735189741860cc38f9f6862a1a430314a814749d.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\jpeg.exe (depth 2, child of the above)
    Command line: "C:\Users\Admin\AppData\Local\Temp\jpeg.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (depth 3, child of jpeg.exe)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\jpeg.exe" "jpeg.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\jpeg.exe
  Filesize: 93KB
  MD5: e005b555ea05cef46b13fe5de4892ab9
  SHA1: 547a4b55fd055d5eaa69090da90f8d9bf58cd51c
  SHA256: 8d922558add2ca72d28ccf04735189741860cc38f9f6862a1a430314a814749d
  SHA512: 2731c12ffad3eb09151301d4d1fd3987b48df64ba7b9c55a80fcb8ce75eb0e9960eb1e7b1e010507d45a0f0bfd729fe08c43fbcd0de2345576110a01c291a4b8
- memory/2916-130-0x00000000745D0000-0x0000000074B81000-memory.dmp (Filesize: 5.7MB)
- memory/2916-134-0x00000000745D0000-0x0000000074B81000-memory.dmp (Filesize: 5.7MB)
- memory/4200-131-0x0000000000000000-mapping.dmp
- memory/4200-135-0x00000000745D0000-0x0000000074B81000-memory.dmp (Filesize: 5.7MB)
- memory/4200-137-0x00000000745D0000-0x0000000074B81000-memory.dmp (Filesize: 5.7MB)
- memory/4232-136-0x0000000000000000-mapping.dmp