Analysis
-
max time kernel
152s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system -
submitted
04-08-2022 21:28
Behavioral task
behavioral1
Sample
DangerousPayload.exe
Resource
win7-20220715-en
Behavioral task
behavioral2
Sample
DangerousPayload.exe
Resource
win10v2004-20220721-en
General
-
Target
DangerousPayload.exe
-
Size
37KB
-
MD5
9bbb2f1dc80afe6ecf27b31794a02d32
-
SHA1
bac66f84175fe186c478a340c2f31fde5f57d980
-
SHA256
7aa11361505f0ea1e8bf02e1529a5104f8186da3d52f26409281f6d4783bc77f
-
SHA512
341ff7add58a74c3aef78340e6c44ae05b8c8b0ba16c0d3d20a668f2923550faee171563bc8541ff0ef956002609bdda4337a484d470fca6528237bc170aac3e
Malware Config
Extracted
njrat
im523
HacKed
susiahat24199a.ddns.net:5552
b94fe95343d85bb18dd50d099af4eb73
-
reg_key
b94fe95343d85bb18dd50d099af4eb73
-
splitter
|'|'|
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
server.exepid process 3720 server.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
DangerousPayload.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation DangerousPayload.exe -
Drops startup file 2 IoCs
Processes:
server.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b94fe95343d85bb18dd50d099af4eb73.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b94fe95343d85bb18dd50d099af4eb73.exe server.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
server.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b94fe95343d85bb18dd50d099af4eb73 = "\"C:\\Users\\Admin\\server.exe\" .." server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b94fe95343d85bb18dd50d099af4eb73 = "\"C:\\Users\\Admin\\server.exe\" .." server.exe -
Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
server.exedescription ioc process File created C:\autorun.inf server.exe File opened for modification C:\autorun.inf server.exe File created D:\autorun.inf server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 3592 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
server.exepid process 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe 3720 server.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
server.exepid process 3720 server.exe -
Suspicious use of AdjustPrivilegeToken 30 IoCs
Processes:
server.exetaskkill.exedescription pid process Token: SeDebugPrivilege 3720 server.exe Token: SeDebugPrivilege 3592 taskkill.exe Token: 33 3720 server.exe Token: SeIncBasePriorityPrivilege 3720 server.exe Token: 33 3720 server.exe Token: SeIncBasePriorityPrivilege 3720 server.exe Token: 33 3720 server.exe Token: SeIncBasePriorityPrivilege 3720 server.exe Token: 33 3720 server.exe Token: SeIncBasePriorityPrivilege 3720 server.exe Token: 33 3720 server.exe Token: SeIncBasePriorityPrivilege 3720 server.exe Token: 33 3720 server.exe Token: SeIncBasePriorityPrivilege 3720 server.exe Token: 33 3720 server.exe Token: SeIncBasePriorityPrivilege 3720 server.exe Token: 33 3720 server.exe Token: SeIncBasePriorityPrivilege 3720 server.exe Token: 33 3720 server.exe Token: SeIncBasePriorityPrivilege 3720 server.exe Token: 33 3720 server.exe Token: SeIncBasePriorityPrivilege 3720 server.exe Token: 33 3720 server.exe Token: SeIncBasePriorityPrivilege 3720 server.exe Token: 33 3720 server.exe Token: SeIncBasePriorityPrivilege 3720 server.exe Token: 33 3720 server.exe Token: SeIncBasePriorityPrivilege 3720 server.exe Token: 33 3720 server.exe Token: SeIncBasePriorityPrivilege 3720 server.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
DangerousPayload.exeserver.exedescription pid process target process PID 4760 wrote to memory of 3720 4760 DangerousPayload.exe server.exe PID 4760 wrote to memory of 3720 4760 DangerousPayload.exe server.exe PID 4760 wrote to memory of 3720 4760 DangerousPayload.exe server.exe PID 3720 wrote to memory of 1352 3720 server.exe netsh.exe PID 3720 wrote to memory of 1352 3720 server.exe netsh.exe PID 3720 wrote to memory of 1352 3720 server.exe netsh.exe PID 3720 wrote to memory of 3592 3720 server.exe taskkill.exe PID 3720 wrote to memory of 3592 3720 server.exe taskkill.exe PID 3720 wrote to memory of 3592 3720 server.exe taskkill.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\DangerousPayload.exe"C:\Users\Admin\AppData\Local\Temp\DangerousPayload.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\server.exe"C:\Users\Admin\server.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM System32.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\server.exeFilesize
37KB
MD59bbb2f1dc80afe6ecf27b31794a02d32
SHA1bac66f84175fe186c478a340c2f31fde5f57d980
SHA2567aa11361505f0ea1e8bf02e1529a5104f8186da3d52f26409281f6d4783bc77f
SHA512341ff7add58a74c3aef78340e6c44ae05b8c8b0ba16c0d3d20a668f2923550faee171563bc8541ff0ef956002609bdda4337a484d470fca6528237bc170aac3e
-
C:\Users\Admin\server.exeFilesize
37KB
MD59bbb2f1dc80afe6ecf27b31794a02d32
SHA1bac66f84175fe186c478a340c2f31fde5f57d980
SHA2567aa11361505f0ea1e8bf02e1529a5104f8186da3d52f26409281f6d4783bc77f
SHA512341ff7add58a74c3aef78340e6c44ae05b8c8b0ba16c0d3d20a668f2923550faee171563bc8541ff0ef956002609bdda4337a484d470fca6528237bc170aac3e
-
memory/1352-137-0x0000000000000000-mapping.dmp
-
memory/3592-138-0x0000000000000000-mapping.dmp
-
memory/3720-131-0x0000000000000000-mapping.dmp
-
memory/3720-135-0x0000000074690000-0x0000000074C41000-memory.dmpFilesize
5.7MB
-
memory/3720-136-0x0000000074690000-0x0000000074C41000-memory.dmpFilesize
5.7MB
-
memory/4760-130-0x0000000074690000-0x0000000074C41000-memory.dmpFilesize
5.7MB
-
memory/4760-134-0x0000000074690000-0x0000000074C41000-memory.dmpFilesize
5.7MB