Analysis
  max time kernel:   152s
  max time network:  136s
  platform:          windows10-2004_x64
  resource:          win10v2004-20220414-en
  submitted:         04-07-2022 14:38
General
  Target:  ja.exe
  Size:    93KB
  MD5:     f2321adc190e7db9b1f3b85e88f7ae54
  SHA1:    0b6126aaab291e1dbe0006411eff27789994aa78
  SHA256:  dfe4b6b4f1bda60e6870666e6e4809a8e3ee4827db737525c9313bfbc87bf5c1
  SHA512:  e07182b6653cbe64c8c1b9d533adc2a476e9490d8cecf0281f12c0187a2915301337bf3f2d96880706f9369e2adf7cb32538c1852e73ce53e1b236515569b830
Malware Config
Extracted
  Family:   njrat
  Version:  0.7d
  Botnet:   HacKed
  C2:       FRANSESCOTI3LjAuFRANSESCOC4x:NTU1Mg==
  Mutex:    fb116b75140ecc0173c4ba46bdb8d155
  Attributes
    reg_key:   fb116b75140ecc0173c4ba46bdb8d155
    splitter:  |'|'|
Signatures
-
Disables Task Manager via registry modification
-
Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  4360  svchost.exe
  4692  StUpdate.exe
  2400  StUpdate.exe
-
Modifies Windows Firewall (1 TTP, 6 IoCs)
Processes:
  pid   process
  4660  netsh.exe
  5032  netsh.exe
  2556  netsh.exe
  800   netsh.exe
  4248  netsh.exe
  4820  netsh.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation  (ja.exe)
-
Drops autorun.inf file (1 TTP, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
  File created:                  C:\autorun.inf  (ja.exe)
  File opened for modification:  C:\autorun.inf  (ja.exe)
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid   process  count
  4948  ja.exe   64
-
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes:
  pid   process
  4948  ja.exe
  4360  svchost.exe
-
Suspicious use of AdjustPrivilegeToken (36 IoCs)
Processes:
  description                        pid   process      count
  Token: SeDebugPrivilege            4948  ja.exe       1
  Token: SeDebugPrivilege            4360  svchost.exe  1
  Token: 33                          4360  svchost.exe  17
  Token: SeIncBasePriorityPrivilege  4360  svchost.exe  17
-
Suspicious use of WriteProcessMemory (24 IoCs)
Processes:
  source (pid, process)  target (pid, process)  count
  4948  ja.exe           4660  netsh.exe        3
  4948  ja.exe           5032  netsh.exe        3
  4948  ja.exe           2556  netsh.exe        3
  4948  ja.exe           4360  svchost.exe      3
  4360  svchost.exe      800   netsh.exe        3
  4360  svchost.exe      4248  netsh.exe        3
  4360  svchost.exe      4820  netsh.exe        3
  4360  svchost.exe      4696  schtasks.exe     3
Processes

C:\Users\Admin\AppData\Local\Temp\ja.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ja.exe"
  - Checks computer location settings
  - Drops autorun.inf file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\netsh.exe
    command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\ja.exe" "ja.exe" ENABLE
    - Modifies Windows Firewall

  C:\Windows\SysWOW64\netsh.exe
    command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\ja.exe"
    - Modifies Windows Firewall

  C:\Windows\SysWOW64\netsh.exe
    command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\ja.exe" "ja.exe" ENABLE
    - Modifies Windows Firewall

  C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe" "svchost.exe" ENABLE
      - Modifies Windows Firewall

    C:\Windows\SysWOW64\netsh.exe
      command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
      - Modifies Windows Firewall

    C:\Windows\SysWOW64\netsh.exe
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe" "svchost.exe" ENABLE
      - Modifies Windows Firewall

    C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
      - Creates scheduled task(s)

