Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-09-2022 15:02

Behavioral task: behavioral1
- Sample: 13715a69c1f82961fa3d3205b9368c83.exe
- Resource: win7-20220901-en

Behavioral task: behavioral2
- Sample: 13715a69c1f82961fa3d3205b9368c83.exe
- Resource: win10v2004-20220812-en
General
- Target: 13715a69c1f82961fa3d3205b9368c83.exe
- Size: 27KB
- MD5: 13715a69c1f82961fa3d3205b9368c83
- SHA1: 3b15a0c5fb6a177e12b3de81c7fc30dfda58555a
- SHA256: 0fb86bb905fdc56eef57831ecfcc866a5e55c482462657353a4edfb29c1142ed
- SHA512: f180167942c5f2be95cf8c5089209459ed4a43c7e4270ee8129f7e261c82a52f1d34455fcc79dd920c6c7c8b04c4b9bdc8b323e5e224de414659559b04d99cba
- SSDEEP: 384:5L96uj/+AU9038hfOexuaP39hRnMZAQk93vmhm7UMKmIEecKdbXTzm9bVhcam671:JE0mkspJtyZA/vMHTi9bD
Malware Config
Extracted: njrat
- v2.0
- HacKed
- 2.tcp.eu.ngrok.io:12633
- Windows
- reg_key: Windows
- splitter: |-F-|
Signatures

- Executes dropped EXE (1 IoCs)
  Processes: Payload.exe
  pid | process
  4320 | Payload.exe

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 13715a69c1f82961fa3d3205b9368c83.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 13715a69c1f82961fa3d3205b9368c83.exe

- Drops startup file (4 IoCs)
  Processes: Payload.exe, 13715a69c1f82961fa3d3205b9368c83.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | Payload.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | 13715a69c1f82961fa3d3205b9368c83.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | Payload.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | Payload.exe

- Adds Run key to start application (2 TTPs, 5 IoCs)
  Processes: 13715a69c1f82961fa3d3205b9368c83.exe, Payload.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe" | 13715a69c1f82961fa3d3205b9368c83.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes: Payload.exe
  description | pid | process
  Token: SeDebugPrivilege | 4320 | Payload.exe
  Token: 33 | 4320 | Payload.exe
  Token: SeIncBasePriorityPrivilege | 4320 | Payload.exe
  Token: 33 | 4320 | Payload.exe
  Token: SeIncBasePriorityPrivilege | 4320 | Payload.exe
  Token: 33 | 4320 | Payload.exe
  Token: SeIncBasePriorityPrivilege | 4320 | Payload.exe
  Token: 33 | 4320 | Payload.exe
  Token: SeIncBasePriorityPrivilege | 4320 | Payload.exe
  Token: 33 | 4320 | Payload.exe
  Token: SeIncBasePriorityPrivilege | 4320 | Payload.exe
  Token: 33 | 4320 | Payload.exe
  Token: SeIncBasePriorityPrivilege | 4320 | Payload.exe
  Token: 33 | 4320 | Payload.exe
  Token: SeIncBasePriorityPrivilege | 4320 | Payload.exe
  Token: 33 | 4320 | Payload.exe
  Token: SeIncBasePriorityPrivilege | 4320 | Payload.exe
  Token: 33 | 4320 | Payload.exe
  Token: SeIncBasePriorityPrivilege | 4320 | Payload.exe
  Token: 33 | 4320 | Payload.exe
  Token: SeIncBasePriorityPrivilege | 4320 | Payload.exe
  Token: 33 | 4320 | Payload.exe
  Token: SeIncBasePriorityPrivilege | 4320 | Payload.exe
  Token: 33 | 4320 | Payload.exe
  Token: SeIncBasePriorityPrivilege | 4320 | Payload.exe
  Token: 33 | 4320 | Payload.exe
  Token: SeIncBasePriorityPrivilege | 4320 | Payload.exe
  Token: 33 | 4320 | Payload.exe
  Token: SeIncBasePriorityPrivilege | 4320 | Payload.exe
  Token: 33 | 4320 | Payload.exe
  Token: SeIncBasePriorityPrivilege | 4320 | Payload.exe
  Token: 33 | 4320 | Payload.exe
  Token: SeIncBasePriorityPrivilege | 4320 | Payload.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 13715a69c1f82961fa3d3205b9368c83.exe
  description | pid process | target process
  PID 2472 wrote to memory of 4320 | 2472 13715a69c1f82961fa3d3205b9368c83.exe | Payload.exe
  PID 2472 wrote to memory of 4320 | 2472 13715a69c1f82961fa3d3205b9368c83.exe | Payload.exe
  PID 2472 wrote to memory of 4320 | 2472 13715a69c1f82961fa3d3205b9368c83.exe | Payload.exe
  PID 2472 wrote to memory of 388 | 2472 13715a69c1f82961fa3d3205b9368c83.exe | attrib.exe
  PID 2472 wrote to memory of 388 | 2472 13715a69c1f82961fa3d3205b9368c83.exe | attrib.exe
  PID 2472 wrote to memory of 388 | 2472 13715a69c1f82961fa3d3205b9368c83.exe | attrib.exe

- Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes

- C:\Users\Admin\AppData\Local\Temp\13715a69c1f82961fa3d3205b9368c83.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\13715a69c1f82961fa3d3205b9368c83.exe"
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\Payload.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\attrib.exe (depth 2)
    Command line: attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
    - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\Payload.exe
  Filesize: 27KB
  MD5: 13715a69c1f82961fa3d3205b9368c83
  SHA1: 3b15a0c5fb6a177e12b3de81c7fc30dfda58555a
  SHA256: 0fb86bb905fdc56eef57831ecfcc866a5e55c482462657353a4edfb29c1142ed
  SHA512: f180167942c5f2be95cf8c5089209459ed4a43c7e4270ee8129f7e261c82a52f1d34455fcc79dd920c6c7c8b04c4b9bdc8b323e5e224de414659559b04d99cba
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
  Filesize: 1KB
  MD5: c87a0c01932e2b874bc3b392253a663a
  SHA1: 51422af62636aaaedfccbe8e4f49ffc027a90989
  SHA256: 8a2b0b8a4e2bd3a1d8bad6ccd1dd2b92561b9abb7156b6701a6190458507795c
  SHA512: ffd135cebd6e00bb32e0fba5361554e617af27556022ab3cb04c43eae8121ebd17d3868bef382061d7cbc993e805e1501bd580bdcead8f77b44f8889ac14c0a8

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
  Filesize: 1KB
  MD5: 586210e5f1de944d08dd141fcadd408a
  SHA1: 0b539a283bfe6c23839a5c44f668af3ae205288d
  SHA256: 90a7d4cf6b4f075b45da710cf2f1fdfa71d0a654beb240fb74ff968ead06f742
  SHA512: 4a2ffa2d32f1bbcbfb1d0d76509717b9088ccb99557e47b03b03277524d4f1c6bc419dd91537ffd7e8fee7e427c017de3bec88c80c21c326388efe45c3dccca6

- memory/388-137-0x0000000000000000-mapping.dmp

- memory/2472-132-0x00000000752E0000-0x0000000075891000-memory.dmp
  Filesize: 5.7MB

- memory/2472-133-0x00000000752E0000-0x0000000075891000-memory.dmp
  Filesize: 5.7MB

- memory/2472-139-0x00000000752E0000-0x0000000075891000-memory.dmp
  Filesize: 5.7MB

- memory/4320-134-0x0000000000000000-mapping.dmp

- memory/4320-141-0x00000000752E0000-0x0000000075891000-memory.dmp
  Filesize: 5.7MB

- memory/4320-142-0x00000000752E0000-0x0000000075891000-memory.dmp
  Filesize: 5.7MB