Analysis

max time kernel: 146s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-08-2022 14:12

Static task: static1
Behavioral task: behavioral1
Sample: 2944260deaa025272074f9a2ac84ffd7.exe
Resource: win7-20220812-en
General

Target: 2944260deaa025272074f9a2ac84ffd7.exe
Size: 347KB
MD5: 2944260deaa025272074f9a2ac84ffd7
SHA1: 18aa80fcd4efade56a68ce67a38f8e148d38e863
SHA256: 76de9acdc679b628b2982e417d9b9d3329841439f9ccfb70e4e11e162ec1eb68
SHA512: 84e15d0cef4d0a34fecb7238aa3e02c2ecd19e0e5beb1474d6c8cb74b40eaae3e097455b2e2a71a6ae02113192a67f52149231313a9e992a9c13c4da22366653
SSDEEP: 6144:SiDdgU7fEMhpd2cBcr39lIKdK8RKzd+jAYLToFYAah+eCH5+Hn0Su34KB:1fEWpdPKrNlIKdK8RKwOXo+J4H0SQ
Malware Config

Extracted
Family: njrat
Version: 0.7d
HacKed
FRANSESCOC50Y3AuZXUubmdyb2suaW8Strik:MTU4OTA=
0ec537396f8c89c665c6c857f7fa4b8a
reg_key: 0ec537396f8c89c665c6c857f7fa4b8a
splitter: |'|'|
Signatures

Executes dropped EXE (2 IoCs)
Processes:
- PID 316: Server.exe
- PID 4460: server.exe

Modifies Windows Firewall (1 TTP, 3 IoCs)
Processes:
- PID 4052: netsh.exe
- PID 804: netsh.exe
- PID 3092: netsh.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (key value queried):
- \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation, queried by 2944260deaa025272074f9a2ac84ffd7.exe
- \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation, queried by Server.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
- PID 4460: server.exe

Suspicious use of AdjustPrivilegeToken (33 IoCs)
Processes:
- PID 4460 server.exe: Token: SeDebugPrivilege, followed by 16 repetitions of the pair Token: 33 / Token: SeIncBasePriorityPrivilege (33 entries in total)

Suspicious use of WriteProcessMemory (15 IoCs)
Processes (each parent-to-target write is recorded three times):
- PID 4644 2944260deaa025272074f9a2ac84ffd7.exe wrote to memory of PID 316 Server.exe (x3)
- PID 316 Server.exe wrote to memory of PID 4460 server.exe (x3)
- PID 4460 server.exe wrote to memory of PID 804 netsh.exe (x3)
- PID 4460 server.exe wrote to memory of PID 3092 netsh.exe (x3)
- PID 4460 server.exe wrote to memory of PID 4052 netsh.exe (x3)
Processes

1. C:\Users\Admin\AppData\Local\Temp\2944260deaa025272074f9a2ac84ffd7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2944260deaa025272074f9a2ac84ffd7.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Server.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Server.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\server.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
         - Executes dropped EXE
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\netsh.exe
            Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
            - Modifies Windows Firewall

         4. C:\Windows\SysWOW64\netsh.exe
            Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
            - Modifies Windows Firewall

         4. C:\Windows\SysWOW64\netsh.exe
            Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
            - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log
  Filesize: 408B
  MD5: 661cab77d3b907e8057f2e689e995af3
  SHA1: 5d1a0ee9c5ee7a7a90d56d00c10dc0e679bee01c
  SHA256: 8f27f95ad7c09f2e05d7960e78ef8cd935c1262e9657883a75d70dcb877592d2
  SHA512: 2523b316bd79fed0e9b3d73f46959f3dfe270cf950f34bd9d49fe4113a2ae46d0cd00224d848bc40c0d8c55449e2dccc4b4278ba4809c0ca9ede1ac75673fc67

- C:\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 93KB
  MD5: 6633e4a02ef0a596391274133458fe08
  SHA1: 194b28b1494dd31941e2404094034a55062fdc86
  SHA256: af57cecf462d2f8321a842aca1566a9629d2315958a7a0252ca8c8e7e0e993d7
  SHA512: 449e6ae83ce6d82be9b9e90c3fd07ac358c4cb8f3d8fc273057de7caa59cf51bbdb55b03cf063c5651cf8d23354cd3d178830ad580301c2764bec7c0b21842ba
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Server.exe
  Filesize: 93KB
  MD5: 6633e4a02ef0a596391274133458fe08
  SHA1: 194b28b1494dd31941e2404094034a55062fdc86
  SHA256: af57cecf462d2f8321a842aca1566a9629d2315958a7a0252ca8c8e7e0e993d7
  SHA512: 449e6ae83ce6d82be9b9e90c3fd07ac358c4cb8f3d8fc273057de7caa59cf51bbdb55b03cf063c5651cf8d23354cd3d178830ad580301c2764bec7c0b21842ba
- C:\Users\Admin\AppData\Roaming\app
  Filesize: 5B
  MD5: b66e20886f9675fe4dbf430ea2d0bf8d
  SHA1: 2e676da72201e6e4482e00b300511900c6aee5a0
  SHA256: 899a421c56c18058cbdd16dd7fb313a57d36c1189ca0f442070ed01d17241414
  SHA512: f431616522f775de27ccde420f0de6f8b3477fbe97cfd8001864b8289a570916a6dd32c84fcf8af6083d8c1b47c61aa5c73ed1e7cc75213d3f24bd94a93cb870
Memory dumps:
- memory/316-133-0x0000000000000000-mapping.dmp
- memory/316-147-0x0000000074EC0000-0x0000000075471000-memory.dmp (Filesize: 5.7MB)
- memory/316-137-0x0000000074EC0000-0x0000000075471000-memory.dmp (Filesize: 5.7MB)
- memory/804-144-0x0000000000000000-mapping.dmp
- memory/3092-145-0x0000000000000000-mapping.dmp
- memory/4052-146-0x0000000000000000-mapping.dmp
- memory/4460-138-0x0000000000000000-mapping.dmp
- memory/4460-143-0x0000000074EC0000-0x0000000075471000-memory.dmp (Filesize: 5.7MB)
- memory/4460-148-0x0000000074EC0000-0x0000000075471000-memory.dmp (Filesize: 5.7MB)
- memory/4644-132-0x0000000074EC0000-0x0000000075471000-memory.dmp (Filesize: 5.7MB)
- memory/4644-136-0x0000000074EC0000-0x0000000075471000-memory.dmp (Filesize: 5.7MB)