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
  command line: C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
  - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
  command line: C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\StUpdate.exe.log
  Filesize:  408B
  MD5:       661cab77d3b907e8057f2e689e995af3
  SHA1:      5d1a0ee9c5ee7a7a90d56d00c10dc0e679bee01c
  SHA256:    8f27f95ad7c09f2e05d7960e78ef8cd935c1262e9657883a75d70dcb877592d2
  SHA512:    2523b316bd79fed0e9b3d73f46959f3dfe270cf950f34bd9d49fe4113a2ae46d0cd00224d848bc40c0d8c55449e2dccc4b4278ba4809c0ca9ede1ac75673fc67
-
C:\Users\Admin\AppData\Local\Temp\StUpdate.exe  (same hashes as the submitted ja.exe)
  Filesize:  93KB
  MD5:       f2321adc190e7db9b1f3b85e88f7ae54
  SHA1:      0b6126aaab291e1dbe0006411eff27789994aa78
  SHA256:    dfe4b6b4f1bda60e6870666e6e4809a8e3ee4827db737525c9313bfbc87bf5c1
  SHA512:    e07182b6653cbe64c8c1b9d533adc2a476e9490d8cecf0281f12c0187a2915301337bf3f2d96880706f9369e2adf7cb32538c1852e73ce53e1b236515569b830
-
C:\Users\Admin\AppData\Local\Temp\melt.txt
  Filesize:  40B
  MD5:       9af3649bf2ea74a73f8f775ece772dd6
  SHA1:      85227138070bdcb7a49c79509d5d0c0b8df85afe
  SHA256:    fdb18cbf795a63a4a5678a707e24adb18b91ac50b99e8e6f685bd61f4f4a8816
  SHA512:    c77d8d336ad72a62633b2694455f33b76da452019623d3da7378d0e73f6504044b20db22230597c00a7cb6ec100cc55187541c9688cf3bbc112fb49ff3e4fa5f
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe  (same hashes as the submitted ja.exe)
  Filesize:  93KB
  MD5:       f2321adc190e7db9b1f3b85e88f7ae54
  SHA1:      0b6126aaab291e1dbe0006411eff27789994aa78
  SHA256:    dfe4b6b4f1bda60e6870666e6e4809a8e3ee4827db737525c9313bfbc87bf5c1
  SHA512:    e07182b6653cbe64c8c1b9d533adc2a476e9490d8cecf0281f12c0187a2915301337bf3f2d96880706f9369e2adf7cb32538c1852e73ce53e1b236515569b830
-
C:\Users\Admin\AppData\Roaming\app
  Filesize:  4B
  MD5:       047dda8d29bbbf2b6e1c3f4212189eba
  SHA1:      eb10217bbf887b1ad9b984cb7a559b177e2c762a
  SHA256:    afd43463eba279dc102afa66f3ef7173885c540c02776217638de34e03486125
  SHA512:    84c38a784fa77686de5be91738fffd0371ca667eff0e117c87e8e2d676ef29b7defe21c7bfa83f00ef967d73d3983fb038bd07b93fde963ec5ae10a2f569a822
-
Memory dumps
  memory/800-140-0x0000000000000000-mapping.dmp
  memory/2400-154-0x0000000075150000-0x0000000075701000-memory.dmp  (5.7MB)
  memory/2556-133-0x0000000000000000-mapping.dmp
  memory/4248-141-0x0000000000000000-mapping.dmp
  memory/4360-145-0x0000000075150000-0x0000000075701000-memory.dmp  (5.7MB)
  memory/4360-134-0x0000000000000000-mapping.dmp
  memory/4360-139-0x0000000075150000-0x0000000075701000-memory.dmp  (5.7MB)
  memory/4660-131-0x0000000000000000-mapping.dmp
  memory/4692-148-0x0000000075150000-0x0000000075701000-memory.dmp  (5.7MB)
  memory/4692-150-0x0000000075150000-0x0000000075701000-memory.dmp  (5.7MB)
  memory/4696-144-0x0000000000000000-mapping.dmp
  memory/4820-142-0x0000000000000000-mapping.dmp
  memory/4948-130-0x0000000075150000-0x0000000075701000-memory.dmp  (5.7MB)
  memory/4948-138-0x0000000075150000-0x0000000075701000-memory.dmp  (5.7MB)
  memory/5032-132-0x0000000000000000-mapping.dmp