Analysis
- Max time kernel: 151s
- Max time network: 141s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Submitted: 04-07-2022 14:45
General
- Target: StUpdate.exe
- Size: 93KB
- MD5: f2321adc190e7db9b1f3b85e88f7ae54
- SHA1: 0b6126aaab291e1dbe0006411eff27789994aa78
- SHA256: dfe4b6b4f1bda60e6870666e6e4809a8e3ee4827db737525c9313bfbc87bf5c1
- SHA512: e07182b6653cbe64c8c1b9d533adc2a476e9490d8cecf0281f12c0187a2915301337bf3f2d96880706f9369e2adf7cb32538c1852e73ce53e1b236515569b830
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: FRANSESCOTI3LjAuFRANSESCOC4x:NTU1Mg==
- Mutex: fb116b75140ecc0173c4ba46bdb8d155
- reg_key: fb116b75140ecc0173c4ba46bdb8d155
- splitter: |'|'|
Signatures
- Disables Task Manager via registry modification
- Executes dropped EXE (3 IoCs)
  Processes: svchost.exe (pid 2252), StUpdate.exe (pid 2276), StUpdate.exe (pid 1056)
- Modifies Windows Firewall (1 TTPs, 6 IoCs)
  Processes: netsh.exe (pids 220, 224, 4996, 1524, 3824, 3108)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried by StUpdate.exe: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation
- Drops autorun.inf file (1 TTPs, 2 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  File created by StUpdate.exe: C:\autorun.inf
  File opened for modification by StUpdate.exe: C:\autorun.inf
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: StUpdate.exe (pid 3336), all 64 entries
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes: StUpdate.exe (pid 3336), svchost.exe (pid 2252)
- Suspicious use of AdjustPrivilegeToken (34 IoCs)
  Token: SeDebugPrivilege, StUpdate.exe (pid 3336)
  Token: SeDebugPrivilege, svchost.exe (pid 2252)
  Token: 33 and Token: SeIncBasePriorityPrivilege, svchost.exe (pid 2252), alternating for the remaining 32 entries (16 of each)
- Suspicious use of WriteProcessMemory (24 IoCs, each source/target pair recorded 3 times)
  StUpdate.exe (pid 3336) wrote to memory of netsh.exe (pid 4996)
  StUpdate.exe (pid 3336) wrote to memory of netsh.exe (pid 1524)
  StUpdate.exe (pid 3336) wrote to memory of netsh.exe (pid 3824)
  StUpdate.exe (pid 3336) wrote to memory of svchost.exe (pid 2252)
  svchost.exe (pid 2252) wrote to memory of netsh.exe (pid 3108)
  svchost.exe (pid 2252) wrote to memory of netsh.exe (pid 220)
  svchost.exe (pid 2252) wrote to memory of netsh.exe (pid 224)
  svchost.exe (pid 2252) wrote to memory of schtasks.exe (pid 3864)
Processes
- C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\StUpdate.exe"
  Checks computer location settings; Drops autorun.inf file; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\StUpdate.exe" "StUpdate.exe" ENABLE
    Modifies Windows Firewall
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\StUpdate.exe"
    Modifies Windows Firewall
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\StUpdate.exe" "StUpdate.exe" ENABLE
    Modifies Windows Firewall
  - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
    Executes dropped EXE; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe" "svchost.exe" ENABLE
      Modifies Windows Firewall
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
      Modifies Windows Firewall
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe" "svchost.exe" ENABLE
      Modifies Windows Firewall
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
      Creates scheduled task(s)
