Analysis
- max time kernel: 172s
- max time network: 187s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 08-07-2022 15:50
Behavioral task: behavioral1
- Sample: 28d9c94fe4df6182e2a59cd806837ea242dd7971a44cc6f132220ab45e3ec27c.exe
- Resource: win7-20220414-en
General
- Target: 28d9c94fe4df6182e2a59cd806837ea242dd7971a44cc6f132220ab45e3ec27c.exe
- Size: 93KB
- MD5: ad5ffd5268a01b519b539f1233b52fee
- SHA1: 1dde3b4a1c4b9b1ac753d649bf16f14744331e39
- SHA256: 28d9c94fe4df6182e2a59cd806837ea242dd7971a44cc6f132220ab45e3ec27c
- SHA512: f73539047ac22ec1e3c1dd73401116b35cb43d305229f2c3bbc1ba89f1129fd05db8cb8db4bda7c8ac4970bc07fdb578568d80aa4e1bdaec319530f31ea32bd1
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet/campaign: hacker
- C2 host (obfuscated): FRANSESCOTI3LjAuFRANSESCOC4x:MTYwNA==
- Mutex: dfd6ed83b13338db2ca4f209d9a7474f
- reg_key: dfd6ed83b13338db2ca4f209d9a7474f
- splitter: |'|'|
The first five fields are unlabelled in the original report; the labels above follow the extractor's usual njRAT layout (family, version, botnet tag, host, mutex). The host field is the builder's Base64 host:port string with the Base64 letter M replaced by the word FRANSESCO; restoring M and decoding gives 127.0.0.1:1604, a loopback C2 that suggests a test build or a configuration that was never pointed at a real server. The mutex/reg_key value also appears as the filename prefix of the Startup-folder copy reported under "Drops startup file" below, and the splitter is the delimiter njRAT uses between fields of each command.
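The following Python decodes the configuration as an added example; it is not code from the sandbox or from the malware. The config values are copied from the report. Two things are assumptions: that the builder replaced the Base64 letter M with FRANSESCO (inferred because restoring M yields valid Base64 that decodes to a well-formed IPv4 literal), and the frame layout used by parse_frame (ASCII decimal length, a NUL byte, then the splitter-delimited payload); the sample frame is constructed, not captured traffic.

```python
import base64

# Values copied from the extracted configuration in the report.
RAW_HOST = "FRANSESCOTI3LjAuFRANSESCOC4x:MTYwNA=="
SPLITTER = "|'|'|"

# Inferred from this sample: the builder swapped the Base64 letter "M" for the
# word "FRANSESCO". Other builds use other filler strings, so it is a parameter.
FILLER = "FRANSESCO"


def decode_host(raw: str, filler: str = FILLER) -> tuple:
    """Undo the filler substitution and Base64 on an njRAT host:port field."""
    host_b64, port_b64 = raw.replace(filler, "M").split(":", 1)
    host = base64.b64decode(host_b64, validate=True).decode("ascii")
    port = int(base64.b64decode(port_b64, validate=True).decode("ascii"))
    if not 0 < port < 65536:
        raise ValueError(f"decoded port out of range: {port}")
    return host, port


def split_fields(payload: str, splitter: str = SPLITTER) -> list:
    """Split one njRAT command or response into fields on the configured splitter."""
    return payload.split(splitter)


def parse_frame(frame: bytes, splitter: str = SPLITTER) -> tuple:
    """Parse one njRAT frame into (command, arguments).

    Assumed framing: ASCII decimal payload length, a NUL byte, then the payload.
    Bytes beyond the declared length belong to the next frame and are ignored;
    a short buffer is rejected rather than parsed as a truncated command.
    """
    length, nul, rest = frame.partition(b"\x00")
    if not nul or not length.isdigit():
        raise ValueError("missing or malformed length prefix")
    n = int(length)
    if len(rest) < n:
        raise ValueError(f"truncated frame: expected {n} bytes, got {len(rest)}")
    fields = split_fields(rest[:n].decode("utf-8", errors="replace"), splitter)
    return fields[0], fields[1:]


if __name__ == "__main__":
    host, port = decode_host(RAW_HOST)
    print(f"C2: {host}:{port}")
    # Constructed two-field frame (not captured traffic): command "ll", one argument.
    print(parse_frame(b"10\x00ll|'|'|xyz"))
```

decode_host takes the filler as a parameter because the substitution word is per-build; running it with the wrong filler fails Base64 validation instead of silently returning garbage, which is the behaviour you want in a config extractor.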
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
pid   process
4992  server.exe
-
Modifies Windows Firewall 1 TTPs 3 IoCs
Three netsh.exe invocations that add, delete and re-add the same allowedprogram exception for server.exe (command lines in the process tree below). `netsh firewall` is the legacy firewall context, deprecated since Windows Vista in favour of `netsh advfirewall firewall`, but it still creates the exception on Windows 10.
Processes:
pid   process
1928  netsh.exe
4508  netsh.exe
4440  netsh.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing. This key is also read by ordinary .NET locale initialisation (RegionInfo), and njRAT is a .NET binary, so on its own this is weak evidence of geofencing.
Processes:
description        ioc                                                                                                            process
Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation   28d9c94fe4df6182e2a59cd806837ea242dd7971a44cc6f132220ab45e3ec27c.exe
-
Drops startup file 4 IoCs
Two copies are written to the per-user Startup folder; the prefix of the first filename is the mutex/reg_key value from the extracted config.
Processes:
description                   ioc                                                                                                                          process
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dfd6ed83b13338db2ca4f209d9a7474fWindows Update.exe   server.exe
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe                          server.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe                          server.exe
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dfd6ed83b13338db2ca4f209d9a7474fWindows Update.exe   server.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; for njRAT, drive enumeration is normally its removable-drive spreading routine (copying itself to USB media), and nothing else in this run indicates file encryption.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process
4992  server.exe (64 identical entries)
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Repeated GetForegroundWindow polling is how njRAT's keylogger tags captured keystrokes with the title of the active window.
Processes:
pid   process
2348  28d9c94fe4df6182e2a59cd806837ea242dd7971a44cc6f132220ab45e3ec27c.exe
4992  server.exe
-
Suspicious use of AdjustPrivilegeToken 27 IoCs
Processes:
description                        pid   process
Token: SeDebugPrivilege            4992  server.exe
Token: 33                          4992  server.exe   (13 entries, alternating with the next row)
Token: SeIncBasePriorityPrivilege  4992  server.exe   (13 entries)
The privilege the sandbox shows only as "33" is LUID 33, SeIncreaseWorkingSetPrivilege. SeDebugPrivilege is what the RAT needs to open processes of other users; the working-set/base-priority pair is re-enabled 13 times, so server.exe re-adjusts its own priority and working set repeatedly rather than once at startup.
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
source pid  source process                                                          target pid  target process  writes
2348        28d9c94fe4df6182e2a59cd806837ea242dd7971a44cc6f132220ab45e3ec27c.exe   4992        server.exe      3
4992        server.exe                                                              1928        netsh.exe       3
4992        server.exe                                                              4508        netsh.exe       3
4992        server.exe                                                              4440        netsh.exe       3
Every write goes from a parent into the child it has just spawned, three per child, which is the pattern produced by ordinary process creation, not injection into an unrelated process.
Processes
-
C:\Users\Admin\AppData\Local\Temp\28d9c94fe4df6182e2a59cd806837ea242dd7971a44cc6f132220ab45e3ec27c.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\28d9c94fe4df6182e2a59cd806837ea242dd7971a44cc6f132220ab45e3ec27c.exe"
PID: 2348 (depth 1)
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\server.exe
    Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
    PID: 4992 (depth 2, child of 2348)
    - Executes dropped EXE
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
        PID: 1928 (depth 3, child of 4992)
        - Modifies Windows Firewall
        C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
        PID: 4508 (depth 3, child of 4992)
        - Modifies Windows Firewall
        C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
        PID: 4440 (depth 3, child of 4992)
        - Modifies Windows Firewall
server.exe is a byte-identical copy of the submitted sample (same hashes in the dropped-files list below) relaunched from %APPDATA%. netsh.exe resolves to SysWOW64 because the parent is a 32-bit process on a 64-bit host and file-system redirection applies. The net effect of the add/delete/add sequence is a single firewall exception for server.exe.
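Detection logic for the pattern in this tree (a process under AppData spawning netsh to whitelist itself and writing to the per-user Startup folder), as an added Python example rather than code from the sandbox. The events are constructed from the PIDs, images and command lines in the report; the parent of PID 2348 and the two benign control events are assumptions. It also parses the advfirewall syntax, which this sample does not use, so the same rule covers both forms of the command.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

# Locations an unprivileged user can write to. Executables, firewall exceptions
# and startup entries rooted here are the pattern this sample shows.
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Legacy syntax (what the sample uses) and the current advfirewall syntax.
NETSH_ADD = re.compile(
    r"\bnetsh\b.*\b(?:firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)\b",
    re.IGNORECASE,
)


class Proc(NamedTuple):
    pid: int
    image: str
    cmdline: str
    ppid: int
    parent_image: str


class FileWrite(NamedTuple):
    pid: int
    image: str
    path: str


class Finding(NamedTuple):
    rule: str
    pid: int
    detail: str


def allowed_program(cmdline: str) -> Optional[str]:
    """Return the program path a netsh add command whitelists, or None."""
    m = re.search(r'allowedprogram\s+"([^"]+)"', cmdline, re.IGNORECASE)
    if m:
        return m.group(1)
    m = re.search(r'program\s*=\s*(?:"([^"]+)"|(\S+))', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def triage(procs: list, files: list) -> list:
    """Apply the four rules to process-creation and file-write events."""
    out = []
    for p in procs:
        is_netsh = p.image.lower().endswith("\\netsh.exe")
        if is_netsh and USER_WRITABLE.match(p.parent_image):
            out.append(Finding("netsh_from_user_writable_parent", p.pid, p.parent_image))
        if is_netsh and NETSH_ADD.search(p.cmdline):
            prog = allowed_program(p.cmdline)
            if prog and USER_WRITABLE.match(prog):
                out.append(Finding("firewall_exception_for_user_writable_program", p.pid, prog))
        if USER_WRITABLE.match(p.image) and USER_WRITABLE.match(p.parent_image):
            out.append(Finding("exec_from_user_writable_parent", p.pid, p.image))
    for f in files:
        if STARTUP_DIR.search(f.path) and USER_WRITABLE.match(f.image):
            out.append(Finding("startup_drop_by_user_writable_process", f.pid, f.path))
    return out


def summarize(findings: list) -> dict:
    return dict(Counter(f.rule for f in findings))


# Constructed events mirroring the report's process tree (parent of 2348 assumed).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\28d9c94fe4df6182e2a59cd806837ea242dd7971a44cc6f132220ab45e3ec27c.exe"
SERVER = r"C:\Users\Admin\AppData\Roaming\server.exe"
NETSH = r"C:\Windows\SysWOW64\netsh.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
PROCS = [
    Proc(2348, SAMPLE, f'"{SAMPLE}"', 1234, r"C:\Windows\explorer.exe"),
    Proc(4992, SERVER, f'"{SERVER}"', 2348, SAMPLE),
    Proc(1928, NETSH, f'netsh firewall add allowedprogram "{SERVER}" "server.exe" ENABLE', 4992, SERVER),
    Proc(4508, NETSH, f'netsh firewall delete allowedprogram "{SERVER}"', 4992, SERVER),
    Proc(4440, NETSH, f'netsh firewall add allowedprogram "{SERVER}" "server.exe" ENABLE', 4992, SERVER),
    # Benign control (constructed): an installer under Program Files opening a hole for itself.
    Proc(5000, NETSH, r'netsh advfirewall firewall add rule name="App" dir=in action=allow program="C:\Program Files\Vendor\app.exe"',
         4800, r"C:\Program Files\Vendor\setup.exe"),
]
FILES = [
    FileWrite(4992, SERVER, rf"{STARTUP}\dfd6ed83b13338db2ca4f209d9a7474fWindows Update.exe"),
    FileWrite(4992, SERVER, rf"{STARTUP}\Microsoft Corporation.exe"),
    FileWrite(3000, r"C:\Windows\explorer.exe", rf"{STARTUP}\desktop.ini"),  # benign control
]

if __name__ == "__main__":
    for finding in triage(PROCS, FILES):
        print(finding)
    print(summarize(triage(PROCS, FILES)))
```

The rules are deliberately keyed on the location of the binary rather than on the name server.exe or the hash, because the same njRAT build will be repacked; the control events show that a vendor installer under Program Files whitelisting its own program, or Explorer writing desktop.ini into the Startup folder, produces no finding.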
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Roaming\app
- Filesize: 4B
- MD5: 5fa01e3399c29de16299d5f4ac743fb2
- SHA1: 04e29a03c4a56cf097701f34d6d2999b93035327
- SHA256: 6918b0e9f3af6051db0828a0ec9b353222b84164dab5ed3c85310eefce166223
- SHA512: 5492642165fb12e782f71ba84e8a673ecc047a8a8b3f2f59b64fa8200212326d36ed576fd119ffd0134f1daa03d14069ead81f0e29c2d59de10cdf4bbf2dc90c
-
C:\Users\Admin\AppData\Roaming\server.exe (listed twice in the original report with identical hashes; they match the submitted sample, so the dropper copies itself unchanged)
- Filesize: 93KB
- MD5: ad5ffd5268a01b519b539f1233b52fee
- SHA1: 1dde3b4a1c4b9b1ac753d649bf16f14744331e39
- SHA256: 28d9c94fe4df6182e2a59cd806837ea242dd7971a44cc6f132220ab45e3ec27c
- SHA512: f73539047ac22ec1e3c1dd73401116b35cb43d305229f2c3bbc1ba89f1129fd05db8cb8db4bda7c8ac4970bc07fdb578568d80aa4e1bdaec319530f31ea32bd1
-
Memory dumps
- memory/1928-137-0x0000000000000000-mapping.dmp
- memory/2348-130-0x0000000075400000-0x00000000759B1000-memory.dmp (5.7MB)
- memory/2348-134-0x0000000075400000-0x00000000759B1000-memory.dmp (5.7MB)
- memory/4440-139-0x0000000000000000-mapping.dmp
- memory/4508-138-0x0000000000000000-mapping.dmp
- memory/4992-131-0x0000000000000000-mapping.dmp
- memory/4992-136-0x0000000075400000-0x00000000759B1000-memory.dmp (5.7MB)
- memory/4992-140-0x0000000075400000-0x00000000759B1000-memory.dmp (5.7MB)
The 0x75400000-0x759B1000 range is dumped from both PID 2348 and PID 4992 and is far larger than the 93KB executable, so it is a module mapped at the same base in both 32-bit processes rather than the sample's own image; the zero-address "mapping" entries are the initial mappings recorded for the spawned netsh.exe and server.exe processes.