Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-09-2022 23:01
Behavioral task
- behavioral1
- Sample: 0448a1129ee3c9198ea9e4e2d24da6e4.exe
- Resource: win7-20220901-en
General
- Target: 0448a1129ee3c9198ea9e4e2d24da6e4.exe
- Size: 93KB
- MD5: 0448a1129ee3c9198ea9e4e2d24da6e4
- SHA1: e77779889bf71efd4f7f9c0e87b07a970b50179f
- SHA256: 9c59f5c307a254394410941d0053fd57d97478e5900c04fc161d818a7b564d7d
- SHA512: 7108aaa62b8a3c65d8a290017441c5f8c47ab34a9a1edbe83f6600f757ee1a5e37bd5cfeae1e3a1a99079ec126891efbf62ccdf797a8ae04c64405984c55faec
- SSDEEP: 768:hY3AUfhWXxyFcxovUKUJuROprXtWN8eYhYbmXxrjEtCdnl2pi1Rz4Rk3EKZsGdpx:TU5WhIUKcuOJhPhBjEwzGi1dDDDhgS
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: NC50Y3AuZXUubmdyb2suaW8Strik:MTQ1NDU=
- Mutex: 1f895475f5ddc401fae8d2be35829e62
- reg_key: 1f895475f5ddc401fae8d2be35829e62
- splitter: |'|'|

Both halves of the C2 field are base64. The port decodes to 14545 and the host to 4.tcp.eu.ngrok.io, an ngrok TCP tunnel endpoint, so the operator's real address sits behind ngrok's relay and the actionable indicator is the hostname:port pair rather than an IP. The trailing "Strik" in the host field does not decode to printable text and is reproduced here exactly as extracted.
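The C2 field above is base64 in both halves, and the splitter is the token njRAT places between the fields of every message it sends. The following is an added example, not code from the sandbox or from njRAT: it decodes the config fields as they appear on this page and parses one constructed check-in message. The C2 string, splitter and mutex are copied from the report; the message framing (decimal byte length, a NUL byte, then the payload) and the field order of the initial "ll" message are taken from public njRAT 0.7d analyses rather than from this page, and the beacon bytes are constructed, not captured traffic.

```python
"""Decode the njRAT config fields from the report and parse a beacon built with the
same splitter. Added example; not sandbox or njRAT code. Framing and the "ll" field
order follow public njRAT 0.7d write-ups and are assumptions, not facts from this page."""
import base64
import string

RAW_C2 = "NC50Y3AuZXUubmdyb2suaW8Strik:MTQ1NDU="   # copied from the extracted config
SPLITTER = "|'|'|"                                # copied from the extracted config
MUTEX = "1f895475f5ddc401fae8d2be35829e62"        # copied from the extracted config

# Characters allowed in a hostname; anything else ends the host string.
HOST_CHARS = set(string.ascii_letters + string.digits + ".-")


def b64_decode_lenient(field: str) -> bytes:
    """Base64-decode a field, restoring '=' padding that extraction may have dropped.
    validate=True still rejects characters outside the base64 alphabet."""
    field = field.strip()
    field += "=" * (-len(field) % 4)
    return base64.b64decode(field, validate=True)


def decode_c2(raw: str) -> dict:
    """Split 'host_b64:port_b64', decode both halves, and keep only the hostname-safe
    prefix of the host. Bytes after the first non-hostname byte are returned separately
    so a garbled or padded field is reported instead of silently trusted."""
    host_b64, _, port_b64 = raw.rpartition(":")
    host_bytes = b64_decode_lenient(host_b64)
    host = ""
    for b in host_bytes:
        if chr(b) not in HOST_CHARS:
            break
        host += chr(b)
    port = int(b64_decode_lenient(port_b64).decode("ascii"))
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return {"host": host, "port": port, "trailing": host_bytes[len(host):]}


def build_frame(*fields: str) -> bytes:
    """Assumed njRAT framing: '<decimal length>\\x00<payload>', fields joined by SPLITTER.
    Used here only to construct the sample beacon."""
    payload = SPLITTER.join(fields).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_frame(frame: bytes) -> dict:
    """Inverse of build_frame. The length header is checked against the payload that is
    actually present so a truncated capture raises instead of yielding partial fields."""
    length_str, sep, payload = frame.partition(b"\x00")
    if not sep or not length_str.isdigit():
        raise ValueError("missing length prefix")
    if int(length_str) != len(payload):
        raise ValueError(f"length mismatch: header {int(length_str)}, payload {len(payload)}")
    fields = payload.decode("utf-8", errors="replace").split(SPLITTER)
    result = {"command": fields[0], "fields": fields[1:]}
    if fields[0] == "ll" and len(fields) > 1:
        # Initial check-in (assumed layout): first field is '<botnet>_<hwid>'.
        botnet, _, hwid = fields[1].partition("_")
        result["botnet"] = botnet
        result["hwid"] = hwid
    return result


# Constructed sample check-in, not captured traffic. The botnet id matches the
# config; machine name, user, date, OS string and window title are invented.
SAMPLE_BEACON = build_frame(
    "ll", "HacKed_A1B2C3D4", "DESKTOP-SANDBOX", "Admin", "22-09-04", "",
    "Win 10 Pro SP0 x64", "No", "0.7d", "..", "Untitled - Notepad",
)

if __name__ == "__main__":
    print(decode_c2(RAW_C2))
    print(parse_frame(SAMPLE_BEACON))
```

Decoding the report's string yields host 4.tcp.eu.ngrok.io and port 14545; the four bytes left over after the hostname are the decoded form of the trailing "Strik", which is why the decoder keeps the printable prefix and hands back the remainder rather than trusting the whole field. Tokenising on the splitter and checking the length header is enough to recover the botnet name from a check-in on the wire, which is the cheapest way to tie a network capture back to this config.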
Signatures
- Executes dropped EXE (1 IoC)
  Processes: server.exe (PID 1484)
- Modifies Windows Firewall (1 TTP, 1 IoC)
  Recorded against the netsh.exe command line shown in the process tree.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: 0448a1129ee3c9198ea9e4e2d24da6e4.exe queried the key value \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
  Caveat: GetUserGeoID and the .NET RegionInfo initialisation read this same value, so for a .NET stub such as njRAT a single query is weak evidence of geofencing unless the run also shows behaviour changing with the result.
- Drops startup file (2 IoCs)
  Processes: server.exe created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, then opened the same file for modification. A copy in the per-user Startup folder runs at every logon without touching the registry; the reg_key value in the config is the name njRAT uses for its Run-key entry, and no registry write is recorded in this run.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature calls it likely ransomware behaviour; for an njRAT stub, drive enumeration fits its file-manager and removable-drive spreading features, and nothing in this run shows file encryption.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: server.exe (PID 1484). Repeated GetForegroundWindow calls are how njRAT tracks the active window title for its keylogger and victim status line.
- Suspicious use of AdjustPrivilegeToken (37 IoCs)
  Processes: server.exe (PID 1484) enabled SeDebugPrivilege once, then Token 33 and SeIncBasePriorityPrivilege alternately, 18 times each. The sandbox leaves token 33 unnamed; LUID 33 is SeIncreaseWorkingSetPrivilege. SeDebugPrivilege requested by a user-mode RAT is the entry worth alerting on.
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: PID 1952 (0448a1129ee3c9198ea9e4e2d24da6e4.exe) wrote to memory of PID 1484 (server.exe) three times; PID 1484 (server.exe) wrote to memory of PID 4964 (netsh.exe) three times. Each burst coincides with that process spawning the target, which is the write pattern ordinary process creation produces when the parent fills in the new process's parameters; on its own it mirrors the process tree rather than indicating code injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\0448a1129ee3c9198ea9e4e2d24da6e4.exe (PID 1952)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0448a1129ee3c9198ea9e4e2d24da6e4.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\server.exe (PID 1484)
    Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
    - Executes dropped EXE
    - Drops startup file
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 4964)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
      - Modifies Windows Firewall

The netsh invocation uses the pre-Vista "netsh firewall" syntax; current Windows still honours it after printing a deprecation notice, and the resulting allow rule for server.exe is the change recorded as Modifies Windows Firewall. The SysWOW64 path shows the parent is 32-bit: file-system redirection resolves netsh.exe to the 32-bit copy. Changing firewall rules needs an elevated token, so on a host with UAC enforced this step fails for a standard-user infection while the Startup-folder persistence still succeeds.
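The tree reads as a fixed drop-and-persist sequence: the Temp-resident dropper launches a copy of itself from AppData\Roaming, the copy writes itself into the per-user Startup folder and then adds a firewall exception for its own path through netsh. The block below, an added example rather than anything from the sandbox, turns those three observations into detection rules over process-creation and file-creation events. The events are constructed to mirror the tree (PIDs, image paths and the netsh command line are copied from the report; the parent of PID 1952 is unknown in the report and left as None, the benign advfirewall control event is invented, and the field names pid, ppid, image, cmdline and target are this example's own), so the rules can be exercised offline.

```python
"""Detection rules for the njRAT persistence chain in the process tree above.
Added example; events are constructed to mirror the report, not taken from a real log."""
import re

# Path classes used by the rules (this example's own definitions).
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
TEMP_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\[^\\]+$", re.I)
# Legacy form used by njRAT, and the advfirewall form, each capturing the program path.
NETSH_LEGACY = re.compile(r'\bfirewall\s+add\s+allowedprogram\s+(?:"([^"]+)"|(\S+))', re.I)
NETSH_ADV = re.compile(r'\badvfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=(?:"([^"]+)"|(\S+))', re.I)

PROCESS_EVENTS = [  # constructed from the report's process tree; ppid of 1952 is not in the report
    {"pid": 1952, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\0448a1129ee3c9198ea9e4e2d24da6e4.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\0448a1129ee3c9198ea9e4e2d24da6e4.exe"'},
    {"pid": 1484, "ppid": 1952,
     "image": r"C:\Users\Admin\AppData\Roaming\server.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\server.exe"'},
    {"pid": 4964, "ppid": 1484,
     "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE'},
    {"pid": 5120, "ppid": 800,  # invented benign control: allow rule for a Program Files binary
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="Corp VPN" dir=in action=allow program="C:\Program Files\Corp\vpn.exe"'},
]
FILE_EVENTS = [  # constructed; the first mirrors the 'Drops startup file' IoC
    {"pid": 1484, "image": r"C:\Users\Admin\AppData\Roaming\server.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe"},
    {"pid": 1484, "image": r"C:\Users\Admin\AppData\Roaming\server.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\app"},
]


def netsh_allowed_program(cmdline: str):
    """Return the program path a netsh allow rule targets, or None if the command
    line is not a netsh allow rule (block rules and unrelated netsh use return None)."""
    if not re.search(r"\bnetsh(?:\.exe)?\b", cmdline, re.I):
        return None
    m = NETSH_LEGACY.search(cmdline)
    if m:
        return m.group(1) or m.group(2)
    m = NETSH_ADV.search(cmdline)
    if m and re.search(r"\baction=allow\b", cmdline, re.I):
        return m.group(1) or m.group(2)
    return None


def detect(proc_events, file_events):
    """Return (rule, pid, detail) tuples for the three behaviours seen in the report."""
    by_pid = {e["pid"]: e for e in proc_events}
    alerts = []
    for e in proc_events:
        parent = by_pid.get(e["ppid"])
        prog = netsh_allowed_program(e["cmdline"])
        if prog and USER_WRITABLE.match(prog):
            alerts.append(("firewall_allow_user_writable", e["pid"], prog))
        if (parent and TEMP_DIR.match(parent["image"])
                and USER_WRITABLE.match(e["image"]) and not TEMP_DIR.match(e["image"])):
            alerts.append(("temp_drops_and_runs_appdata_exe", e["pid"], e["image"]))
    for f in file_events:
        if STARTUP_DIR.search(f["target"]) and USER_WRITABLE.match(f["image"]):
            alerts.append(("startup_file_from_user_writable", f["pid"], f["target"]))
    return alerts


def persistence_chains(proc_events, file_events):
    """Group alerts by the binary that benefits: the firewall-allowed program, the
    dropped AppData executable and the Startup-folder writer. All three landing on one
    image is the njRAT sequence in the tree above."""
    by_pid = {e["pid"]: e for e in proc_events}
    chains = {}
    for rule, pid, detail in detect(proc_events, file_events):
        key = detail if rule == "firewall_allow_user_writable" else by_pid[pid]["image"]
        chains.setdefault(key.lower(), set()).add(rule)
    return {image: sorted(rules) for image, rules in chains.items()}


if __name__ == "__main__":
    for alert in detect(PROCESS_EVENTS, FILE_EVENTS):
        print(alert)
    print(persistence_chains(PROCESS_EVENTS, FILE_EVENTS))
```

Running it yields three alerts, all attributed to C:\Users\Admin\AppData\Roaming\server.exe, and none for the advfirewall rule that allows a program under Program Files. The legacy "netsh firewall add allowedprogram" form is matched explicitly alongside the advfirewall form because Windows 10 still accepts it, which is why this family keeps using it; restricting the firewall rule to programs under user-writable paths is what keeps the rule quiet on administrator-driven changes.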
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\app
  Filesize: 4B
  MD5: c6bdbc9d86009ccf7e8de878c9603213
  SHA1: 2a4b8716f978f2d107bcd8294b486a5ee45afe6e
  SHA256: 36a067fdfcee95eb270f0b72e3b9e40d52c907d749fb9a8490d82f8ee56b29eb
  SHA512: c42a52cd8837e2533b3d5ec97639f0c94287e3d7a6c73635c21df50eba8483b60df15bf262a308836875cd9afed504e7f98a2f6b254e4181fe548b1853d42256
- C:\Users\Admin\AppData\Roaming\server.exe (the sandbox lists this file twice with identical hashes)
  Filesize: 93KB
  MD5: 0448a1129ee3c9198ea9e4e2d24da6e4
  SHA1: e77779889bf71efd4f7f9c0e87b07a970b50179f
  SHA256: 9c59f5c307a254394410941d0053fd57d97478e5900c04fc161d818a7b564d7d
  SHA512: 7108aaa62b8a3c65d8a290017441c5f8c47ab34a9a1edbe83f6600f757ee1a5e37bd5cfeae1e3a1a99079ec126891efbf62ccdf797a8ae04c64405984c55faec
  These hashes equal those of the submitted sample: server.exe is a byte-for-byte self-copy, so one file hash covers both the dropper and the persistent copy.
- memory/1484-133-0x0000000000000000-mapping.dmp
- memory/1484-137-0x00000000747D0000-0x0000000074D81000-memory.dmp
  Filesize: 5.7MB
- memory/1484-140-0x00000000747D0000-0x0000000074D81000-memory.dmp
  Filesize: 5.7MB
- memory/1952-132-0x00000000747D0000-0x0000000074D81000-memory.dmp
  Filesize: 5.7MB
- memory/1952-136-0x00000000747D0000-0x0000000074D81000-memory.dmp
  Filesize: 5.7MB
- memory/4964-139-0x0000000000000000-mapping.dmp