Analysis
Max time kernel: 148s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 14-09-2022 19:44
Behavioral task: behavioral1
Sample: 0x000a0000000122f5-56.exe
Resource: win7-20220812-en
General
Target: 0x000a0000000122f5-56.exe
Size: 23KB
MD5: ffa4d67e73388d5573b9e55a029800ab
SHA1: 929760e8f38433556280bc348609273e1d2d25e1
SHA256: 5cf17f3d1a5b7713a357bcd0473986e575733fdee5f10e390272793aeea92700
SHA512: e50f469dc6ac8ed96d7f1a363823202319439e196b3689caf0a53ee4a31aab26b44c0c543e7f879b0268c9f2e6a9bc21797a3af28bb696a68f830ff9dc7dd81c
SSDEEP: 384:2sqS+ER6vRKXGYKRWVSujUtX9w6Dglo61Z5DVmRvR6JZlbw8hqIusZzZNHhy:Bf65K2Yf1jKRpcnumo
Malware Config
Extracted family: njrat
Version: 0.7d
Botnet: HacKed
C2: 0.tcp.ngrok.io:17413
Mutex: ed0dbeeaea86b7db8fabde04117ddf70
Attributes:
  reg_key: ed0dbeeaea86b7db8fabde04117ddf70
  splitter: |'|'|
Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid   process
  1104  server.exe
Modifies Windows Firewall (1 TTP, 1 IoC)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  description        ioc                                                                                                          process
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  0x000a0000000122f5-56.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (33 IoCs)
Processes:
  description                        pid   process
  Token: SeDebugPrivilege            1104  server.exe
  Token: 33                          1104  server.exe
  Token: SeIncBasePriorityPrivilege  1104  server.exe
  (The pair "Token: 33" followed by "Token: SeIncBasePriorityPrivilege" is logged 16 times for pid 1104 server.exe, giving 33 token events in total.)
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                       pid   process                    target process  count
  PID 3424 wrote to memory of 1104  3424  0x000a0000000122f5-56.exe  server.exe      3
  PID 1104 wrote to memory of 1272  1104  server.exe                 netsh.exe       3
Processes
1. C:\Users\Admin\AppData\Local\Temp\0x000a0000000122f5-56.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0x000a0000000122f5-56.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\server.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (child of 2)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 23KB
  MD5: ffa4d67e73388d5573b9e55a029800ab
  SHA1: 929760e8f38433556280bc348609273e1d2d25e1
  SHA256: 5cf17f3d1a5b7713a357bcd0473986e575733fdee5f10e390272793aeea92700
  SHA512: e50f469dc6ac8ed96d7f1a363823202319439e196b3689caf0a53ee4a31aab26b44c0c543e7f879b0268c9f2e6a9bc21797a3af28bb696a68f830ff9dc7dd81c
memory/1104-133-0x0000000000000000-mapping.dmp
memory/1104-137-0x0000000075300000-0x00000000758B1000-memory.dmp
  Filesize: 5.7MB
memory/1104-139-0x0000000075300000-0x00000000758B1000-memory.dmp
  Filesize: 5.7MB
memory/1272-138-0x0000000000000000-mapping.dmp
memory/3424-132-0x0000000075300000-0x00000000758B1000-memory.dmp
  Filesize: 5.7MB
memory/3424-136-0x0000000075300000-0x00000000758B1000-memory.dmp
  Filesize: 5.7MB