Analysis
Max time kernel: 157s
Max time network: 162s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 02-10-2022 09:08
Behavioral task: behavioral1
Sample: ed1d5c00dd75ebb199ba5687c9350ea26a59d7f7ce4cffe507de2dac984a63d0.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: ed1d5c00dd75ebb199ba5687c9350ea26a59d7f7ce4cffe507de2dac984a63d0.exe
Resource: win10v2004-20220812-en
General
Target: ed1d5c00dd75ebb199ba5687c9350ea26a59d7f7ce4cffe507de2dac984a63d0.exe
Size: 23KB
MD5: 4a7350d8df84592250f4f14336615c50
SHA1: 26f145eff62c8673258728ac12d74f9a978f43c8
SHA256: ed1d5c00dd75ebb199ba5687c9350ea26a59d7f7ce4cffe507de2dac984a63d0
SHA512: 18ec1431f8e872b36a92a0f55d2ecec18416c43221f5d3f8c3bb5758f18b3be8950afad6c7f76748d493978a9bfe3fbceb88ddb2e516a6f0c06c4e7628b1b17b
SSDEEP: 384:OcqbCK0l4h7o9SVyDGvENuh46/gJkOmMSW38mRvR6JZlbw8hqIusZzZVn:B30py6vhxaRpcnui
Malware Config
Extracted
Family: njrat
Version: 0.7d
Campaign ID: HacKed
C2: nbvnf.no-ip.biz:12
Mutex: e45723828a0dec61146911ba55b2f1c5
reg_key: e45723828a0dec61146911ba55b2f1c5
splitter: |'|'|
Signatures
Executes dropped EXE (1 IoCs)
Processes:
  PID 3764  windws.exe
Modifies Windows Firewall (1 TTPs, 1 IoCs)
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  ed1d5c00dd75ebb199ba5687c9350ea26a59d7f7ce4cffe507de2dac984a63d0.exe  Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  windws.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\e45723828a0dec61146911ba55b2f1c5 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\windws.exe\" .."
  windws.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e45723828a0dec61146911ba55b2f1c5 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\windws.exe\" .."
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (29 IoCs)
Processes:
  windws.exe (PID 3764)  Token: SeDebugPrivilege
  windws.exe (PID 3764)  Token: 33  (14 occurrences)
  windws.exe (PID 3764)  Token: SeIncBasePriorityPrivilege  (14 occurrences)
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  PID 4872  ed1d5c00dd75ebb199ba5687c9350ea26a59d7f7ce4cffe507de2dac984a63d0.exe  wrote to memory of  PID 3764  windws.exe  (3 occurrences)
  PID 3764  windws.exe  wrote to memory of  PID 1056  netsh.exe  (3 occurrences)
Processes
C:\Users\Admin\AppData\Local\Temp\ed1d5c00dd75ebb199ba5687c9350ea26a59d7f7ce4cffe507de2dac984a63d0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ed1d5c00dd75ebb199ba5687c9350ea26a59d7f7ce4cffe507de2dac984a63d0.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\windws.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\windws.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\windws.exe" "windws.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\windws.exe
Filesize: 23KB
MD5: 4a7350d8df84592250f4f14336615c50
SHA1: 26f145eff62c8673258728ac12d74f9a978f43c8
SHA256: ed1d5c00dd75ebb199ba5687c9350ea26a59d7f7ce4cffe507de2dac984a63d0
SHA512: 18ec1431f8e872b36a92a0f55d2ecec18416c43221f5d3f8c3bb5758f18b3be8950afad6c7f76748d493978a9bfe3fbceb88ddb2e516a6f0c06c4e7628b1b17b
memory/1056-139-0x0000000000000000-mapping.dmp
memory/3764-134-0x0000000000000000-mapping.dmp
memory/3764-137-0x0000000074AB0000-0x0000000075061000-memory.dmp  Filesize: 5.7MB
memory/3764-140-0x0000000074AB0000-0x0000000075061000-memory.dmp  Filesize: 5.7MB
memory/4872-132-0x0000000074AB0000-0x0000000075061000-memory.dmp  Filesize: 5.7MB
memory/4872-133-0x0000000074AB0000-0x0000000075061000-memory.dmp  Filesize: 5.7MB
memory/4872-138-0x0000000074AB0000-0x0000000075061000-memory.dmp  Filesize: 5.7MB