Analysis
max time kernel: 123s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-09-2022 12:22
Behavioral task: behavioral1
Sample: 255e87bd4a3dcd9a9029d28789618f55.exe
Resource: win7-20220812-en
General
Target: 255e87bd4a3dcd9a9029d28789618f55.exe
Size: 23KB
MD5: 255e87bd4a3dcd9a9029d28789618f55
SHA1: bfe289ecba86b3685be8092110deb54556824e6f
SHA256: e82555397d481c3f94c3e573022868bc323d5d3b6cc4af88eb7eff6e41711a15
SHA512: 6e8d9fc3739e735379532faf386564ccce399c168040570e4520f3922214e4e600b794b583ed522b4f7fdd4c81ce02b602980c7a89291ecbb4e07567d8d834aa
SSDEEP: 384:n8aY1ia0N/IH+WUiWiLcXyUTly2Rc87po6ngB8W+tqlf5mRvR6JZlbw8hqIusZzM:m1Re/E+WUiW6ci6NR7tZRpcnut
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: HacKed
C2: 51.68.160.90:5552
Mutex: e1c9d16af5e1738b14f272c73a4cddae
Attributes:
  reg_key: e1c9d16af5e1738b14f272c73a4cddae
  splitter: |'|'|
Signatures

Executes dropped EXE (1 IoC)
Processes: Host Process for Windows Tasks.exe
  pid   process
  2800  Host Process for Windows Tasks.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 255e87bd4a3dcd9a9029d28789618f55.exe
  description        ioc                                                                                                       process
  Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  255e87bd4a3dcd9a9029d28789618f55.exe

Drops file in Windows directory (1 IoC)
Processes: dw20.exe
  description   ioc                                               process
  File created  C:\Windows\AppCompat\Programs\Amcache.hve.tmp     dw20.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: dw20.exe
  description        ioc                                                                              process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                 dw20.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz            dw20.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  dw20.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes: dw20.exe
  description        ioc                                                       process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS        dw20.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  dw20.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: dw20.exe
  description               pid   process
  Token: SeRestorePrivilege 4808  dw20.exe
  Token: SeBackupPrivilege  4808  dw20.exe
  Token: SeBackupPrivilege  4808  dw20.exe
  Token: SeBackupPrivilege  4808  dw20.exe
  Token: SeBackupPrivilege  4808  dw20.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 255e87bd4a3dcd9a9029d28789618f55.exe, Host Process for Windows Tasks.exe
  description                       pid   process                               target process
  PID 2056 wrote to memory of 2800  2056  255e87bd4a3dcd9a9029d28789618f55.exe  Host Process for Windows Tasks.exe
  PID 2056 wrote to memory of 2800  2056  255e87bd4a3dcd9a9029d28789618f55.exe  Host Process for Windows Tasks.exe
  PID 2056 wrote to memory of 2800  2056  255e87bd4a3dcd9a9029d28789618f55.exe  Host Process for Windows Tasks.exe
  PID 2800 wrote to memory of 4808  2800  Host Process for Windows Tasks.exe    dw20.exe
  PID 2800 wrote to memory of 4808  2800  Host Process for Windows Tasks.exe    dw20.exe
  PID 2800 wrote to memory of 4808  2800  Host Process for Windows Tasks.exe    dw20.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\255e87bd4a3dcd9a9029d28789618f55.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\255e87bd4a3dcd9a9029d28789618f55.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Host Process for Windows Tasks.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Host Process for Windows Tasks.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
         Command line: dw20.exe -x -s 784
         - Drops file in Windows directory
         - Checks processor information in registry
         - Enumerates system info in registry
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\Host Process for Windows Tasks.exe
  Filesize: 23KB
  MD5: 255e87bd4a3dcd9a9029d28789618f55
  SHA1: bfe289ecba86b3685be8092110deb54556824e6f
  SHA256: e82555397d481c3f94c3e573022868bc323d5d3b6cc4af88eb7eff6e41711a15
  SHA512: 6e8d9fc3739e735379532faf386564ccce399c168040570e4520f3922214e4e600b794b583ed522b4f7fdd4c81ce02b602980c7a89291ecbb4e07567d8d834aa
memory/2056-132-0x00000000753A0000-0x0000000075951000-memory.dmp
  Filesize: 5.7MB

memory/2056-133-0x00000000753A0000-0x0000000075951000-memory.dmp
  Filesize: 5.7MB

memory/2056-139-0x00000000753A0000-0x0000000075951000-memory.dmp
  Filesize: 5.7MB

memory/2800-134-0x0000000000000000-mapping.dmp

memory/2800-138-0x00000000753A0000-0x0000000075951000-memory.dmp
  Filesize: 5.7MB

memory/4808-137-0x0000000000000000-mapping.dmp