Analysis
- max time kernel: 153s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-09-2022 17:42
Behavioral task: behavioral1
- Sample: HEUR-Trojan.Win32.Generic-0184983a425fef55d46b7e0eb729a245730ee26414ebe4b155917c0124a19c2d.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: HEUR-Trojan.Win32.Generic-0184983a425fef55d46b7e0eb729a245730ee26414ebe4b155917c0124a19c2d.exe
- Resource: win10v2004-20220812-en
General
- Target: HEUR-Trojan.Win32.Generic-0184983a425fef55d46b7e0eb729a245730ee26414ebe4b155917c0124a19c2d.exe
- Size: 37KB
- MD5: 8eedc01c11b251481dec59e5308dccc3
- SHA1: 24bf069e9f2a1f12aefa391674ed82059386b0aa
- SHA256: 0184983a425fef55d46b7e0eb729a245730ee26414ebe4b155917c0124a19c2d
- SHA512: 52388313b21f14aa69c8b37e0fe0b73f66aa92f08651a16c820aae65d341dc1af6b48f3c8d4f657ac990eeaf4b9a01ae769bca4d3625550011708697d22b69cc
- SSDEEP: 384:HLWZcaCisD/WRdL5kyc/Ss4fzrngNsIhOrAF+rMRTyN/0L+EcoinblneHQM3epzN:iZcID5nc/Ss4HysIsrM+rMRa8NuM0t
Malware Config
Extracted: njrat
- im523
- mediaget
- kazya1.hopto.org:1470
- a797c6ca3f5e7aff8fa1149c47fe9466
- reg_key: a797c6ca3f5e7aff8fa1149c47fe9466
- splitter: |'|'|
Signatures
-
Executes dropped EXE (1 IoC)
Processes:
  pid  | process
  4800 | mediaget.exe
-
Modifies Windows Firewall (1 TTP, 1 IoC)
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description       | ioc                                                                                                           | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | HEUR-Trojan.Win32.Generic-0184983a425fef55d46b7e0eb729a245730ee26414ebe4b155917c0124a19c2d.exe
-
Drops startup file (2 IoCs)
Processes:
  description                  | ioc                                                                                                               | process
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe | mediaget.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe | mediaget.exe
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description     | ioc                                                                                                                                                                                                           | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\a797c6ca3f5e7aff8fa1149c47fe9466 = "\"C:\\Users\\Admin\\AppData\\Roaming\\mediaget.exe\" .."                                          | mediaget.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a797c6ca3f5e7aff8fa1149c47fe9466 = "\"C:\\Users\\Admin\\AppData\\Roaming\\mediaget.exe\" .." | mediaget.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid  | process
  4800 | mediaget.exe   (this row is repeated 64 times in the report)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid  | process
  4800 | mediaget.exe
-
Suspicious use of AdjustPrivilegeToken (29 IoCs)
Processes:
  description                        | pid  | process
  Token: SeDebugPrivilege            | 4800 | mediaget.exe
  Token: 33                          | 4800 | mediaget.exe   (14 occurrences, alternating with the next row)
  Token: SeIncBasePriorityPrivilege  | 4800 | mediaget.exe   (14 occurrences)
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                      | pid  | process                                                                                           | target process
  PID 448 wrote to memory of 4800  | 448  | HEUR-Trojan.Win32.Generic-0184983a425fef55d46b7e0eb729a245730ee26414ebe4b155917c0124a19c2d.exe | mediaget.exe   (3 occurrences)
  PID 4800 wrote to memory of 4824 | 4800 | mediaget.exe                                                                                      | netsh.exe      (3 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-0184983a425fef55d46b7e0eb729a245730ee26414ebe4b155917c0124a19c2d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-0184983a425fef55d46b7e0eb729a245730ee26414ebe4b155917c0124a19c2d.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\mediaget.exe
      Command line: "C:\Users\Admin\AppData\Roaming\mediaget.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\mediaget.exe" "mediaget.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\mediaget.exe
  Filesize: 37KB
  MD5: 8eedc01c11b251481dec59e5308dccc3
  SHA1: 24bf069e9f2a1f12aefa391674ed82059386b0aa
  SHA256: 0184983a425fef55d46b7e0eb729a245730ee26414ebe4b155917c0124a19c2d
  SHA512: 52388313b21f14aa69c8b37e0fe0b73f66aa92f08651a16c820aae65d341dc1af6b48f3c8d4f657ac990eeaf4b9a01ae769bca4d3625550011708697d22b69cc
- memory/448-132-0x00000000748D0000-0x0000000074E81000-memory.dmp
  Filesize: 5.7MB
- memory/448-133-0x00000000748D0000-0x0000000074E81000-memory.dmp
  Filesize: 5.7MB
- memory/448-137-0x00000000748D0000-0x0000000074E81000-memory.dmp
  Filesize: 5.7MB
- memory/4800-134-0x0000000000000000-mapping.dmp
- memory/4800-138-0x00000000748D0000-0x0000000074E81000-memory.dmp
  Filesize: 5.7MB
- memory/4800-140-0x00000000748D0000-0x0000000074E81000-memory.dmp
  Filesize: 5.7MB
- memory/4824-139-0x0000000000000000-mapping.dmp