Analysis

max time kernel: 189s
max time network: 193s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-10-2022 09:07

Behavioral task behavioral1
Sample: f5a8f1480e481826d465cdd310435b4756c77a42660262d6cd76f7bb7f5a68a3.exe
Resource: win7-20220812-en

Behavioral task behavioral2
Sample: f5a8f1480e481826d465cdd310435b4756c77a42660262d6cd76f7bb7f5a68a3.exe
Resource: win10v2004-20220812-en
General

Target: f5a8f1480e481826d465cdd310435b4756c77a42660262d6cd76f7bb7f5a68a3.exe
Size: 160KB
MD5: 6f0b2e081e03994f35365d8040d39440
SHA1: 14a26c7b04e8355e1952a375ee6aae73bcf266cb
SHA256: f5a8f1480e481826d465cdd310435b4756c77a42660262d6cd76f7bb7f5a68a3
SHA512: 27c2ea8dba91140e68e05aabfec580d415f0c155d0b9ea814b3415c25c29966dd81d521a1f3bcebe905954f0a2b2c8a0379325f7da53833532bf088ae8991cc1
SSDEEP: 1536:yDl78bpZ//n1aG9IvMWfjSFWfOo57Eapn3wGxK7n3S7/j5rQyKhG29jH/A0OA8Fm:yebDOMWeFWGyjtwGYjaVsdA29M2B
Malware Config

Extracted
Family: njrat
Version: 0.6.4
Campaign ID: HacKed
C2: tigano.no-ip.biz:1177
Mutex: 5cd8f17f4086744065eb0992a09e05a2
reg_key: 5cd8f17f4086744065eb0992a09e05a2
splitter: |'|'|

Notes on the config: "HacKed" is the default campaign name in the njRAT 0.6.4 builder and 1177 is its default port, so neither identifies a specific operator; the C2 host is a no-ip.biz dynamic-DNS name and should be tracked as a domain, not resolved once and blocked by IP. The mutex and the reg_key are the same 32-hex string, and that string is also the Run value name written later in this report, so a single indicator covers mutex, registry persistence name and config. The splitter is the field delimiter used in every C2 message and is the cheapest byte pattern to match on the wire.
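The config fields above are what a detection author needs to recognise this family on the wire. The following Python is an added example for this page, not part of the sandbox report or the malware author's code. It frames and parses messages the way njRAT 0.6.4 clients do (decimal byte length, a NUL byte, then the payload with fields joined by the extracted splitter) and shows a truncated frame being flagged rather than silently mis-split. The sample stream is constructed, and the field contents in it are placeholders, not a claim about the real registration layout.

```python
from dataclasses import dataclass

# Splitter taken from the extracted config above. Framing as used by njRAT 0.6.4:
#   <decimal length of payload> 0x00 <payload>
# where payload = fields joined with SPLITTER.
SPLITTER = "|'|'|"


@dataclass
class Frame:
    declared_len: int
    fields: list
    complete: bool  # False if the stream ended before declared_len bytes arrived


def build_frame(fields, splitter=SPLITTER) -> bytes:
    """Encode one message the way the client does (used here to build test data)."""
    payload = splitter.join(fields).encode("latin-1")
    return str(len(payload)).encode() + b"\x00" + payload


def parse_stream(buf: bytes, splitter=SPLITTER) -> list:
    """Walk a byte stream and return the frames found, in order.

    Stops at the first offset that does not look like a length header instead of
    resyncing blindly, so unrelated data is never reported as njRAT fields.
    """
    frames, pos = [], 0
    while pos < len(buf):
        nul = buf.find(b"\x00", pos)
        header = buf[pos:nul] if nul != -1 else b""
        if not header.isdigit():
            break
        n = int(header)
        payload = buf[nul + 1: nul + 1 + n]
        # latin-1 is a lossless byte-to-str mapping, so no field is ever dropped on decode
        frames.append(Frame(n, payload.decode("latin-1").split(splitter), len(payload) == n))
        pos = nul + 1 + n
    return frames


def splitter_hits(buf: bytes, splitter=SPLITTER) -> int:
    """What a byte-level IDS content match on the splitter would count."""
    return buf.count(splitter.encode("latin-1"))


# Constructed sample stream (not captured traffic): a registration-like message whose
# field values are placeholders, a one-field keepalive-style message, and a frame that
# declares 20 bytes but was cut after 8.
SAMPLE = (
    build_frame(["ll", "ID-PLACEHOLDER", "DESKTOP-01", "Admin", "22-10-02", "",
                 "Win 10", "No", "0.6.4"])
    + build_frame(["P"])
    + b"20\x00inf" + SPLITTER.encode("latin-1")
)

if __name__ == "__main__":
    for f in parse_stream(SAMPLE):
        print(f.declared_len, "complete" if f.complete else "TRUNCATED", f.fields)
    print("splitter occurrences:", splitter_hits(SAMPLE))
```

Because the length prefix is ASCII digits and the splitter is fixed per build, a Suricata or Zeek signature on the splitter bytes plus a `^[0-9]+\x00` prefix catches this build regardless of which command is sent; a different splitter in a sibling config means the signature must be regenerated from the extracted value, not copied.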
Signatures

Executes dropped EXE (2 IoCs)
Processes: PID 1564 Tempserver.exe; PID 1580 Trojan.exe

Modifies Windows Firewall (1 TTP, 1 IoC)
The triggering command is the netsh.exe invocation shown in the process tree below.

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely geofence. Caveat: Windows and the .NET runtime read this value whenever the user's region is resolved (GetUserGeoID), so this signature alone is weak evidence of geofencing; nothing else in the report shows region-dependent behaviour, and the payload ran to completion in the en-us sandbox.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation, by f5a8f1480e481826d465cdd310435b4756c77a42660262d6cd76f7bb7f5a68a3.exe
  Key value queried: the same key, by Tempserver.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: Trojan.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" ..
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" ..
The value name is the reg_key/mutex from the extracted config, and the value data carries njRAT's characteristic trailing " .." argument; both a per-user (HKCU) and a machine-wide (HKLM, WOW6432Node because the process is 32-bit) Run entry are recorded.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is "likely ransomware behaviour"; nothing else in this report supports that reading (no file modification or ransom note is recorded), and drive enumeration is equally consistent with a RAT looking for removable media. Treat as low confidence on its own.

Suspicious behavior: EnumeratesProcesses (45 IoCs)
Processes: PID 1580 Trojan.exe (45 process-enumeration events)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: PID 1580 Trojan.exe enabled SeDebugPrivilege

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 1608 f5a8f1480e481826d465cdd310435b4756c77a42660262d6cd76f7bb7f5a68a3.exe wrote to PID 1564 Tempserver.exe (3 writes)
  PID 1564 Tempserver.exe wrote to PID 1580 Trojan.exe (3 writes)
  PID 1580 Trojan.exe wrote to PID 1032 netsh.exe (3 writes)
In each case the target is the writer's own freshly created child (see the process tree), which is consistent with normal process start-up rather than injection into an unrelated process.
Processes

1. C:\Users\Admin\AppData\Local\Temp\f5a8f1480e481826d465cdd310435b4756c77a42660262d6cd76f7bb7f5a68a3.exe (PID 1608)
   command line: "C:\Users\Admin\AppData\Local\Temp\f5a8f1480e481826d465cdd310435b4756c77a42660262d6cd76f7bb7f5a68a3.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Tempserver.exe (PID 1564)
      command line: "C:\Users\Admin\AppData\Local\Tempserver.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\Trojan.exe (PID 1580)
         command line: "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\netsh.exe (PID 1032)
            command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
            - Modifies Windows Firewall

Note the dropped file at stage 2 sits directly in %LOCALAPPDATA% as Tempserver.exe, not in the Temp folder; the same path appears in the dropped-files list below. The firewall exception uses the legacy netsh firewall context (deprecated in favour of netsh advfirewall firewall, but still accepted), and netsh is launched from SysWOW64, i.e. the whole chain is 32-bit, which matches the WOW6432Node Run key above.
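The chain above (a dropped EXE running from a user-writable path, a Run value named with a 32-hex string whose data ends in " ..", and a netsh allowedprogram exception for the same binary) is what to hunt for in endpoint telemetry. The Python below is an added example, not from the sandbox or the malware author. It runs three rules over constructed Sysmon-style records (Event ID 1 process creation and Event ID 13 registry value set, using the paths and value names from this report) and correlates hits by the executable they reference, so that persistence plus a firewall exclusion for the same file is escalated while a benign Run key from Program Files is not. Field names follow Sysmon; the record set, including the benign control, is constructed.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style records (not the sandbox's own log). Field names follow Sysmon
# Event ID 1 (ProcessCreate) and Event ID 13 (RegistryEvent: value set). Sysmon writes
# HKU\<SID>\... where the sandbox report shows \REGISTRY\USER\<SID>\...
SID = "S-1-5-21-2295526160-1155304984-640977766-1000"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\f5a8f1480e481826d465cdd310435b4756c77a42660262d6cd76f7bb7f5a68a3.exe"
EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\Admin\AppData\Local\Tempserver.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Tempserver.exe"', "ParentImage": DROPPER},
    {"EventID": 1, "Image": r"C:\Users\Admin\AppData\Local\Temp\Trojan.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"',
     "ParentImage": r"C:\Users\Admin\AppData\Local\Tempserver.exe"},
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Temp\Trojan.exe",
     "TargetObject": rf"HKU\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2",
     "Details": r'"C:\Users\Admin\AppData\Local\Temp\Trojan.exe" ..'},
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Temp\Trojan.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2",
     "Details": r'"C:\Users\Admin\AppData\Local\Temp\Trojan.exe" ..'},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "CommandLine": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE',
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"},
    # benign control (constructed): an installer registering an updater from Program Files
    {"EventID": 13, "Image": r"C:\Program Files\Example\setup.exe",
     "TargetObject": rf"HKU\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
     "Details": r'"C:\Program Files\Example\updater.exe" /background'},
]

USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local(\\|$)", re.I)
RUN_KEY = re.compile(r"\\Software\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)
NETSH_ALLOW = re.compile(r'firewall\s+add\s+allowedprogram\s+"([^"]+)"', re.I)
QUOTED_PATH = re.compile(r'^"([^"]+)"(.*)$')


def check_event(ev):
    """Return (rule_name, referenced_executable) tuples for one record."""
    hits = []
    if ev["EventID"] == 13:
        m = RUN_KEY.search(ev["TargetObject"])
        if m:
            q = QUOTED_PATH.match(ev["Details"])
            path = q.group(1) if q else ev["Details"].split(" ")[0]
            tail = q.group(2).strip() if q else ""
            # njRAT pattern: 32-hex value name plus the trailing " .." argument
            if HEX32.match(m.group(1)) and tail == "..":
                hits.append(("run_key_njrat_pattern", path))
            elif USER_WRITABLE.match(path):
                hits.append(("run_key_user_writable", path))
    elif ev["EventID"] == 1:
        img = ev["Image"]
        if img.lower().endswith("\\netsh.exe"):
            m = NETSH_ALLOW.search(ev["CommandLine"])
            if m:
                hits.append(("netsh_allowedprogram", m.group(1)))
        elif USER_WRITABLE.match(img) and USER_WRITABLE.match(ev.get("ParentImage", "")):
            # parent and child both under %LOCALAPPDATA%: dropper-style execution chain
            hits.append(("exe_chain_in_appdata_local", img))
    return hits


def correlate(events):
    """Group rule hits by the executable path they point at (case-folded)."""
    by_path = defaultdict(set)
    for ev in events:
        for rule, path in check_event(ev):
            by_path[path.lower()].add(rule)
    return dict(by_path)


def verdict(rules):
    if {"run_key_njrat_pattern", "netsh_allowedprogram"} <= rules:
        return "high: njRAT-style persistence plus firewall exclusion for the same binary"
    if rules:
        return "medium: " + ", ".join(sorted(rules))
    return "none"


if __name__ == "__main__":
    for path, rules in correlate(EVENTS).items():
        print(path, "->", verdict(rules))
```

Correlating on the referenced path rather than on the acting process matters here: the Run value and the netsh exception are both about Trojan.exe, while the dropper and Tempserver.exe only trip the weaker chain rule, which is the right ordering for triage.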
Downloads

C:\Users\Admin\AppData\Local\Temp\Trojan.exe (listed twice in the original report)
Filesize: 29KB
MD5: 4f9b9308709cb4a1d375106fef21b3f9
SHA1: 0db654095ff7b7f3e7a48279824f89542f1e412d
SHA256: 2568ed7705ad3707b2209f5e028a3b25b20883fce050df699cbb527dd72bc56b
SHA512: ed838f1763a6cbbad2b8642caa5454613ef1f8be4758b18e2a393357d22d2b02be9a5f042d3af080d6bbbcc78aa9c049fad989788833def6a23034c222127b81

C:\Users\Admin\AppData\Local\Tempserver.exe (listed twice in the original report)
Filesize: 29KB
MD5, SHA1, SHA256, SHA512: identical to Trojan.exe above

Both dropped files carry the same hashes, so the 160KB submitted sample writes a single 29KB payload that appears under both paths. The SHA256 of the 29KB file is the indicator for the njRAT payload; the SHA256 in the General section above identifies the dropper only.

Memory dumps
memory/1032-144-0x0000000000000000-mapping.dmp
memory/1564-137-0x0000000000000000-mapping.dmp
memory/1564-143-0x000000006F760000-0x000000006FD11000-memory.dmp (5.7MB)
memory/1580-140-0x0000000000000000-mapping.dmp
memory/1580-145-0x000000006F760000-0x000000006FD11000-memory.dmp (5.7MB)
memory/1580-146-0x000000006F760000-0x000000006FD11000-memory.dmp (5.7MB)
memory/1608-132-0x0000000000210000-0x000000000023E000-memory.dmp (184KB)
memory/1608-133-0x0000000005190000-0x0000000005734000-memory.dmp (5.6MB)
memory/1608-134-0x0000000004B20000-0x0000000004BB2000-memory.dmp (584KB)
memory/1608-135-0x0000000004BE0000-0x0000000004C7C000-memory.dmp (624KB)
memory/1608-136-0x0000000004AA0000-0x0000000004AAA000-memory.dmp (40KB)

The same 5.7MB region at 0x6F760000-0x6FD11000 is dumped from both PID 1564 (Tempserver.exe) and PID 1580 (Trojan.exe), as expected for two instances of one executable loading the same module.