Analysis

max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-09-2022 19:21
Behavioral task behavioral1
  Sample: 5d6ab44634ffea26e78d0fd9e8d0c1c2.exe
  Resource: win7-20220812-en

Behavioral task behavioral2
  Sample: 5d6ab44634ffea26e78d0fd9e8d0c1c2.exe
  Resource: win10v2004-20220812-en
General

Target: 5d6ab44634ffea26e78d0fd9e8d0c1c2.exe
Size: 37KB
MD5: 5d6ab44634ffea26e78d0fd9e8d0c1c2
SHA1: fd7b612bdb276f986aef915dd0b88ae0901d8eec
SHA256: 198e657d4bb70f2f0a068ec656d91789d1cd3d503cf501be28828f42f3de9585
SHA512: aae72933b0b1ded5d9985bbda92c2e3ad608b25bd4b587bcc1f04a3fd6e29a5323c358b7b79d517c9fd7f7c85ae16f555c8981fcbffb865af921f1042041b4f8
SSDEEP: 384:wyOMUiDHblmJEpRGyEfBffXNKCYyEAnrAF+rMRTyN/0L+EcoinblneHQM3epzXi:tOqHpR9EfBfVKClEOrM+rMRa8Nu8At
Malware Config

Extracted
  Family: njrat
  Version: im523
  Botnet: HacKed
  C2: 4.tcp.eu.ngrok.io:17872
  Mutex: 6f09e9bd4d46a02277608d17d43fb05b
  Attributes:
    reg_key: 6f09e9bd4d46a02277608d17d43fb05b
    splitter: |'|'|
Signatures

Executes dropped EXE (1 IoC)
  Processes:
    pid 3776  explorer.exe

Modifies Windows Firewall (1 TTP, 1 IoC)

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    5d6ab44634ffea26e78d0fd9e8d0c1c2.exe
      Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation

Drops startup file (2 IoCs)
  Processes:
    explorer.exe
      File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6f09e9bd4d46a02277608d17d43fb05b.exe
      File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6f09e9bd4d46a02277608d17d43fb05b.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    explorer.exe
      Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6f09e9bd4d46a02277608d17d43fb05b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe\" .."
      Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6f09e9bd4d46a02277608d17d43fb05b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe\" .."

Drops autorun.inf file (1 TTP, 3 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  Processes:
    explorer.exe
      File created: C:\autorun.inf
      File opened for modification: C:\autorun.inf
      File created: D:\autorun.inf

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid 3776  explorer.exe  (64 occurrences)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid 3776  explorer.exe

Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes:
    pid 3776  explorer.exe
      Token: SeDebugPrivilege  (1 occurrence)
      Token: 33  (17 occurrences)
      Token: SeIncBasePriorityPrivilege  (17 occurrences)

Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    PID 4532 (5d6ab44634ffea26e78d0fd9e8d0c1c2.exe) wrote to memory of PID 3776 (explorer.exe)  (3 occurrences)
    PID 3776 (explorer.exe) wrote to memory of PID 952 (netsh.exe)  (3 occurrences)
Processes

1. C:\Users\Admin\AppData\Local\Temp\5d6ab44634ffea26e78d0fd9e8d0c1c2.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5d6ab44634ffea26e78d0fd9e8d0c1c2.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\explorer.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Drops autorun.inf file
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\explorer.exe" "explorer.exe" ENABLE
         - Modifies Windows Firewall
Network

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\explorer.exe
  Filesize: 37KB
  MD5: 5d6ab44634ffea26e78d0fd9e8d0c1c2
  SHA1: fd7b612bdb276f986aef915dd0b88ae0901d8eec
  SHA256: 198e657d4bb70f2f0a068ec656d91789d1cd3d503cf501be28828f42f3de9585
  SHA512: aae72933b0b1ded5d9985bbda92c2e3ad608b25bd4b587bcc1f04a3fd6e29a5323c358b7b79d517c9fd7f7c85ae16f555c8981fcbffb865af921f1042041b4f8

C:\Users\Admin\AppData\Local\Temp\explorer.exe
  Filesize: 37KB
  MD5: 5d6ab44634ffea26e78d0fd9e8d0c1c2
  SHA1: fd7b612bdb276f986aef915dd0b88ae0901d8eec
  SHA256: 198e657d4bb70f2f0a068ec656d91789d1cd3d503cf501be28828f42f3de9585
  SHA512: aae72933b0b1ded5d9985bbda92c2e3ad608b25bd4b587bcc1f04a3fd6e29a5323c358b7b79d517c9fd7f7c85ae16f555c8981fcbffb865af921f1042041b4f8

memory/952-138-0x0000000000000000-mapping.dmp

memory/3776-133-0x0000000000000000-mapping.dmp

memory/3776-137-0x0000000075310000-0x00000000758C1000-memory.dmp
  Filesize: 5.7MB

memory/3776-139-0x0000000075310000-0x00000000758C1000-memory.dmp
  Filesize: 5.7MB

memory/4532-132-0x0000000075310000-0x00000000758C1000-memory.dmp
  Filesize: 5.7MB

memory/4532-136-0x0000000075310000-0x00000000758C1000-memory.dmp
  Filesize: 5.7MB