Analysis
  Max time kernel: 179s
  Max time network: 191s
  Platform: windows10-2004_x64
  Resource: win10v2004-20220812-en
  Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  Submitted: 02-10-2022 22:44
Behavioral task: behavioral1
  Sample: 991e78566446c860f859905c0d4f0529ab5daa9f3792b6206b75e5eab2eaeaa0.exe
  Resource: win7-20220812-en
General
  Target: 991e78566446c860f859905c0d4f0529ab5daa9f3792b6206b75e5eab2eaeaa0.exe
  Size: 29KB
  MD5: 6653deab44e0c1931da98843a74d52b0
  SHA1: 3412af8e3fde42c3cca0ba6e5e90783d0a5b1e03
  SHA256: 991e78566446c860f859905c0d4f0529ab5daa9f3792b6206b75e5eab2eaeaa0
  SHA512: 50d3be3173d8bfe807dc20a31a46cd22e4cd0928939f96cfcc5837dfe8de83517b798c618130a36a9269e0dd9e2d34582889201304e3fd95f95ce3bd811ca053
  SSDEEP: 384:ugJGJl7tj1Msagab1h5Vh+2CWmqDebD59ePbGBsbh0w4wlAokw9OhgOL1vYRGOZo:K7nMsanzR+2cqEDveyBKh0p29SgRuz
Malware Config (extracted)
  Family: njrat
  Version: 0.6.4
  Botnet: HacKed
  C2: trojanhackninja.ddns.net:2015
  Mutex: 5607fa2f78a79f2f2e754f5a87fb64d1
  reg_key: 5607fa2f78a79f2f2e754f5a87fb64d1
  splitter: |'|'|
Signatures
  Executes dropped EXE (1 IoC)
    Process: eZ.exe (PID 4924)
  Checks computer location settings (2 TTPs, 1 IoC)
    Looks up country code configured in the registry, likely geofence.
    Process: 991e78566446c860f859905c0d4f0529ab5daa9f3792b6206b75e5eab2eaeaa0.exe
    IoC: key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Suspicious use of WriteProcessMemory (3 IoCs)
    PID 3952 (991e78566446c860f859905c0d4f0529ab5daa9f3792b6206b75e5eab2eaeaa0.exe) wrote to memory of PID 4924 (eZ.exe)
    PID 3952 (991e78566446c860f859905c0d4f0529ab5daa9f3792b6206b75e5eab2eaeaa0.exe) wrote to memory of PID 4924 (eZ.exe)
    PID 3952 (991e78566446c860f859905c0d4f0529ab5daa9f3792b6206b75e5eab2eaeaa0.exe) wrote to memory of PID 4924 (eZ.exe)
Processes
  C:\Users\Admin\AppData\Local\Temp\991e78566446c860f859905c0d4f0529ab5daa9f3792b6206b75e5eab2eaeaa0.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\991e78566446c860f859905c0d4f0529ab5daa9f3792b6206b75e5eab2eaeaa0.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\eZ.exe (child of the process above)
      Command line: "C:\Users\Admin\AppData\Local\Temp\eZ.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
  C:\Users\Admin\AppData\Local\Temp\eZ.exe
    Filesize: 29KB
    MD5: 6653deab44e0c1931da98843a74d52b0
    SHA1: 3412af8e3fde42c3cca0ba6e5e90783d0a5b1e03
    SHA256: 991e78566446c860f859905c0d4f0529ab5daa9f3792b6206b75e5eab2eaeaa0
    SHA512: 50d3be3173d8bfe807dc20a31a46cd22e4cd0928939f96cfcc5837dfe8de83517b798c618130a36a9269e0dd9e2d34582889201304e3fd95f95ce3bd811ca053
  memory/3952-132-0x0000000074C60000-0x0000000075211000-memory.dmp
    Filesize: 5.7MB
  memory/3952-136-0x0000000074C60000-0x0000000075211000-memory.dmp
    Filesize: 5.7MB
  memory/4924-133-0x0000000000000000-mapping.dmp
  memory/4924-137-0x0000000074C60000-0x0000000075211000-memory.dmp
    Filesize: 5.7MB