Analysis

Max time kernel: 146s
Max time network: 156s
Platform: windows10-2004_x64
Resource: win10v2004-20220901-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 01-10-2022 22:18

Static task: static1
Behavioral task: behavioral1
Sample: b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa.exe
Resource: win7-20220901-en
General

Target: b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa.exe
Size: 289KB
MD5: 61515ba9633ff41d3fa44d5ff837c460
SHA1: 83623fc4699e3ea9b628d1f9a5f4cdd7426c36b8
SHA256: b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa
SHA512: 234438c585b175f5d743e30692888591ea3a1a5d2b59e1e75dd49fe44173656f1bddee85b31fa27dad95f541f958f0b2f89d36b74d63de88bc683f0d68126a1f
SSDEEP: 3072:FB/o6kBWW71YYd9mE6qTW59cbX/lqmqb/9kdR4cBtVIzKkes5RPdmDwgd4Ujepq0:Y/BC5
Malware Config

Extracted family: njrat
Version: 0.6.4
Campaign (victim-name tag): HACKED
C2: hasniimed.no-ip.biz:1177
9e07d5f15e8eb1f15f646580801c5439
reg_key: 9e07d5f15e8eb1f15f646580801c5439
splitter: |'|'|

Reading the config: the C2 is a No-IP dynamic-DNS host, and 1177 is the njRAT builder's default port. reg_key is the name of the Run registry value the client writes for persistence (no such write is recorded in this run, so persistence was either not reached or not logged); njRAT builds reuse this generated string as the mutex name, which is why the same value appears once more, unlabeled, in the extracted config. splitter is the field delimiter of the client's C2 protocol, so it is the most useful token for writing a network signature.
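To show what the splitter and C2 entries above mean on the wire, here is a parser for njRAT's C2 framing. This is an added example written for this page, not code from the sandbox report or from the malware. The framing (ASCII decimal payload length, a NUL byte, then fields joined with the splitter) follows the publicly circulated njRAT client source for the 0.6.x/0.7.x builds; the beacon bytes below are constructed, with a made-up host name, user and machine id, and the field meanings beyond the `ll` registration token are not asserted since they differ between builds.

```python
# njRAT C2 framing parser: added example for this page, not code from the
# Triage report or from the sample. Framing follows the njRAT client source:
# ASCII decimal payload length, NUL, then splitter-joined fields.
import base64

# Values extracted from this sample's config (Malware Config section above).
SPLITTER = b"|'|'|"
C2_HOST, C2_PORT = "hasniimed.no-ip.biz", 1177


def encode_frame(fields):
    """Build one frame: b'<len>\\x00' + fields joined by SPLITTER."""
    payload = SPLITTER.join(fields)
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_frames(buf):
    """Split a byte stream into complete frames.

    Returns (frames, remainder): frames is a list of field lists, remainder
    holds the bytes of an incomplete trailing frame that still needs more
    TCP data. Raises ValueError if the length prefix is not ASCII digits.
    """
    frames = []
    while True:
        nul = buf.find(b"\x00")
        if nul == -1:
            break  # length prefix not yet complete
        prefix = buf[:nul]
        if not prefix.isdigit() or len(prefix) > 9:
            raise ValueError("not an njRAT frame: bad length prefix %r" % prefix[:16])
        length = int(prefix)
        start = nul + 1
        if len(buf) - start < length:
            break  # payload not yet complete, keep buffering
        frames.append(buf[start:start + length].split(SPLITTER))
        buf = buf[start + length:]
    return frames, buf


def describe(fields):
    """Summarise a frame: command token plus fields, base64-decoded when the
    field is valid base64 AND decodes to printable ASCII (njRAT base64-encodes
    several strings in its beacons; plain fields are left as they are)."""
    out = {"command": fields[0].decode("latin-1"), "fields": []}
    for f in fields[1:]:
        try:
            dec = base64.b64decode(f, validate=True)
            if all(32 <= b < 127 for b in dec):
                out["fields"].append(dec.decode("ascii"))
                continue
        except ValueError:
            pass
        out["fields"].append(f.decode("latin-1"))
    return out


def constructed_beacon():
    """A CONSTRUCTED registration frame. 'll' is njRAT's registration command;
    the campaign tag is the sample's, the machine id, host and user are made up."""
    return encode_frame([
        b"ll",
        base64.b64encode(b"HACKED_ABCD1234"),  # campaign tag + made-up id
        b"DESKTOP-1",                          # made-up host name
        b"Admin",                              # made-up user
        b"0.6.4",                              # version from the config
    ])


if __name__ == "__main__":
    frames, rest = parse_frames(constructed_beacon())
    for fr in frames:
        print(describe(fr))
```

`parse_frames` is written as a stream decoder: feed it whatever a TCP read returned plus the previous remainder, and it hands back only whole frames. That matters when replaying a pcap of traffic to `hasniimed.no-ip.biz:1177`, where a beacon can straddle two segments; a naive split on the splitter would mis-parse those.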
Signatures

Executes dropped EXE (1 IoC)
  PID 3824  hack.exe.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried by b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa.exe:
  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation

Suspicious use of SetThreadContext (1 IoC)
  PID 4828 set thread context of PID 2812 (b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa.exe -> b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa.exe)
  Source and target share the same image path: the first instance has launched a second copy of itself and is redirecting that copy's thread. Together with the WriteProcessMemory events below this is the RunPE / process-hollowing pattern crypters use to unpack the real payload inside a child process.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic signature text labels this "likely ransomware behaviour"; for an njRAT sample it is more consistent with drive enumeration for the family's removable-drive spreading option, and no file encryption or mass file modification is recorded anywhere in this report.
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege: PID 4828  b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa.exe
  Token SeDebugPrivilege: PID 3824  hack.exe.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  PID 4828 wrote to memory of PID 2812 (b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa.exe -> b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa.exe), 5 events
  PID 2812 wrote to memory of PID 3824 (b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa.exe -> hack.exe.exe), 3 events
  PID 3824 wrote to memory of PID 4848 (hack.exe.exe -> hack.exe.exe), 3 events
Processes

1. C:\Users\Admin\AppData\Local\Temp\b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa.exe"
   (PID 4828 per the signature tables)
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa.exe
      (PID 2812 per the signature tables)
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\hack.exe.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\hack.exe.exe"
         (PID 3824 per the signature tables)
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\hack.exe.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\hack.exe.exe
            (PID 4848 per the signature tables)
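The signature tables and the process tree above describe a four-process injection chain, but the report leaves the correlation to the reader. The script below, an added example written for this page and not part of the Triage report, parses the report's own SetThreadContext and WriteProcessMemory rows (copied verbatim, none constructed) and rates each source/target pair: a pair with both a memory write and a thread-context change is the RunPE/hollowing pattern, a pair with writes alone is flagged but left unexplained, because the report alone does not show how control was transferred for the later hops.

```python
# Correlate the sandbox's process-access rows into an injection chain.
# Added example for this page; not code from the Triage report.
import re
from collections import defaultdict

SAMPLE = "b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa.exe"
DROPPED = "hack.exe.exe"

# Rows copied from the SetThreadContext / WriteProcessMemory tables above.
ROWS = (
    [f"PID 4828 set thread context of 2812 4828 {SAMPLE} {SAMPLE}"]
    + [f"PID 4828 wrote to memory of 2812 4828 {SAMPLE} {SAMPLE}"] * 5
    + [f"PID 2812 wrote to memory of 3824 2812 {SAMPLE} {DROPPED}"] * 3
    + [f"PID 3824 wrote to memory of 4848 3824 {DROPPED} {DROPPED}"] * 3
)

# Report layout: "PID <src> <verb> <dst> <src> <src image> <dst image>"
ROW_RE = re.compile(
    r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \1 (\S+) (\S+)$"
)
API = {"set thread context of": "SetThreadContext",
       "wrote to memory of": "WriteProcessMemory"}


def parse_rows(rows):
    """Turn report rows into event dicts; reject anything not in the layout."""
    events = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError("unrecognised row: " + row)
        src, verb, dst, src_img, dst_img = m.groups()
        events.append({"api": API[verb], "src": int(src), "dst": int(dst),
                       "src_img": src_img, "dst_img": dst_img})
    return events


def summarise_pairs(events):
    """Group events by (src, dst): APIs seen and number of memory writes."""
    pairs = {}
    for e in events:
        p = pairs.setdefault((e["src"], e["dst"]),
                             {"apis": set(), "writes": 0,
                              "src_img": e["src_img"], "dst_img": e["dst_img"]})
        p["apis"].add(e["api"])
        if e["api"] == "WriteProcessMemory":
            p["writes"] += 1
    return pairs


def classify(events):
    """'hollowing': write + SetThreadContext on the same target (payload is
    written, then the suspended main thread is pointed at it and resumed).
    'write_only': writes without an observed thread-context change; still
    suspicious, but the transfer-of-control step is not in the evidence."""
    out = {"hollowing": [], "write_only": []}
    for (src, dst), p in sorted(summarise_pairs(events).items()):
        rec = {"src": src, "dst": dst, "writes": p["writes"],
               "same_image": p["src_img"] == p["dst_img"]}
        if {"WriteProcessMemory", "SetThreadContext"} <= p["apis"]:
            out["hollowing"].append(rec)
        elif "WriteProcessMemory" in p["apis"]:
            out["write_only"].append(rec)
    return out


def injection_chain(events, root):
    """Follow memory-write targets from root; one linear chain in this report."""
    children = defaultdict(set)
    for e in events:
        if e["api"] == "WriteProcessMemory":
            children[e["src"]].add(e["dst"])
    chain, seen = [root], {root}
    while children[chain[-1]] - seen:
        nxt = min(children[chain[-1]] - seen)
        chain.append(nxt)
        seen.add(nxt)
    return chain


if __name__ == "__main__":
    ev = parse_rows(ROWS)
    print(classify(ev))
    print(" -> ".join(map(str, injection_chain(ev, 4828))))
```

The same correlation applies to live telemetry: swap the report rows for Sysmon Event ID 10 (process access) or an EDR's cross-process write/thread events keyed on source and target PID, and the `same_image` flag isolates the self-hollowing first hop, which is where a dump of PID 2812 (the 56KB region at 0x400000 listed under Downloads) yields the unpacked payload.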
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa.exe.log
  Filesize: 418B
  MD5: 89c8a5340eb284f551067d44e27ae8dd
  SHA1: d2431ae25a1ab67762a5125574f046f4c951d297
  SHA256: 73ca1f27b1c153e3405856ebe8b3c6cdd23424d2ab09c0fe1eb0e2075513057b
  SHA512: b101ac2e008bd3cc6f97fedb97b8253fb07fed1c334629ecbebe0f4942ccc1070491cddc4daea521164543b6f97ba9b99d2be1c50cc5a013f04e697fea9dbdac
  A usage log under CLR_v4.0_32 is written by the .NET Framework 4.x runtime for a 32-bit process, so the sample executed as a 32-bit .NET assembly, as expected for njRAT.

C:\Users\Admin\AppData\Local\Temp\hack.exe.exe (listed twice in the report with identical hashes)
  Filesize: 289KB
  MD5: 61515ba9633ff41d3fa44d5ff837c460
  SHA1: 83623fc4699e3ea9b628d1f9a5f4cdd7426c36b8
  SHA256: b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa
  SHA512: 234438c585b175f5d743e30692888591ea3a1a5d2b59e1e75dd49fe44173656f1bddee85b31fa27dad95f541f958f0b2f89d36b74d63de88bc683f0d68126a1f
  Every hash matches the submitted sample: hack.exe.exe is a byte-identical copy of the original written to %TEMP%, not a second-stage download. The unpacked njRAT payload therefore lives only in memory (see the dumps below), and a file-hash blocklist covering the parent also covers the drop.
Memory dumps

memory/2812-137-0x0000000000000000-mapping.dmp
memory/2812-138-0x0000000000400000-0x000000000040E000-memory.dmp  Filesize: 56KB  (default 32-bit image base in the hollowed child, PID 2812)
memory/3824-139-0x0000000000000000-mapping.dmp
memory/4828-132-0x0000000000050000-0x000000000009E000-memory.dmp  Filesize: 312KB
memory/4828-133-0x0000000004AF0000-0x0000000004B8C000-memory.dmp  Filesize: 624KB
memory/4828-134-0x0000000005140000-0x00000000056E4000-memory.dmp  Filesize: 5.6MB
memory/4828-135-0x0000000004B90000-0x0000000004C22000-memory.dmp  Filesize: 584KB
memory/4828-136-0x0000000002500000-0x000000000250A000-memory.dmp  Filesize: 40KB
memory/4848-142-0x0000000000000000-mapping.dmp