- C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
  Command line: C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
  Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
  Command line: C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
  Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\StUpdate.exe.log
  Filesize: 408B
  MD5: 661cab77d3b907e8057f2e689e995af3
  SHA1: 5d1a0ee9c5ee7a7a90d56d00c10dc0e679bee01c
  SHA256: 8f27f95ad7c09f2e05d7960e78ef8cd935c1262e9657883a75d70dcb877592d2
  SHA512: 2523b316bd79fed0e9b3d73f46959f3dfe270cf950f34bd9d49fe4113a2ae46d0cd00224d848bc40c0d8c55449e2dccc4b4278ba4809c0ca9ede1ac75673fc67
- C:\Users\Admin\AppData\Local\Temp\StUpdate.exe (listed 3 times; same hashes as the submitted sample)
  Filesize: 93KB
  MD5: f2321adc190e7db9b1f3b85e88f7ae54
  SHA1: 0b6126aaab291e1dbe0006411eff27789994aa78
  SHA256: dfe4b6b4f1bda60e6870666e6e4809a8e3ee4827db737525c9313bfbc87bf5c1
  SHA512: e07182b6653cbe64c8c1b9d533adc2a476e9490d8cecf0281f12c0187a2915301337bf3f2d96880706f9369e2adf7cb32538c1852e73ce53e1b236515569b830
- C:\Users\Admin\AppData\Local\Temp\melt.txt
  Filesize: 46B
  MD5: 06f835feb408ceb777ac17ef3735328e
  SHA1: 58a5cb1a0e0d6a45c8261ad9858041e61edc6871
  SHA256: 345c57e48ad5ee49b052a43766a306bcc8c4ef57e6a9805bf52aafe9678b084c
  SHA512: 41c6060bb670244f9ff81e2fb2205bd01182f9db460603b435d94bb58b5e152536243a10d0ab9b1138d722f97868f50ef30d4ac867307aa848943965a7177fe0
- C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe (listed 2 times; same hashes as the submitted sample)
  Filesize: 93KB
  MD5: f2321adc190e7db9b1f3b85e88f7ae54
  SHA1: 0b6126aaab291e1dbe0006411eff27789994aa78
  SHA256: dfe4b6b4f1bda60e6870666e6e4809a8e3ee4827db737525c9313bfbc87bf5c1
  SHA512: e07182b6653cbe64c8c1b9d533adc2a476e9490d8cecf0281f12c0187a2915301337bf3f2d96880706f9369e2adf7cb32538c1852e73ce53e1b236515569b830
- C:\Users\Admin\AppData\Roaming\app (listed 3 times)
  Filesize: 4B
  MD5: 047dda8d29bbbf2b6e1c3f4212189eba
  SHA1: eb10217bbf887b1ad9b984cb7a559b177e2c762a
  SHA256: afd43463eba279dc102afa66f3ef7173885c540c02776217638de34e03486125
  SHA512: 84c38a784fa77686de5be91738fffd0371ca667eff0e117c87e8e2d676ef29b7defe21c7bfa83f00ef967d73d3983fb038bd07b93fde963ec5ae10a2f569a822
Memory dumps
- memory/220-141-0x0000000000000000-mapping.dmp
- memory/224-142-0x0000000000000000-mapping.dmp
- memory/1056-155-0x0000000075220000-0x00000000757D1000-memory.dmp (Filesize: 5.7MB)
- memory/1056-153-0x0000000075220000-0x00000000757D1000-memory.dmp (Filesize: 5.7MB)
- memory/1524-132-0x0000000000000000-mapping.dmp
- memory/2252-134-0x0000000000000000-mapping.dmp
- memory/2252-145-0x0000000075220000-0x00000000757D1000-memory.dmp (Filesize: 5.7MB)
- memory/2252-139-0x0000000075220000-0x00000000757D1000-memory.dmp (Filesize: 5.7MB)
- memory/2276-149-0x0000000075220000-0x00000000757D1000-memory.dmp (Filesize: 5.7MB)
- memory/2276-151-0x0000000075220000-0x00000000757D1000-memory.dmp (Filesize: 5.7MB)
- memory/3108-140-0x0000000000000000-mapping.dmp
- memory/3336-130-0x0000000075220000-0x00000000757D1000-memory.dmp (Filesize: 5.7MB)
- memory/3336-138-0x0000000075220000-0x00000000757D1000-memory.dmp (Filesize: 5.7MB)
- memory/3824-133-0x0000000000000000-mapping.dmp
- memory/3864-144-0x0000000000000000-mapping.dmp
- memory/4996-131-0x0000000000000000-mapping.dmp