Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system -
submitted
21-09-2022 06:01
Behavioral task
behavioral1
Sample
47bea8a28b1e81e3342d594fc57acd8e.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
47bea8a28b1e81e3342d594fc57acd8e.exe
Resource
win10v2004-20220812-en
General
-
Target
47bea8a28b1e81e3342d594fc57acd8e.exe
-
Size
27KB
-
MD5
47bea8a28b1e81e3342d594fc57acd8e
-
SHA1
d301e8985e53b7baabf9b45df087a017e3817742
-
SHA256
8f04eb500e66a053fa3e6e8a9900e94e794218253a172265c3a881db6f65faf4
-
SHA512
d5f2bfa425fa0c8d7fe2531b57ed9dbe5ca9b8bb8b7a868e39b251182446a22bcf01c3181d17b3362bc2a76b56cda1e504db2436fafbf922ee2120f76e8d00b6
-
SSDEEP
384:2LBH6uj/+AU9038hfOexuaP39hRnMYAQk93vmhm7UMKmIEecKdbXTzm9bVhcaL62:wBa0mkspJtyYA/vMHTi9bD
Malware Config
Extracted
njrat
v4.0
HacKed
216.250.251.104:2028
Windows
-
reg_key
Windows
-
splitter
|-F-|
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
Payload.exe
pid | process
1936 | Payload.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
47bea8a28b1e81e3342d594fc57acd8e.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 47bea8a28b1e81e3342d594fc57acd8e.exe
-
Drops startup file 2 IoCs
Processes:
47bea8a28b1e81e3342d594fc57acd8e.exe, Payload.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | 47bea8a28b1e81e3342d594fc57acd8e.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | Payload.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
47bea8a28b1e81e3342d594fc57acd8e.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Payload.exe" | 47bea8a28b1e81e3342d594fc57acd8e.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 33 IoCs
Processes:
Payload.exe
description | pid | process
Token: SeDebugPrivilege | 1936 | Payload.exe
Token: 33 | 1936 | Payload.exe
Token: SeIncBasePriorityPrivilege | 1936 | Payload.exe
Token: 33 | 1936 | Payload.exe
Token: SeIncBasePriorityPrivilege | 1936 | Payload.exe
Token: 33 | 1936 | Payload.exe
Token: SeIncBasePriorityPrivilege | 1936 | Payload.exe
Token: 33 | 1936 | Payload.exe
Token: SeIncBasePriorityPrivilege | 1936 | Payload.exe
Token: 33 | 1936 | Payload.exe
Token: SeIncBasePriorityPrivilege | 1936 | Payload.exe
Token: 33 | 1936 | Payload.exe
Token: SeIncBasePriorityPrivilege | 1936 | Payload.exe
Token: 33 | 1936 | Payload.exe
Token: SeIncBasePriorityPrivilege | 1936 | Payload.exe
Token: 33 | 1936 | Payload.exe
Token: SeIncBasePriorityPrivilege | 1936 | Payload.exe
Token: 33 | 1936 | Payload.exe
Token: SeIncBasePriorityPrivilege | 1936 | Payload.exe
Token: 33 | 1936 | Payload.exe
Token: SeIncBasePriorityPrivilege | 1936 | Payload.exe
Token: 33 | 1936 | Payload.exe
Token: SeIncBasePriorityPrivilege | 1936 | Payload.exe
Token: 33 | 1936 | Payload.exe
Token: SeIncBasePriorityPrivilege | 1936 | Payload.exe
Token: 33 | 1936 | Payload.exe
Token: SeIncBasePriorityPrivilege | 1936 | Payload.exe
Token: 33 | 1936 | Payload.exe
Token: SeIncBasePriorityPrivilege | 1936 | Payload.exe
Token: 33 | 1936 | Payload.exe
