Analysis
  max time kernel: 189s
  max time network: 203s
  platform: windows10-2004_x64
  resource: win10v2004-20220414-en
  submitted: 03-07-2022 04:07

Behavioral task: behavioral1
  Sample: 3d23047d00544b251210814d5404dd45d8fd7b86b0e7e36320057388aa5e6c11.exe
  Resource: win7-20220414-en
General
  Target: 3d23047d00544b251210814d5404dd45d8fd7b86b0e7e36320057388aa5e6c11.exe
  Size: 23KB
  MD5: ae6580de80622ab8f17ec97fbd077b56
  SHA1: 6b8298bcf68fba4c8fd14bb8879e32022beab6cb
  SHA256: 3d23047d00544b251210814d5404dd45d8fd7b86b0e7e36320057388aa5e6c11
  SHA512: 15d8b03d5ee7aadb60805a5e225962cb26d7aab41a1e67879e3e497c4567ae6b9fd5b7c36506aff7c5c5a3faacc994bc29c723cbf7597e0e04318dfd14444a7a
Malware Config
Extracted
  Family: njrat
  Version: 0.7d
  Botnet: Hacked
  C2: microsoft171.duckdns.org:1337
  Mutex: ca01d4d3802379411c71a0ad552be90b
  reg_key: ca01d4d3802379411c71a0ad552be90b
  splitter: |'|'|
Signatures
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
Executes dropped EXE (1 IoC)
Processes:
  pid 2840  igfxZXModule Service.exe
Modifies Windows Firewall (1 TTP, 1 IoC)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  3d23047d00544b251210814d5404dd45d8fd7b86b0e7e36320057388aa5e6c11.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
Drops startup file (2 IoCs)
Processes:
  igfxZXModule Service.exe
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ca01d4d3802379411c71a0ad552be90b.exe
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ca01d4d3802379411c71a0ad552be90b.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  igfxZXModule Service.exe
    Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ca01d4d3802379411c71a0ad552be90b = "\"C:\\ProgramData\\igfxZXModule Service.exe\" .."
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ca01d4d3802379411c71a0ad552be90b = "\"C:\\ProgramData\\igfxZXModule Service.exe\" .."
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (29 IoCs)
Processes:
  igfxZXModule Service.exe (pid 2840)
    Token: SeDebugPrivilege
    Token: 33 and Token: SeIncBasePriorityPrivilege, alternating, 14 occurrences each
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  PID 3308 (3d23047d00544b251210814d5404dd45d8fd7b86b0e7e36320057388aa5e6c11.exe) wrote to memory of PID 2840 (igfxZXModule Service.exe), 3 occurrences
  PID 2840 (igfxZXModule Service.exe) wrote to memory of PID 4400 (netsh.exe), 3 occurrences
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\3d23047d00544b251210814d5404dd45d8fd7b86b0e7e36320057388aa5e6c11.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3d23047d00544b251210814d5404dd45d8fd7b86b0e7e36320057388aa5e6c11.exe"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
    [2] C:\ProgramData\igfxZXModule Service.exe
        Command line: "C:\ProgramData\igfxZXModule Service.exe"
        - Executes dropped EXE
        - Drops startup file
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [3] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh firewall add allowedprogram "C:\ProgramData\igfxZXModule Service.exe" "igfxZXModule Service.exe" ENABLE
          - Modifies Windows Firewall
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  C:\ProgramData\igfxZXModule Service.exe
    Filesize: 23KB
    MD5: ae6580de80622ab8f17ec97fbd077b56
    SHA1: 6b8298bcf68fba4c8fd14bb8879e32022beab6cb
    SHA256: 3d23047d00544b251210814d5404dd45d8fd7b86b0e7e36320057388aa5e6c11
    SHA512: 15d8b03d5ee7aadb60805a5e225962cb26d7aab41a1e67879e3e497c4567ae6b9fd5b7c36506aff7c5c5a3faacc994bc29c723cbf7597e0e04318dfd14444a7a
  memory/2840-132-0x0000000000000000-mapping.dmp
  memory/2840-136-0x00000000746A0000-0x0000000074C51000-memory.dmp
    Filesize: 5.7MB
  memory/2840-138-0x00000000746A0000-0x0000000074C51000-memory.dmp
    Filesize: 5.7MB
  memory/3308-130-0x00000000746A0000-0x0000000074C51000-memory.dmp
    Filesize: 5.7MB
  memory/3308-131-0x00000000746A0000-0x0000000074C51000-memory.dmp
    Filesize: 5.7MB
  memory/3308-135-0x00000000746A0000-0x0000000074C51000-memory.dmp
    Filesize: 5.7MB
  memory/4400-137-0x0000000000000000-mapping.dmp