Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-08-2022 19:16
Behavioral task behavioral1
- Sample: VXUHEUR-Trojan.MSIL.Crypt.gen-6cd445a30c85396.exe
- Resource: win7-20220812-en
Behavioral task behavioral2
- Sample: VXUHEUR-Trojan.MSIL.Crypt.gen-6cd445a30c85396.exe
- Resource: win10v2004-20220812-en
General
- Target: VXUHEUR-Trojan.MSIL.Crypt.gen-6cd445a30c85396.exe
- Size: 111KB
- MD5: 88e469aebd9529524d4420e3bf7d4964
- SHA1: d8e22b9746702e583b5307b1ed1ac2a0f250f31b
- SHA256: 6cd445a30c853960af9d9ce87a23bf57b22cb494a5c9fe216b2afb296f0654d6
- SHA512: 5977c2755f82ab31375bd0ca99a8ef29d2eabc0a52b62dea40eacc80834250a626293fe017ea3adc5703157760438c5f535475a61b2bfe27a7d4576dfb6ed434
Malware Config
Extracted
- family: njrat
- version: v2.0
- botnet (campaign ID): Victime
- C2: algiriano.ddns.net:6000
- mutex: Windows
- attributes:
  - reg_key: Windows
  - splitter: |-F-|
Signatures
- Executes dropped EXE (1 IoC)
  Processes: WindowsUpdater.bat (pid 1760)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (process: VXUHEUR-Trojan.MSIL.Crypt.gen-6cd445a30c85396.exe)
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk (process: VXUHEUR-Trojan.MSIL.Crypt.gen-6cd445a30c85396.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk (process: WindowsUpdater.bat)
- Adds Run key to start application (2 TTPs, 5 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WindowsUpdater.bat" (process: VXUHEUR-Trojan.MSIL.Crypt.gen-6cd445a30c85396.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (process: WindowsUpdater.bat)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (process: WindowsUpdater.bat)
  Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (process: WindowsUpdater.bat)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (process: WindowsUpdater.bat)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Process: WindowsUpdater.bat (pid 1760)
  Token: SeDebugPrivilege, followed by 32 alternating entries of Token: 33 and Token: SeIncBasePriorityPrivilege (16 of each), all from pid 1760 WindowsUpdater.bat
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1480 (VXUHEUR-Trojan.MSIL.Crypt.gen-6cd445a30c85396.exe) wrote to memory of PID 1760 (WindowsUpdater.bat): 3 entries
  PID 1480 (VXUHEUR-Trojan.MSIL.Crypt.gen-6cd445a30c85396.exe) wrote to memory of PID 4352 (attrib.exe): 3 entries
  PID 1760 (WindowsUpdater.bat) wrote to memory of PID 3616 (attrib.exe): 3 entries
  PID 1760 (WindowsUpdater.bat) wrote to memory of PID 3592 (attrib.exe): 3 entries
- Views/modifies file attributes (1 TTP, 3 IoCs)
  Processes: attrib.exe (pid 4352), attrib.exe (pid 3616), attrib.exe (pid 3592)
Processes
- C:\Users\Admin\AppData\Local\Temp\VXUHEUR-Trojan.MSIL.Crypt.gen-6cd445a30c85396.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\VXUHEUR-Trojan.MSIL.Crypt.gen-6cd445a30c85396.exe"
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.bat
    Command line: "C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.bat"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
      - Views/modifies file attributes
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\attrib.exe
    Command line: attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.bat"
    - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.bat
  Filesize: 111KB
  MD5: 88e469aebd9529524d4420e3bf7d4964
  SHA1: d8e22b9746702e583b5307b1ed1ac2a0f250f31b
  SHA256: 6cd445a30c853960af9d9ce87a23bf57b22cb494a5c9fe216b2afb296f0654d6
  SHA512: 5977c2755f82ab31375bd0ca99a8ef29d2eabc0a52b62dea40eacc80834250a626293fe017ea3adc5703157760438c5f535475a61b2bfe27a7d4576dfb6ed434
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
  Filesize: 1KB
  MD5: c87a0c01932e2b874bc3b392253a663a
  SHA1: 51422af62636aaaedfccbe8e4f49ffc027a90989
  SHA256: 8a2b0b8a4e2bd3a1d8bad6ccd1dd2b92561b9abb7156b6701a6190458507795c
  SHA512: ffd135cebd6e00bb32e0fba5361554e617af27556022ab3cb04c43eae8121ebd17d3868bef382061d7cbc993e805e1501bd580bdcead8f77b44f8889ac14c0a8
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
  Filesize: 1KB
  MD5: 586210e5f1de944d08dd141fcadd408a
  SHA1: 0b539a283bfe6c23839a5c44f668af3ae205288d
  SHA256: 90a7d4cf6b4f075b45da710cf2f1fdfa71d0a654beb240fb74ff968ead06f742
  SHA512: 4a2ffa2d32f1bbcbfb1d0d76509717b9088ccb99557e47b03b03277524d4f1c6bc419dd91537ffd7e8fee7e427c017de3bec88c80c21c326388efe45c3dccca6
- memory/1480-132-0x0000000074A20000-0x0000000074FD1000-memory.dmp (Filesize: 5.7MB)
- memory/1480-138-0x0000000074A20000-0x0000000074FD1000-memory.dmp (Filesize: 5.7MB)
- memory/1760-133-0x0000000000000000-mapping.dmp
- memory/1760-140-0x0000000074A20000-0x0000000074FD1000-memory.dmp (Filesize: 5.7MB)
- memory/1760-143-0x0000000074A20000-0x0000000074FD1000-memory.dmp (Filesize: 5.7MB)
- memory/3592-142-0x0000000000000000-mapping.dmp
- memory/3616-141-0x0000000000000000-mapping.dmp
- memory/4352-136-0x0000000000000000-mapping.dmp