Analysis
max time kernel: 154s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-10-2022 22:43
Static task: static1
Behavioral task: behavioral1
  Sample: 2ae62c1be9736eb8820a9ab2b9b599807b0ddd23278e052823ee053f8d4fb863.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 2ae62c1be9736eb8820a9ab2b9b599807b0ddd23278e052823ee053f8d4fb863.exe
  Resource: win10v2004-20220812-en
General
Target: 2ae62c1be9736eb8820a9ab2b9b599807b0ddd23278e052823ee053f8d4fb863.exe
Size: 401KB
MD5: 6cbeabe00f98e2a1eb6c2159da8647c0
SHA1: 14c51d82b59515780f06e7acea79898a1eb97e4b
SHA256: 2ae62c1be9736eb8820a9ab2b9b599807b0ddd23278e052823ee053f8d4fb863
SHA512: d225078fd9a9caf65d96079febb069fb5dfe3dfe94df3f1a5e7a87180c409845c039c2f92ca2cb0ae40e6de64378d1b961131cef274ba7fe6026510f4c382786
SSDEEP: 12288:sO7/LXS+Oyxq2pI9MslEBQlvDmlodEK6D:sODjvOJ2p07lEB0D5QD
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: HacKed
C2: realhacker444.ddns.net:1177
Mutex: b499b6c3b19405ce76b9bdafb1a7698e
Attributes:
  reg_key: b499b6c3b19405ce76b9bdafb1a7698e
  splitter: |'|'|
Signatures

Executes dropped EXE (3 IoCs)
Processes:
  pid 4808  1.EXE
  pid 32    Encryptado.exe
  pid 4788  svghost.exe

Modifies Windows Firewall (1 TTPs, 1 IoCs)

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried by 2ae62c1be9736eb8820a9ab2b9b599807b0ddd23278e052823ee053f8d4fb863.exe, 1.EXE and Encryptado.exe:
  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation

Drops startup file (2 IoCs)
Processes:
  File created by svghost.exe:
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b499b6c3b19405ce76b9bdafb1a7698e.exe
  File opened for modification by svghost.exe:
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b499b6c3b19405ce76b9bdafb1a7698e.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Set value (str) by svghost.exe:
  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b499b6c3b19405ce76b9bdafb1a7698e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svghost.exe\" .."
  Set value (str) by svghost.exe:
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b499b6c3b19405ce76b9bdafb1a7698e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svghost.exe\" .."

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoCs)
Processes:
  Key created by 2ae62c1be9736eb8820a9ab2b9b599807b0ddd23278e052823ee053f8d4fb863.exe:
  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings

Opens file in notepad (likely ransom note) (1 IoCs)
Processes:
  pid 1964  NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken (19 IoCs)
Processes:
  svghost.exe (pid 4788): Token: SeDebugPrivilege (1 time), then Token: 33 and Token: SeIncBasePriorityPrivilege alternating (9 times each)

