Analysis

Max time kernel: 142s
Max time network: 147s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 02-10-2022 09:07
Behavioral task: behavioral1
Sample: 60592be138b3cadecfacb31c2ecffad95a20030adae364f4dafb9932d56dd572.exe
Resource: win7-20220812-en
General

Target: 60592be138b3cadecfacb31c2ecffad95a20030adae364f4dafb9932d56dd572.exe
Size: 29KB
MD5: 70403e78e612e435c81f467218ab19c0
SHA1: ec2408407bb925b36adf3372d83480fc67bf4986
SHA256: 60592be138b3cadecfacb31c2ecffad95a20030adae364f4dafb9932d56dd572
SHA512: 04fc7c62b73d26c0558592c86975e3a3eeb9fb122f13a40987bbe36470cc0002863048ea216eba0b736fd667a8730cbf0295e7895f2a36649c27d0db7e0e8a20
SSDEEP: 384:h9gJGJl7tj1Msagab1h5Vh+2CWmqDebD59ePbGBsbh0w4wlAokw9OhgOL1vYRGOf:ht7nMsanzR+2cqEDveyBKh0p29SgR4w
Malware Config

Extracted
Family: njrat
Version: 0.6.4
Botnet (campaign name): HacKed
C2: ahmed12300.no-ip.biz:1177
Mutex: 5cd8f17f4086744065eb0992a09e05a2
Attributes:
  reg_key: 5cd8f17f4086744065eb0992a09e05a2
  splitter: |'|'|

The C2 is a dynamic-DNS hostname (no-ip.biz), so any IP it resolved to during the run is not a durable indicator; pivot on the hostname, on port 1177 (the njRAT default) and on the mutex/reg_key string, which njRAT reuses as both the mutex name and the registry value name.
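The splitter and C2 values above are what a network-side detection keys on. The Python below is an added example, not part of this report or of the sandbox's tooling: it reassembles njRAT's length-prefixed frames (an ASCII decimal length, a NUL byte, then the payload, the framing njRAT 0.6.4 uses on the wire), splits each payload on the extracted splitter `|'|'|`, and flags an `ll` registration beacon whose base64 victim identifier carries the campaign name HacKed. Only the framing, the `ll` command prefix and the splitter are njRAT's; the beacon field order, the hostname, user and hardware-id values are constructed here for illustration, and the stream is deliberately fed in two pieces to show that a beacon straddling two TCP segments is still recovered.

```python
import base64
import re
from typing import Dict, List, Tuple

# Indicators lifted from the extracted config in this report.
SPLITTER = b"|'|'|"
C2_HOST = "ahmed12300.no-ip.biz"
C2_PORT = 1177
CAMPAIGN = "HacKed"

# njRAT framing: "<decimal length>\x00<payload>", frames concatenated back to back.
# No '^' anchor: Pattern.match(buf, pos) already anchors at pos, '^' would not.
_LEN_RE = re.compile(rb"(\d{1,7})\x00")


def frame(payload: bytes) -> bytes:
    """Wrap a payload in njRAT's length-prefixed framing (used to build the sample stream)."""
    return str(len(payload)).encode() + b"\x00" + payload


def split_frames(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Cut complete frames out of a reassembled TCP byte stream.

    Returns (payloads, remainder). The remainder is an incomplete trailing
    frame; the caller prepends it to the next segment so a message split
    across segments is not lost.
    """
    payloads: List[bytes] = []
    pos = 0
    while True:
        m = _LEN_RE.match(buf, pos)
        if not m:
            break
        n = int(m.group(1))
        start = m.end()
        if start + n > len(buf):
            break  # header seen but payload not yet complete
        payloads.append(buf[start:start + n])
        pos = start + n
    return payloads, buf[pos:]


def parse_beacon(payload: bytes) -> Dict[str, object]:
    """Split one payload on the config splitter and decode an 'll' registration beacon.

    Field order (victim id in field 1) follows the constructed sample below; only
    the 'll' prefix and the splitter are taken from njRAT itself.
    """
    fields = payload.split(SPLITTER)
    info: Dict[str, object] = {
        "cmd": fields[0].decode("latin-1"),
        "fields": [f.decode("latin-1", "replace") for f in fields],
    }
    if info["cmd"] == "ll" and len(fields) > 1:
        try:
            info["victim"] = base64.b64decode(fields[1], validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError: not base64, leave unset
            info["victim"] = None
    return info


def is_this_campaign(payload: bytes) -> bool:
    """True for an 'll' beacon whose decoded victim id names this report's campaign."""
    info = parse_beacon(payload)
    return info["cmd"] == "ll" and CAMPAIGN in (str(info.get("victim") or ""))


def is_c2_flow(dst_host: str, dst_port: int) -> bool:
    """Flow-level filter on the extracted C2 hostname and port."""
    return dst_host.lower().rstrip(".") == C2_HOST and dst_port == C2_PORT


# Constructed sample beacon (not captured traffic): "ll", base64("<hwid>_HacKed"),
# hostname, user, date, "", OS string, webcam flag, version, "..", base64(window title).
# The hardware id "7A3F1C2B" and the field order are assumptions for this example.
_VICTIM = base64.b64encode(b"7A3F1C2B_" + CAMPAIGN.encode())
SAMPLE_BEACON = SPLITTER.join([
    b"ll", _VICTIM, b"DESKTOP-SANDBOX", b"Admin", b"22-10-02", b"",
    b"Win 10 Pro SP0 x64", b"No", b"0.6.4", b"..",
    base64.b64encode(b"Program Manager"),
]) + SPLITTER
# Beacon followed by a second, unrelated one-byte message so two frames are present.
SAMPLE_STREAM = frame(SAMPLE_BEACON) + frame(b"P")


def demo() -> List[Dict[str, object]]:
    """Feed the constructed stream in two segments (cut mid-frame) and return decoded messages."""
    cut = len(SAMPLE_STREAM) // 2
    decoded: List[Dict[str, object]] = []
    pending = b""
    for segment in (SAMPLE_STREAM[:cut], SAMPLE_STREAM[cut:]):
        payloads, pending = split_frames(pending + segment)
        decoded.extend(parse_beacon(p) for p in payloads)
    assert not pending, "unexpected partial frame at end of stream"
    return decoded


if __name__ == "__main__":
    for msg in demo():
        print(msg["cmd"], msg.get("victim"), is_this_campaign(SPLITTER.join(f.encode("latin-1") for f in msg["fields"])))
```

The length prefix, not the splitter, is what delimits messages, so a detector that only greps for `|'|'|` in a segment will miss a beacon whose header lands at the end of one segment and whose body starts the next; carrying the remainder across segments is the fix shown in `demo()`.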
Signatures

Executes dropped EXE (1 IoC)
  Process: Trojan.exe (PID 4116)

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry; the sandbox flags this as a likely geofence check.
  Process: 60592be138b3cadecfacb31c2ecffad95a20030adae364f4dafb9932d56dd572.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
  Caveat: this key backs the Windows GetUserGeoID lookup and is read during ordinary locale initialization, so on its own it is a weak indicator; nothing else in this report shows behaviour that depends on the result.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The signature's generic text rates this "likely ransomware behaviour", but the report records no file encryption; for an njRAT sample, drive enumeration is equally consistent with its removable-media spreading routine.

Suspicious use of WriteProcessMemory (3 IoCs)
  Process: 60592be138b3cadecfacb31c2ecffad95a20030adae364f4dafb9932d56dd572.exe (PID 3524)
  PID 3524 wrote to the memory of PID 4116 (Trojan.exe); recorded three times.
Processes

1. C:\Users\Admin\AppData\Local\Temp\60592be138b3cadecfacb31c2ecffad95a20030adae364f4dafb9932d56dd572.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\60592be138b3cadecfacb31c2ecffad95a20030adae364f4dafb9932d56dd572.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\Trojan.exe  (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\Trojan.exe
  Filesize: 29KB
  MD5: 70403e78e612e435c81f467218ab19c0
  SHA1: ec2408407bb925b36adf3372d83480fc67bf4986
  SHA256: 60592be138b3cadecfacb31c2ecffad95a20030adae364f4dafb9932d56dd572
  SHA512: 04fc7c62b73d26c0558592c86975e3a3eeb9fb122f13a40987bbe36470cc0002863048ea216eba0b736fd667a8730cbf0295e7895f2a36649c27d0db7e0e8a20
  The hashes are identical to the submitted sample: the first-stage process wrote a byte-for-byte copy of itself to %TEMP%\Trojan.exe and launched it, so both files match the same hash-based indicators.
Memory dumps
  memory/3524-132-0x00000000747D0000-0x0000000074D81000-memory.dmp  5.7MB
  memory/3524-137-0x00000000747D0000-0x0000000074D81000-memory.dmp  5.7MB
  memory/3524-140-0x00000000747D0000-0x0000000074D81000-memory.dmp  5.7MB
  memory/4116-133-0x0000000000000000-mapping.dmp                    (mapping)
  memory/4116-136-0x00000000747D0000-0x0000000074D81000-memory.dmp  5.7MB
  memory/4116-138-0x00000000747D0000-0x0000000074D81000-memory.dmp  5.7MB
  memory/4116-139-0x00000000747D0000-0x0000000074D81000-memory.dmp  5.7MB

The same 5.7MB range sits at the same base address in both PID 3524 and PID 4116, which is consistent with a module mapped into both processes rather than with per-process injected code; the dumps are repeated snapshots of that one region, not seven distinct payloads.