Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-08-2022 23:00
Behavioral task behavioral1
- Sample: 0x000a000000012322-61.exe
- Resource: win7-20220812-en
Behavioral task behavioral2
- Sample: 0x000a000000012322-61.exe
- Resource: win10v2004-20220812-en
General
- Target: 0x000a000000012322-61.exe
- Size: 23KB
- MD5: 6c1b4cac2813540e07e0a9665eed145a
- SHA1: 6b6a609afa15bc53ba55883139cff88db5e5fcc8
- SHA256: 5a68f9ddf03ff74628e5886c0722c09d288b251987cbbabe8dd192cdfe71e126
- SHA512: d0ca2001b54cb57769be5334036eaa7e05d584afaa11b56dc1003b60fec0d31e88db3a1e894ed7f8791fa1f95b3f9061f779b7790bdadc570abfbaf766530846
- SSDEEP: 384:mY324bcgPiJLQrfARGSRUJsbY6ZgvSMBD3t8mRvR6JZlbw8hqIusZzZ5rv:pL2s+tRyRpcnuQj
Malware Config
Extracted
- njrat
- 0.7d
- HacKed
- 8.tcp.ngrok.io:16697
- 48f98c994dec482c661547c02a2922ac
- reg_key: 48f98c994dec482c661547c02a2922ac
- splitter: |'|'|
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
  pid 4668, process putty.exe
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  0x000a000000012322-61.exe: Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  putty.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\48f98c994dec482c661547c02a2922ac = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\putty.exe\" .."
  putty.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\48f98c994dec482c661547c02a2922ac = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\putty.exe\" .."
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 35 IoCs
Processes (all entries pid 4668, process putty.exe):
  Token: SeDebugPrivilege
  Token: 33 and Token: SeIncBasePriorityPrivilege, alternating, for the remaining 34 entries
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
  PID 1460 (0x000a000000012322-61.exe) wrote to memory of 4668 (putty.exe), 3 times
  PID 4668 (putty.exe) wrote to memory of 4448 (netsh.exe), 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\0x000a000000012322-61.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0x000a000000012322-61.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\putty.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\putty.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\putty.exe" "putty.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\putty.exe
  Filesize: 23KB
  MD5: 6c1b4cac2813540e07e0a9665eed145a
  SHA1: 6b6a609afa15bc53ba55883139cff88db5e5fcc8
  SHA256: 5a68f9ddf03ff74628e5886c0722c09d288b251987cbbabe8dd192cdfe71e126
  SHA512: d0ca2001b54cb57769be5334036eaa7e05d584afaa11b56dc1003b60fec0d31e88db3a1e894ed7f8791fa1f95b3f9061f779b7790bdadc570abfbaf766530846
- memory/1460-132-0x0000000074FD0000-0x0000000075581000-memory.dmp
  Filesize: 5.7MB
- memory/1460-136-0x0000000074FD0000-0x0000000075581000-memory.dmp
  Filesize: 5.7MB
- memory/4448-138-0x0000000000000000-mapping.dmp
- memory/4668-133-0x0000000000000000-mapping.dmp
- memory/4668-137-0x0000000074FD0000-0x0000000075581000-memory.dmp
  Filesize: 5.7MB
- memory/4668-139-0x0000000074FD0000-0x0000000075581000-memory.dmp
  Filesize: 5.7MB