Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-09-2022 15:02
Behavioral tasks
- behavioral1: sample 13715a69c1f82961fa3d3205b9368c83.exe, resource win7-20220812-en
- behavioral2: sample 13715a69c1f82961fa3d3205b9368c83.exe, resource win10v2004-20220901-en (the run described in this report)
General
- Target: 13715a69c1f82961fa3d3205b9368c83.exe
- Size: 27KB
- MD5: 13715a69c1f82961fa3d3205b9368c83
- SHA1: 3b15a0c5fb6a177e12b3de81c7fc30dfda58555a
- SHA256: 0fb86bb905fdc56eef57831ecfcc866a5e55c482462657353a4edfb29c1142ed
- SHA512: f180167942c5f2be95cf8c5089209459ed4a43c7e4270ee8129f7e261c82a52f1d34455fcc79dd920c6c7c8b04c4b9bdc8b323e5e224de414659559b04d99cba
- SSDEEP: 384:5L96uj/+AU9038hfOexuaP39hRnMZAQk93vmhm7UMKmIEecKdbXTzm9bVhcam671:JE0mkspJtyZA/vMHTi9bD
Malware Config
Extracted
- family: njrat
- version: v2.0
- campaign (botnet ID): HacKed (the njRAT default value, so it does not identify a specific operator)
- C2: 2.tcp.eu.ngrok.io:12633 (an ngrok TCP tunnel; the operator's real host sits behind ngrok's relay, and the port is reassigned whenever the tunnel is re-created, so treat host:port as a short-lived indicator)
- install name: Windows (unlabelled field in the extracted config; the same name is used for the Run values and the Startup-folder files listed under Signatures)
- reg_key: Windows
- splitter: |-F-| (the field separator used in the RAT's network messages; stock njRAT builds use |'|'|, so a custom splitter like this one is a useful per-build fingerprint)
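The splitter only matters on the wire. The following is an added example, not code from the report or from njRAT itself: it implements the message framing that public analyses of njRAT describe (ASCII decimal payload length, a NUL byte, then the payload, with fields joined by the configured splitter) so that a detection pipeline can reassemble frames from a TCP stream and split them on the |-F-| value extracted above. The field contents of the sample beacon are constructed for illustration and do not reproduce this sample's real registration message.

```python
"""njRAT-style message framing, parameterised on the splitter extracted from
this sample's config.  Added example; the framing (length, NUL, payload) follows
public descriptions of the njRAT protocol, the sample field values are made up."""

SPLITTER = "|-F-|"  # value extracted from this sample's config


def encode_frame(fields, splitter=SPLITTER):
    """Build one frame: b'<len>\\x00<payload>' where payload = fields joined by splitter."""
    payload = splitter.join(fields).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def decode_frames(buf, splitter=SPLITTER):
    """Pull every complete frame out of `buf` (bytes from a TCP stream).

    Returns (frames, rest): `frames` is a list of field lists, `rest` is the
    unconsumed tail (an incomplete frame, or bytes that do not start with a
    valid '<digits>\\x00' header) so the caller can keep appending stream data.
    """
    frames = []
    while True:
        nul = buf.find(b"\x00")
        # need a short run of ASCII digits terminated by NUL; anything else is
        # either a partial header (wait for more data) or not this protocol
        if nul == -1 or nul > 10 or not buf[:nul].isdigit():
            break
        n = int(buf[:nul])
        start = nul + 1
        if len(buf) < start + n:
            break  # frame body not fully received yet
        payload = buf[start:start + n].decode("utf-8", errors="replace")
        frames.append(payload.split(splitter))
        buf = buf[start + n:]
    return frames, buf


def c2_indicator_matches(fields, expected_splitter_fields=4):
    """Cheap sanity check a NIDS might apply: a registration-style beacon
    splits into at least `expected_splitter_fields` fields on this splitter.
    (Constructed heuristic, not an njRAT protocol rule.)"""
    return len(fields) >= expected_splitter_fields


if __name__ == "__main__":
    # constructed beacon: command word plus three victim fields
    beacon = encode_frame(["ll", "HacKed", "DESKTOP-TEST", "Admin"])
    stream = beacon + encode_frame(["inf", "x"]) + b"12\x00partial"
    frames, rest = decode_frames(stream)
    for f in frames:
        print(f, c2_indicator_matches(f))
    print("leftover:", rest)
```

Feeding `decode_frames` the concatenation of several frames plus a truncated one returns the complete frames and hands the partial tail back, which is the behaviour you want when reassembling from packet captures. Splitting on a stock njRAT separator would leave every field of this sample's traffic unparsed, which is why the extracted splitter belongs in the detection config alongside the C2.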
Signatures
- Executes dropped EXE (1 IoC)
  Process: Payload.exe (PID 2364). Payload.exe carries exactly the same MD5/SHA1/SHA256/SHA512 as the submitted sample (see Downloads), so the first stage writes a copy of itself to %TEMP% and re-executes from there rather than unpacking a distinct second stage.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Process 13715a69c1f82961fa3d3205b9368c83.exe: key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation
- Drops startup file (4 IoCs)
  Processes: 13715a69c1f82961fa3d3205b9368c83.exe, Payload.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk (13715a69c1f82961fa3d3205b9368c83.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk (Payload.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe (Payload.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe (Payload.exe)
- Adds Run key to start application (2 TTPs, 5 IoCs)
  Processes: 13715a69c1f82961fa3d3205b9368c83.exe, Payload.exe
  - Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe" (13715a69c1f82961fa3d3205b9368c83.exe)
  - Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (Payload.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (Payload.exe)
  - Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (Payload.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (Payload.exe)
  Note the sequence: the dropper first points HKCU ...\Run\Windows2 at %TEMP%\Payload.exe, then Payload.exe overwrites that value and adds three more (HKCU and HKLM WOW6432Node, names "Windows" and "Windows2") that all point at a .URL shortcut under %APPDATA%\Microsoft\Windows\Templates. The HKLM writes only succeed if the process is elevated, so on a non-admin host expect the HKCU entries alone. When cleaning up, remove all four values and the Startup-folder files; removing only %TEMP%\Payload.exe leaves the shortcut chain in place.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this "likely ransomware behaviour", but nothing else in this run (no mass file writes or renames, no ransom note) supports that reading for this njRAT sample; drive enumeration here is better read as reconnaissance of attached and removable media.
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Process Payload.exe (PID 2364): enables SeDebugPrivilege once, then alternates 16 times between privilege 33 and SeIncBasePriorityPrivilege (32 further events). Privilege value 33 is SeIncreaseWorkingSetPrivilege in winnt.h numbering. SeDebugPrivilege is the event worth alerting on, since it is what a RAT needs to open other users' and system processes; the repeated SeIncBasePriorityPrivilege adjustments are consistent with the process changing its own priority class and are low signal on their own.
- Suspicious use of WriteProcessMemory (6 IoCs)
  Process 13715a69c1f82961fa3d3205b9368c83.exe (PID 3780):
  - PID 3780 wrote to memory of 2364 (Payload.exe), three times
  - PID 3780 wrote to memory of 3748 (attrib.exe), three times
  Both targets are children it has just created; there are no writes into pre-existing processes, so this is parent-to-child memory setup rather than injection into an unrelated host process.
- Views/modifies file attributes (1 TTP, 1 IoC)
  Process attrib.exe (PID 3748): attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe" (see the process tree below)

Processes
- C:\Users\Admin\AppData\Local\Temp\13715a69c1f82961fa3d3205b9368c83.exe (PID 3780), command line "C:\Users\Admin\AppData\Local\Temp\13715a69c1f82961fa3d3205b9368c83.exe"
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Local\Temp\Payload.exe (PID 2364), command line "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
  - child: C:\Windows\SysWOW64\attrib.exe (PID 3748), command line attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
    - Views/modifies file attributes
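The chain above (Run value pointing at a user-writable path, a .URL shortcut as the autorun target, a Startup-folder drop, and attrib +h +r +s on the copy in %TEMP%) is generic enough to detect without the sample's hashes. The following is an added example, not part of the sandbox report: detection logic written against Sysmon-style events (EventID 1 process create, 11 file create, 13 registry value set, with the field names Sysmon uses), run over constructed events whose values are taken from the IoCs above plus one benign installer event that must not fire. The event dictionaries and rule names are this example's own.

```python
"""Detection rules for the persistence chain in this report, run over
constructed Sysmon-style events.  Added example; the events below are built
from the report's IoCs and are not captured logs."""
import re

# HKCU/HKLM Run and RunOnce keys, with or without the WOW6432Node redirection
RUN_KEY_RE = re.compile(
    r"(?i)\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\"
)
# locations any user can write to; an autorun target here deserves a look
USER_WRITABLE_RE = re.compile(r"(?i)\\(?:AppData\\(?:Local\\Temp|Roaming)|Users\\Public)\\")
STARTUP_FOLDER_RE = re.compile(r"(?i)\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\")


def classify(event):
    """Return the list of rule names this single event triggers (empty if none)."""
    hits = []
    eid = event.get("EventID")
    if eid == 13:  # registry value set
        target = event.get("TargetObject", "")
        details = event.get("Details", "")
        if RUN_KEY_RE.search(target) and USER_WRITABLE_RE.search(details):
            hits.append("run_key_to_user_writable_path")
            if details.lower().endswith((".url", ".lnk")):
                # autorun via a shortcut hides the real binary from naive autoruns review
                hits.append("run_key_via_shortcut")
    elif eid == 11:  # file create
        if STARTUP_FOLDER_RE.search(event.get("TargetFilename", "")):
            hits.append("startup_folder_drop")
    elif eid == 1:  # process create
        cmd = event.get("CommandLine", "")
        toks = cmd.lower().split()
        is_attrib = bool(toks) and toks[0].rsplit("\\", 1)[-1].startswith("attrib")
        if is_attrib and {"+h", "+s"} <= set(toks) and USER_WRITABLE_RE.search(cmd):
            hits.append("attrib_hide_system_in_user_path")
    return hits


def scan(events):
    """Map each alerting image path to the rules it triggered, in event order."""
    report = {}
    for ev in events:
        for rule in classify(ev):
            report.setdefault(ev.get("Image", "?"), []).append(rule)
    return report


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\13715a69c1f82961fa3d3205b9368c83.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
HKCU_RUN = r"HKU\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# constructed events mirroring the report's IoCs, plus one benign control
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": DROPPER, "TargetObject": HKCU_RUN + r"\Windows2", "Details": PAYLOAD},
    {"EventID": 13, "Image": PAYLOAD,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows",
     "Details": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL"},
    {"EventID": 11, "Image": PAYLOAD,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\attrib.exe", "ParentImage": DROPPER,
     "CommandLine": 'attrib +h +r +s "' + PAYLOAD + '"'},
    # benign: an installer registering its agent from Program Files (must not fire)
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
]

if __name__ == "__main__":
    for image, rules in scan(SAMPLE_EVENTS).items():
        print(image, "->", ", ".join(rules))
```

Each rule is individually noisy (plenty of legitimate software writes a Run value under %APPDATA%), so in practice you would correlate them by process tree: the same parent setting a Run value, dropping into Startup and spawning attrib +h +s within a few seconds is the combination worth paging on. Sysmon does not log registry reads, so the Geo\Nation lookup in this report is not something this rule set can see.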
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Payload.exe
- Filesize: 27KB
- MD5: 13715a69c1f82961fa3d3205b9368c83
- SHA1: 3b15a0c5fb6a177e12b3de81c7fc30dfda58555a
- SHA256: 0fb86bb905fdc56eef57831ecfcc866a5e55c482462657353a4edfb29c1142ed
- SHA512: f180167942c5f2be95cf8c5089209459ed4a43c7e4270ee8129f7e261c82a52f1d34455fcc79dd920c6c7c8b04c4b9bdc8b323e5e224de414659559b04d99cba
(identical to the submitted sample: a self-copy, not a second stage)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
- Filesize: 1KB
- MD5: ccb4adf1a003df614fb1f8039d1be10a
- SHA1: 36d91fb76a2ef18acaf219327ff316a8a95d83b6
- SHA256: 84ad0844d225991376347b926b55bcde878f85b6f521fc3dc17e5e657663b9bf
- SHA512: 6fafee22e24d591ad56f5d41bbaeeae065aa81fac92e82372bba1288970926d155374e99e60aeaee7ba86e5ace112ad66e7f1169b4a940e50e0a849faec87184
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
- Filesize: 1KB
- MD5: e4c1ab0952ee24e83a8338bd593e7b0a
- SHA1: 108f2750a77739f5318574aa65287fb9a36fcbb6
- SHA256: 6315a99f3c3f09f568c15aed16b9348da10a8b8b1f3e43322232350fb64f4f59
- SHA512: b189f4cb4438e1017d2ca21dd432acf987f57ce48f141f47a1acde2bf813f35742b8180cc4c48d363d609b91697c4f7c0293c088101f79f82bb66e96422dd7e6
(the Run values under Signatures point at Templates\Windows.URL; the file dumped from that directory is this .lnk, with different hashes from the Startup-folder Windows.lnk, so check both names when hunting)
-
Memory dumps
- memory/2364-133-0x0000000000000000-mapping.dmp
- memory/2364-140-0x0000000075310000-0x00000000758C1000-memory.dmp, 5.7MB
- memory/2364-141-0x0000000075310000-0x00000000758C1000-memory.dmp, 5.7MB
- memory/3748-136-0x0000000000000000-mapping.dmp
- memory/3780-132-0x0000000075310000-0x00000000758C1000-memory.dmp, 5.7MB
- memory/3780-138-0x0000000075310000-0x00000000758C1000-memory.dmp, 5.7MB