Token: SeIncBasePriorityPrivilege | 1936 | Payload.exe
Token: 33 | 1936 | Payload.exe
Token: SeIncBasePriorityPrivilege | 1936 | Payload.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
47bea8a28b1e81e3342d594fc57acd8e.exe
description | pid | process | target process
PID 3172 wrote to memory of 1936 | 3172 | 47bea8a28b1e81e3342d594fc57acd8e.exe | Payload.exe
PID 3172 wrote to memory of 1936 | 3172 | 47bea8a28b1e81e3342d594fc57acd8e.exe | Payload.exe
PID 3172 wrote to memory of 1936 | 3172 | 47bea8a28b1e81e3342d594fc57acd8e.exe | Payload.exe
PID 3172 wrote to memory of 4036 | 3172 | 47bea8a28b1e81e3342d594fc57acd8e.exe | attrib.exe
PID 3172 wrote to memory of 4036 | 3172 | 47bea8a28b1e81e3342d594fc57acd8e.exe | attrib.exe
PID 3172 wrote to memory of 4036 | 3172 | 47bea8a28b1e81e3342d594fc57acd8e.exe | attrib.exe
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\47bea8a28b1e81e3342d594fc57acd8e.exe
"C:\Users\Admin\AppData\Local\Temp\47bea8a28b1e81e3342d594fc57acd8e.exe"
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Roaming\Payload.exe
  "C:\Users\Admin\AppData\Roaming\Payload.exe"
  - Executes dropped EXE
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
-
  C:\Windows\SysWOW64\attrib.exe
  attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Payload.exe"
  - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
Filesize
1KB
MD5
c87a0c01932e2b874bc3b392253a663a
SHA1
51422af62636aaaedfccbe8e4f49ffc027a90989
SHA256
8a2b0b8a4e2bd3a1d8bad6ccd1dd2b92561b9abb7156b6701a6190458507795c
SHA512
ffd135cebd6e00bb32e0fba5361554e617af27556022ab3cb04c43eae8121ebd17d3868bef382061d7cbc993e805e1501bd580bdcead8f77b44f8889ac14c0a8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
Filesize
1KB
MD5
586210e5f1de944d08dd141fcadd408a
SHA1
0b539a283bfe6c23839a5c44f668af3ae205288d
SHA256
90a7d4cf6b4f075b45da710cf2f1fdfa71d0a654beb240fb74ff968ead06f742
SHA512
4a2ffa2d32f1bbcbfb1d0d76509717b9088ccb99557e47b03b03277524d4f1c6bc419dd91537ffd7e8fee7e427c017de3bec88c80c21c326388efe45c3dccca6
-
C:\Users\Admin\AppData\Roaming\Payload.exe
Filesize
27KB
MD5
47bea8a28b1e81e3342d594fc57acd8e
SHA1
d301e8985e53b7baabf9b45df087a017e3817742
SHA256
8f04eb500e66a053fa3e6e8a9900e94e794218253a172265c3a881db6f65faf4
SHA512
d5f2bfa425fa0c8d7fe2531b57ed9dbe5ca9b8bb8b7a868e39b251182446a22bcf01c3181d17b3362bc2a76b56cda1e504db2436fafbf922ee2120f76e8d00b6
-
memory/1936-135-0x0000000000000000-mapping.dmp
-
memory/1936-141-0x0000000006380000-0x0000000006412000-memory.dmp
Filesize
584KB
-
memory/1936-142-0x0000000006350000-0x000000000635A000-memory.dmp
Filesize
40KB
-
memory/1936-143-0x0000000006590000-0x00000000065F6000-memory.dmp
Filesize
408KB
-
memory/3172-132-0x0000000000F80000-0x0000000000F8E000-memory.dmp
Filesize
56KB
-
memory/3172-133-0x0000000005900000-0x000000000599C000-memory.dmp
Filesize
624KB
-
memory/3172-134-0x0000000006760000-0x0000000006D04000-memory.dmp
Filesize
5.6MB
-
memory/4036-138-0x0000000000000000-mapping.dmp