Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-09-2022 19:21
Behavioral task: behavioral1
Sample: 057d62261912947a1f18f01aa7afd23f.exe
Resource: win7-20220812-en
General
Target: 057d62261912947a1f18f01aa7afd23f.exe
Size: 37KB
MD5: 057d62261912947a1f18f01aa7afd23f
SHA1: 31a7eb1006791f6e9ce3f92bf4c6df4cbf2b2a26
SHA256: 0633a748ff46014de54f04842b330746f815c669a1f6074e8beaec6b07f51937
SHA512: 7393f6d8ee85cc17b8a9bb0cd34c3dc1f81babf3febece1c8125e37b03044455f3081677ee3f5f730195209f8c35cd14e6692892ee36532bc938321b77570939
SSDEEP: 384:AkqIiuVjtD+P3V+y0bf2TKtvN4suKfdrAF+rMRTyN/0L+EcoinblneHQM3epzXHz:DNmV10bf2TKtClK1rM+rMRa8Nu5xt
Malware Config
Extracted family: njrat
Version: im523
Campaign (botnet) ID: HacKed
C2: 8.tcp.ngrok.io:10195 (ngrok TCP tunnel)
Mutex: e5fb6e8df0343904c919e4379c7d6680
reg_key: e5fb6e8df0343904c919e4379c7d6680
splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    3452  OneTapV4.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description        ioc                                                                                                   process
    Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation   057d62261912947a1f18f01aa7afd23f.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes:
    description                        pid   process
    Token: SeDebugPrivilege            3452  OneTapV4.exe
    Token: 33                          3452  OneTapV4.exe
    Token: SeIncBasePriorityPrivilege  3452  OneTapV4.exe
    (the last two entries alternate repeatedly for the same process; 35 entries in total)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                       pid   process                               target process
    PID 1880 wrote to memory of 3452  1880  057d62261912947a1f18f01aa7afd23f.exe  OneTapV4.exe   (3 entries)
    PID 3452 wrote to memory of 652   3452  OneTapV4.exe                          netsh.exe      (3 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\057d62261912947a1f18f01aa7afd23f.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\057d62261912947a1f18f01aa7afd23f.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\OneTapV4.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\OneTapV4.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\OneTapV4.exe" "OneTapV4.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\OneTapV4.exe
  Filesize: 37KB
  MD5: 057d62261912947a1f18f01aa7afd23f
  SHA1: 31a7eb1006791f6e9ce3f92bf4c6df4cbf2b2a26
  SHA256: 0633a748ff46014de54f04842b330746f815c669a1f6074e8beaec6b07f51937
  SHA512: 7393f6d8ee85cc17b8a9bb0cd34c3dc1f81babf3febece1c8125e37b03044455f3081677ee3f5f730195209f8c35cd14e6692892ee36532bc938321b77570939
  (same hashes as the submitted sample: the dropped OneTapV4.exe is a copy of it)
- memory/652-138-0x0000000000000000-mapping.dmp
- memory/1880-132-0x00000000745F0000-0x0000000074BA1000-memory.dmp (Filesize: 5.7MB)
- memory/1880-137-0x00000000745F0000-0x0000000074BA1000-memory.dmp (Filesize: 5.7MB)
- memory/3452-133-0x0000000000000000-mapping.dmp
- memory/3452-136-0x00000000745F0000-0x0000000074BA1000-memory.dmp (Filesize: 5.7MB)
- memory/3452-139-0x00000000745F0000-0x0000000074BA1000-memory.dmp (Filesize: 5.7MB)