Analysis
- max time kernel: 152s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-10-2022 22:02
Behavioral tasks
- behavioral1: Sample f0e96a5e05511ef011d33261b364f046118f91e1d9053c397d1e6ac10c8c79aa.exe, Resource win7-20220901-en
- behavioral2: Sample f0e96a5e05511ef011d33261b364f046118f91e1d9053c397d1e6ac10c8c79aa.exe, Resource win10v2004-20220812-en (the run detailed below)
General
- Target: f0e96a5e05511ef011d33261b364f046118f91e1d9053c397d1e6ac10c8c79aa.exe
- Size: 40KB
- MD5: 6a7b34aabcd7482e0c6acb99fd249d20
- SHA1: 25a6b8074e1323cff36d522c62d1121e7ebfc749
- SHA256: f0e96a5e05511ef011d33261b364f046118f91e1d9053c397d1e6ac10c8c79aa
- SHA512: 482c4a801e35c236161cae4b5b2042e9f58cd5a7e2f61a9e21e030a73bb1ca3f4584869924f2da210b1b050b8d18876b0914c9f403ee86ad36b86be46f7ec4ae
- SSDEEP: 384:xoWtkEwn65rgjAsGipk55D16xgXakhbZD0mRvR6JZlbw8hqIusZzZSNl5:m7O89p2rRpcnuBl5
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: momodz.no-ip.biz:1177
- Mutex: de24e18567ad7e555a79ab8b2c977563
- reg_key: de24e18567ad7e555a79ab8b2c977563
- splitter: |'|'|

The value de24e18567ad7e555a79ab8b2c977563 is reused as the mutex name, the Run value name and the Startup folder filename (see Signatures below), so a single host-wide search for this string covers all three persistence artefacts. The C2 is a dynamic-DNS hostname, so block or hunt on the name rather than on whatever address it resolved to at analysis time.
Signatures
-
Executes dropped EXE (2 IoCs)
Processes:
- pid 4900: LocalWlKRdrugdz.exe
- pid 4344: server.exe
-
Modifies Windows Firewall (1 TTPs, 1 IoCs)
See the netsh.exe command in the process tree below: the dropped server.exe adds itself to the firewall's allowed-program list.
-
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation by f0e96a5e05511ef011d33261b364f046118f91e1d9053c397d1e6ac10c8c79aa.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation by LocalWlKRdrugdz.exe
Caveat: this key is also read by the .NET runtime when region information is initialised, so on its own it is weak evidence of deliberate geofencing.
-
Drops startup file (2 IoCs)
Processes:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\de24e18567ad7e555a79ab8b2c977563.exe by server.exe
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\de24e18567ad7e555a79ab8b2c977563.exe by server.exe
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\de24e18567ad7e555a79ab8b2c977563 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." by server.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\de24e18567ad7e555a79ab8b2c977563 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." by server.exe
Note the persistence is written to both HKCU and the 32-bit HKLM Run key, and that the command line carries the trailing " .." argument; both are useful hunting features.
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this "likely ransomware behaviour", but the extracted configuration identifies the sample as njRAT, a remote-access trojan, so here the drive enumeration is consistent with the RAT's file-manager and removable-drive spreading features rather than with ransomware.
-
Suspicious use of AdjustPrivilegeToken (29 IoCs)
Process: server.exe (pid 4344)
- Token: SeDebugPrivilege (1 occurrence)
- Token: 33 followed by Token: SeIncBasePriorityPrivilege, the pair repeated 14 times (28 occurrences)
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
- PID 4816 (f0e96a5e05511ef011d33261b364f046118f91e1d9053c397d1e6ac10c8c79aa.exe) wrote to memory of 4900 (LocalWlKRdrugdz.exe), 3 times
- PID 4900 (LocalWlKRdrugdz.exe) wrote to memory of 4344 (server.exe), 3 times
- PID 4344 (server.exe) wrote to memory of 3896 (netsh.exe), 3 times
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\f0e96a5e05511ef011d33261b364f046118f91e1d9053c397d1e6ac10c8c79aa.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f0e96a5e05511ef011d33261b364f046118f91e1d9053c397d1e6ac10c8c79aa.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\LocalWlKRdrugdz.exe
      Command line: "C:\Users\Admin\AppData\LocalWlKRdrugdz.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      (Note the path: the file sits directly under AppData with "Local" glued to the filename, apparently a missing path separator in the dropper. A file directly under %USERPROFILE%\AppData whose name begins with "Local" is itself a useful hunting feature.)
      3. C:\Users\Admin\AppData\Local\Temp\server.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
         - Executes dropped EXE
         - Drops startup file
         - Adds Run key to start application
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\netsh.exe
            Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
            - Modifies Windows Firewall
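The process tree above shows the classic njRAT persistence triad performed by one process: a Run value in both HKCU and the WOW6432Node HKLM key pointing at an executable in a user-writable directory, a copy dropped into the Startup folder under the same 32-hex name, and a child netsh.exe that whitelists the executable in the firewall. The following is an added detection example written for this page; it is not Triage output and not njRAT's own code. The event records are constructed to mirror the IoCs in the Signatures section, and their field names (type, pid, ppid, key, data, path, cmdline) are an assumed normalised schema rather than Sysmon's or any EDR's real field names.

```python
"""Correlate Run-key, Startup-folder and netsh events into an njRAT-style verdict.

Added example for this report (not Triage output, not njRAT code). EVENTS is
constructed telemetry modelled on the report's IoCs; the field names are an
assumed normalised schema, not a real product's.
"""
import re
from collections import defaultdict

HEX32 = re.compile(r"^[0-9a-f]{32}$")
USER_WRITABLE = re.compile(r"\\AppData\\(Local|Roaming)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\([^\\]+)\.exe$", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
NETSH_ALLOW = re.compile(r'netsh\s+firewall\s+add\s+allowedprogram\s+"([^"]+)"', re.I)

EVENTS = [  # constructed sample telemetry mirroring the report
    {"type": "reg_set", "pid": 4344,
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\de24e18567ad7e555a79ab8b2c977563",
     "data": r'"C:\Users\Admin\AppData\Local\Temp\server.exe" ..'},
    {"type": "reg_set", "pid": 4344,
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\de24e18567ad7e555a79ab8b2c977563",
     "data": r'"C:\Users\Admin\AppData\Local\Temp\server.exe" ..'},
    {"type": "file_create", "pid": 4344,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\de24e18567ad7e555a79ab8b2c977563.exe"},
    {"type": "proc_create", "pid": 3896, "ppid": 4344,
     "cmdline": 'netsh firewall add allowedprogram "C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe" "server.exe" ENABLE'},
    # Constructed benign noise: an updater registering itself from Program Files.
    {"type": "reg_set", "pid": 1200,
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "data": r'"C:\Program Files\Vendor\updater.exe" /background'},
]


def classify(ev):
    """Return (technique, identifier) for one event, or None if uninteresting."""
    if ev["type"] == "reg_set":
        m = RUN_KEY.search(ev["key"])
        # Only Run values that launch something from a user-writable directory.
        if m and USER_WRITABLE.search(ev["data"]):
            hive = "run_key_hklm" if ev["key"].upper().startswith("HKLM") else "run_key_hkcu"
            return hive, m.group(1)
    elif ev["type"] == "file_create":
        m = STARTUP_DIR.search(ev["path"])
        if m:
            return "startup_file", m.group(1)
    elif ev["type"] == "proc_create":
        m = NETSH_ALLOW.search(ev["cmdline"])
        # netsh whitelisting a binary that lives under AppData.
        if m and USER_WRITABLE.search(m.group(1)):
            return "netsh_allowedprogram", None
    return None


def detect(events, min_techniques=2):
    """Group hits by the process responsible (netsh is attributed to its parent).

    A process is reported when it shows at least min_techniques distinct
    persistence techniques. If every 32-hex identifier seen for that process
    agrees (Run value name and Startup filename), it is reported as njrat_id.
    """
    hits = defaultdict(lambda: {"techniques": set(), "ids": set()})
    for ev in events:
        res = classify(ev)
        if res is None:
            continue
        tech, ident = res
        owner = ev["ppid"] if tech == "netsh_allowedprogram" else ev["pid"]
        hits[owner]["techniques"].add(tech)
        if ident and HEX32.match(ident):
            hits[owner]["ids"].add(ident.lower())
    findings = {}
    for pid, h in hits.items():
        if len(h["techniques"]) >= min_techniques:
            ids = sorted(h["ids"])
            findings[pid] = {"techniques": sorted(h["techniques"]),
                             "njrat_id": ids[0] if len(ids) == 1 else None}
    return findings


if __name__ == "__main__":
    for pid, finding in detect(EVENTS).items():
        print(pid, finding)
```

Run against the constructed events, detect() flags only pid 4344, with all four techniques and the identifier de24e18567ad7e555a79ab8b2c977563, and ignores the Program Files updater. Requiring two or more techniques per process keeps a lone HKCU Run value (common for legitimate software) from firing; the netsh whitelisting attributed to the parent is what makes the firewall step count against server.exe rather than against netsh.exe.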
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\LocalWlKRdrugdz.exe
- Filesize: 23KB
- MD5: d25bf8c4fd693697735916736f012495
- SHA1: 9c774d2da0ab6370a426a841079798be46e45051
- SHA256: f1ec9ecc4819d1d3262590e55527904ac2ba91374c10d0ef3de5411c0f59c5df
- SHA512: a33c0c4428be2d247c59446bac5bf71637c478e1c028828db3d9ae81c933a6e4b88c7b12d594b45903e68b56ea27120eef0086da24c3c67e689fb41f3a56812f
-
C:\Users\Admin\AppData\Local\Temp\server.exe
- Filesize: 23KB
- MD5: d25bf8c4fd693697735916736f012495
- SHA1: 9c774d2da0ab6370a426a841079798be46e45051
- SHA256: f1ec9ecc4819d1d3262590e55527904ac2ba91374c10d0ef3de5411c0f59c5df
- SHA512: a33c0c4428be2d247c59446bac5bf71637c478e1c028828db3d9ae81c933a6e4b88c7b12d594b45903e68b56ea27120eef0086da24c3c67e689fb41f3a56812f
(Identical hashes to LocalWlKRdrugdz.exe: the second stage copies itself to Temp as server.exe, so one file hash covers both dropped paths.)
-
Memory dumps
- memory/3896-142-0x0000000000000000-mapping.dmp
- memory/4344-137-0x0000000000000000-mapping.dmp
- memory/4344-141-0x0000000075210000-0x00000000757C1000-memory.dmp (5.7MB)
- memory/4344-143-0x0000000075210000-0x00000000757C1000-memory.dmp (5.7MB)
- memory/4816-132-0x00007FFC84F50000-0x00007FFC85986000-memory.dmp (10.2MB)
- memory/4900-133-0x0000000000000000-mapping.dmp
- memory/4900-136-0x0000000075210000-0x00000000757C1000-memory.dmp (5.7MB)
- memory/4900-140-0x0000000075210000-0x00000000757C1000-memory.dmp (5.7MB)