Analysis
max time kernel: 148s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 02-07-2022 18:46
Static task: static1
Behavioral task: behavioral1
Sample: c4906d9e92bbbb0302f3409adb459b9bc31f75282780a9a56b6bff2bc908715b.exe
Resource: win7-20220414-en
General
Target: c4906d9e92bbbb0302f3409adb459b9bc31f75282780a9a56b6bff2bc908715b.exe
Size: 168KB
MD5: 0ead8bf1a82f825a23acba001fa5d8f4
SHA1: d53abb4494d355f6954cea7ba866588593934992
SHA256: c4906d9e92bbbb0302f3409adb459b9bc31f75282780a9a56b6bff2bc908715b
SHA512: 5fda6c76bb39547844114ded578f7881fa9433d8da45d4df67c48cc17a9fce90b90c918e9cc4611b6bb86cef444cb00b11f10d219d3d1eb33f713b4741f8dc05
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: HacKed
C2: 127.0.0.1:1234
Mutex: cc0012ca95288ee5cb550c3649e082f9
Attributes:
  reg_key: cc0012ca95288ee5cb550c3649e082f9
  splitter: |'|'|

Notes on the extracted config: "HacKed" is the default campaign name shipped with the njRAT 0.7d builder, and the mutex and reg_key share one value because njRAT uses a single identifier for both. The C2 is the loopback address, so the client can only ever connect to itself; there is no network indicator to block from this build (consistent with the empty Network section below), and detection should rest on host artefacts: the mutex, the registry value name, and the dropped ben.exe hashes listed under Downloads.
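The splitter above is the field delimiter of njRAT's wire protocol. The following is an added example, not code from the sandbox report or from the sample: a parser for the message framing as this editor understands njRAT 0.7d, where each message is a decimal length, a NUL byte, then a payload whose fields are joined by the splitter. The field meanings (command, victim id, hostname, user), the victim-id prefix rule, and the sample traffic are assumptions constructed for the example.

```python
# Added example (not part of the sandbox report): parse njRAT-style
# length-prefixed, splitter-delimited messages from a byte stream.
# Assumptions: framing is "<decimal length>\x00<payload>" and the victim
# identifier starts with the campaign name followed by "_".

SPLITTER = b"|'|'|"   # value from the extracted config
BOTNET = b"HacKed"    # value from the extracted config


def frame(fields):
    """Encode one message the way a client would put it on the wire."""
    payload = SPLITTER.join(fields)
    return str(len(payload)).encode() + b"\x00" + payload


def parse_stream(data):
    """Split a TCP byte stream into messages.

    Returns (messages, leftover): messages is a list of field lists,
    leftover is the unconsumed tail (a truncated frame, or bytes that do
    not follow the framing). Malformed prefixes stop parsing instead of
    raising, so a half-captured stream still yields what it can.
    """
    messages = []
    pos = 0
    while pos < len(data):
        nul = data.find(b"\x00", pos)
        if nul == -1:
            break                       # no complete length prefix yet
        prefix = data[pos:nul]
        if not prefix.isdigit() or len(prefix) > 9:
            break                       # not this framing; stop here
        length = int(prefix)
        start, end = nul + 1, nul + 1 + length
        if end > len(data):
            break                       # frame truncated
        messages.append(data[start:end].split(SPLITTER))
        pos = end
    return messages, data[pos:]


def looks_like_botnet(messages, botnet=BOTNET):
    """True if any field carries the assumed '<botnet>_<machine id>' form."""
    return any(f.startswith(botnet + b"_") for msg in messages for f in msg)


# Constructed sample traffic (not a capture from the sample): a login-style
# message, a short second message, and a truncated third frame.
SAMPLE = (
    frame([b"ll", BOTNET + b"_ABC123", b"WIN10-VM", b"Admin"])
    + frame([b"inf", b"ping"])
    + b"12\x00only-partia"
)

if __name__ == "__main__":
    msgs, rest = parse_stream(SAMPLE)
    for m in msgs:
        print([f.decode() for f in m])
    print("leftover bytes:", len(rest), "botnet match:", looks_like_botnet(msgs))
```

Because the C2 in this build is 127.0.0.1:1234, the parser is most useful against traffic from a re-configured sample or from other builds that share the same splitter; the splitter and the length prefix are the stable parts of the framing.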
Signatures
Executes dropped EXE (1 IoC)
Processes:
  ben.exe (pid 4948)
Modifies Windows Firewall (1 TTP, 1 IoC)
The IoC is the netsh.exe command shown in the process tree (pid 2348), which adds a program-based allow rule for the dropped ben.exe.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
  c4906d9e92bbbb0302f3409adb459b9bc31f75282780a9a56b6bff2bc908715b.exe (pid 2160)
  Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation
Caveat: this value (the user's GeoID) is also read by ordinary .NET code that consults the current region, so on its own it is weak evidence of geofencing unless the sample's behaviour is shown to depend on the result.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; for a RAT it is more plausibly drive enumeration, and this report records no file-modification signature to support an encryption reading.
Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes: ben.exe (pid 4948)
  Token: SeDebugPrivilege (1 entry)
  Token: 33 and Token: SeIncBasePriorityPrivilege, alternating (17 pairs, 34 entries)
The numeric token 33 is a privilege LUID; in winnt.h SE_INC_WORKING_SET_PRIVILEGE is 33, so the repeated pair is SeIncreaseWorkingSetPrivilege followed by SeIncBasePriorityPrivilege. Enabling SeDebugPrivilege is the entry of interest: it is not needed for a process to adjust its own priority and is a standard precursor to opening other processes.
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  PID 2160 (c4906d9e92bbbb0302f3409adb459b9bc31f75282780a9a56b6bff2bc908715b.exe) wrote to memory of 4948 (ben.exe), 3 entries
  PID 4948 (ben.exe) wrote to memory of 2348 (netsh.exe), 3 entries
Both targets are children the writer itself spawned (see the process tree), and the report lists no remote-thread or hollowing signature, so these writes are most plausibly the parent's normal process start-up rather than code injection.
Processes
C:\Users\Admin\AppData\Local\Temp\c4906d9e92bbbb0302f3409adb459b9bc31f75282780a9a56b6bff2bc908715b.exe (level 1, pid 2160)
  command line: "C:\Users\Admin\AppData\Local\Temp\c4906d9e92bbbb0302f3409adb459b9bc31f75282780a9a56b6bff2bc908715b.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\ben.exe (level 2, pid 4948)
    command line: "C:\Users\Admin\AppData\Local\Temp\ben.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\netsh.exe (level 3, pid 2348)
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\ben.exe" "ben.exe" ENABLE
      - Modifies Windows Firewall
Notes on the tree: the PIDs come from the signature tables above. `netsh firewall` is the legacy pre-Vista context; Windows 10 still executes it (printing a deprecation notice) and the command adds an allow rule keyed on the program path, so the dropped binary can accept inbound connections. netsh.exe runs from SysWOW64 rather than System32 because the 32-bit ben.exe launched it through the WOW64 file-system redirect.
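Detection logic for the chain above, as an added example that is not part of the sandbox report. It runs over constructed process-creation records shaped like the fields Sysmon Event ID 1 or EDR telemetry provide (pid, ppid, image, command line); the records are hand-built from the tree shown here plus one benign control, not a real log export, and the rule names are this editor's own.

```python
# Added example (not part of the sandbox report): flag (1) a program-based
# firewall allow rule for a binary under %LOCALAPPDATA%\Temp and (2) an
# executable in Temp launching another executable in Temp.
import re

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Legacy "netsh firewall" context (still accepted by Windows 10) and the
# current "netsh advfirewall" one.
NETSH_ALLOW = re.compile(
    r"netsh(?:\.exe)?\s+(?:firewall\s+add\s+allowedprogram"
    r"|advfirewall\s+firewall\s+add\s+rule)",
    re.IGNORECASE,
)
QUOTED = re.compile(r'"([^"]+)"')   # quoted arguments after the verb

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\c4906d9e92bbbb0302f3409adb459b9bc31f75282780a9a56b6bff2bc908715b.exe")
BEN_EXE = r"C:\Users\Admin\AppData\Local\Temp\ben.exe"

# Constructed records modelled on the report's process tree; ppid 1000
# stands in for the launcher (explorer.exe) and is not itself logged.
EVENTS = [
    {"pid": 2160, "ppid": 1000, "image": SAMPLE_EXE,
     "cmdline": '"%s"' % SAMPLE_EXE},
    {"pid": 4948, "ppid": 2160, "image": BEN_EXE,
     "cmdline": '"%s"' % BEN_EXE},
    {"pid": 2348, "ppid": 4948, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": 'netsh firewall add allowedprogram "%s" "ben.exe" ENABLE' % BEN_EXE},
    # Benign control: an installer allowing a program under Program Files.
    {"pid": 5100, "ppid": 1000, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="App" dir=in '
                'action=allow program="C:\\Program Files\\App\\app.exe"'},
]


def find_findings(events):
    """Return (rule, pid, detail) tuples for records matching either rule."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        cmd = e["cmdline"]
        # Rule 1: firewall allow rule whose program path lives in Temp.
        m = NETSH_ALLOW.search(cmd)
        if m:
            temp_paths = [p for p in QUOTED.findall(cmd[m.end():]) if TEMP_DIR.search(p)]
            if temp_paths:
                findings.append(("firewall_allow_temp_binary", e["pid"], temp_paths[0]))
        # Rule 2: parent and child both run from Temp and are different files,
        # the shape of a dropper starting its payload.
        parent = by_pid.get(e["ppid"])
        if (parent and TEMP_DIR.search(parent["image"]) and TEMP_DIR.search(e["image"])
                and parent["image"].lower() != e["image"].lower()):
            findings.append(("temp_exe_spawns_temp_exe", e["pid"], e["image"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in find_findings(EVENTS):
        print(f"{rule}: pid {pid} -> {detail}")
```

Rule 1 keys on the program path rather than the netsh verb alone, which is what keeps the Program Files control out of the results; in production, extend the path check to Downloads and other user-writable directories and pair it with the dropped-file hashes from Downloads below.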
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\ben.exe
  Filesize: 23KB
  MD5: 43e1b731ab30055f534ef2276eaa72fb
  SHA1: 9c648a33edca6b2c6ae54784c219da59a3682c3b
  SHA256: e73557e8e6bdffcc0b3add262a502902101f6fa26822aded9c19bdc89135f239
  SHA512: 2e0b911c41004374e9bd54558a4ee5676c63c1ff8947a92c73d56b8e4f7fa3bc7d7f9aa5798520ce221a371eaf2a97ccdc0dd0791982b0fd70eb7f201d85da7c
Memory dumps
memory/2160-130-0x0000000000DE0000-0x0000000000E0A000-memory.dmp  Filesize 168KB
memory/2160-131-0x0000000005770000-0x000000000580C000-memory.dmp  Filesize 624KB
memory/2160-132-0x0000000005E20000-0x00000000063C4000-memory.dmp  Filesize 5.6MB
memory/2160-133-0x0000000005910000-0x00000000059A2000-memory.dmp  Filesize 584KB
memory/2160-134-0x0000000005840000-0x000000000584A000-memory.dmp  Filesize 40KB
memory/2160-135-0x0000000005AB0000-0x0000000005B06000-memory.dmp  Filesize 344KB
memory/2348-140-0x0000000000000000-mapping.dmp
memory/4948-136-0x0000000000000000-mapping.dmp
memory/4948-139-0x000000006F700000-0x000000006FCB1000-memory.dmp  Filesize 5.7MB
memory/4948-141-0x000000006F700000-0x000000006FCB1000-memory.dmp  Filesize 5.7MB
The first region of pid 2160 (0xDE0000 to 0xE0A000, 0x2A000 bytes) is the same 168KB as the submitted file, i.e. the sample's own mapped image; all addresses are below 4GB, consistent with both the sample and ben.exe being 32-bit processes.