Suspicious use of WriteProcessMemory (15 IoCs)
Processes (each entry recorded 3 times):
  PID 4924 (2ae62c1be9736eb8820a9ab2b9b599807b0ddd23278e052823ee053f8d4fb863.exe) wrote to memory of PID 4808 (1.EXE)
  PID 4924 (2ae62c1be9736eb8820a9ab2b9b599807b0ddd23278e052823ee053f8d4fb863.exe) wrote to memory of PID 1964 (NOTEPAD.EXE)
  PID 4808 (1.EXE) wrote to memory of PID 32 (Encryptado.exe)
  PID 32 (Encryptado.exe) wrote to memory of PID 4788 (svghost.exe)
  PID 4788 (svghost.exe) wrote to memory of PID 1572 (netsh.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\2ae62c1be9736eb8820a9ab2b9b599807b0ddd23278e052823ee053f8d4fb863.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2ae62c1be9736eb8820a9ab2b9b599807b0ddd23278e052823ee053f8d4fb863.exe"
   - Checks computer location settings
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\1.EXE
      Command line: "C:\Users\Admin\AppData\Local\Temp\1.EXE"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\Encryptado.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\Encryptado.exe"
         - Executes dropped EXE
         - Checks computer location settings
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\svghost.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\svghost.exe"
            - Executes dropped EXE
            - Drops startup file
            - Adds Run key to start application
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\netsh.exe
               Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svghost.exe" "svghost.exe" ENABLE
               - Modifies Windows Firewall
   2. C:\Windows\SysWOW64\NOTEPAD.EXE
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\2.TXT
      - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\1.EXE (also listed as 1.exe)
  Filesize: 674KB
  MD5: 814c59387dc6d97d3ebf61693371104b
  SHA1: 725463cdb078559bbd6e5bf5a9e361a57a4a2c44
  SHA256: e47a3c9dbb1131f28342148bda299300696bf2229181b56ff1a345e4d58b2861
  SHA512: 055148ce48df58555a81d93a2979e81200e82f7d56a5a114e21fe1536b7951b65995f4b262d5db0fe5dd0717f74165054474aaab41794834ae437c1368222d74

C:\Users\Admin\AppData\Local\Temp\Encryptado.exe
  Filesize: 23KB
  MD5: 12fa2f8470679f376c5b7f54e2e04cb9
  SHA1: 43b1d45829c6856673e29a692282e7881fb83ee4
  SHA256: 6e8b9a1c6793cbd56e67866f01caeccdd1503b6c4886feb2f44fd7be4d63503e
  SHA512: 20cb96b00b6d719bb7374dc1fd75ba301c5c8aaaeb7191c456c4224b80212d58af0dca5d3fdf0e59db6e5a580b5697bd880698da0fb6d3e5ac0f5a05ab0be02a

C:\Users\Admin\AppData\Local\Temp\svghost.exe (same hashes as Encryptado.exe)
  Filesize: 23KB
  MD5: 12fa2f8470679f376c5b7f54e2e04cb9
  SHA1: 43b1d45829c6856673e29a692282e7881fb83ee4
  SHA256: 6e8b9a1c6793cbd56e67866f01caeccdd1503b6c4886feb2f44fd7be4d63503e
  SHA512: 20cb96b00b6d719bb7374dc1fd75ba301c5c8aaaeb7191c456c4224b80212d58af0dca5d3fdf0e59db6e5a580b5697bd880698da0fb6d3e5ac0f5a05ab0be02a
Memory dumps
  memory/32-142-0x0000000000000000-mapping.dmp
  memory/32-145-0x000000006EF70000-0x000000006F521000-memory.dmp (5.7MB)
  memory/32-150-0x000000006EF70000-0x000000006F521000-memory.dmp (5.7MB)
  memory/1572-152-0x0000000000000000-mapping.dmp
  memory/1964-135-0x0000000000000000-mapping.dmp
  memory/4788-146-0x0000000000000000-mapping.dmp
  memory/4788-149-0x000000006EF70000-0x000000006F521000-memory.dmp (5.7MB)
  memory/4788-151-0x000000006EF70000-0x000000006F521000-memory.dmp (5.7MB)
  memory/4808-138-0x00000000051E0000-0x0000000005784000-memory.dmp (5.6MB)
  memory/4808-137-0x0000000004B90000-0x0000000004C2C000-memory.dmp (624KB)
  memory/4808-132-0x0000000000000000-mapping.dmp
  memory/4808-136-0x0000000000240000-0x00000000002EA000-memory.dmp (680KB)
  memory/4808-139-0x0000000004C30000-0x0000000004CC2000-memory.dmp (584KB)
  memory/4808-141-0x0000000004EE0000-0x0000000004F36000-memory.dmp (344KB)
  memory/4808-140-0x0000000004B50000-0x0000000004B5A000-memory.dmp (40KB)