Analysis
- max time kernel: 152s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-10-2022 09:10
Behavioral task: behavioral1
- Sample: 8b40040cf08471cecbad21a1199b23336bcca69d97220ef0e592fe5106d118f2.exe
- Resource: win7-20220812-en
General
- Target: 8b40040cf08471cecbad21a1199b23336bcca69d97220ef0e592fe5106d118f2.exe
- Size: 66KB
- MD5: 678736f0c01d5772c5fe8f17c2a2f0a0
- SHA1: 6fd5092205a163cdd409a28a321221d4e12ebc96
- SHA256: 8b40040cf08471cecbad21a1199b23336bcca69d97220ef0e592fe5106d118f2
- SHA512: 8d9f62978cf91e597d4a8e19e2747a5d70fcbb42deaf3c4036a0c15454a959f59ca2350f4d30ce55cf09bd25f0cdf7f5004240d24c9ba374d72a72728fb21830
- SSDEEP: 1536:i7hWVUJZKhG29jD4Uj2qkSZZZ3gdt7j2qkSZZZD:sWVcQA29djYUG7jYi
Malware Config
Extracted
- family: njrat
- version: 0.6.4
- botnet: HacKed
- C2: redwaneboudaa.zapto.org:1177
- mutex: 6041060f82ac9ecc2165d44257f9aec8
- reg_key: 6041060f82ac9ecc2165d44257f9aec8
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes: rida.exe (pid 844)
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes: 8b40040cf08471cecbad21a1199b23336bcca69d97220ef0e592fe5106d118f2.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (48 IoCs)
  Processes: rida.exe (pid 844), 48 occurrences
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: rida.exe (pid 844), Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  - PID 816 (8b40040cf08471cecbad21a1199b23336bcca69d97220ef0e592fe5106d118f2.exe) wrote to memory of PID 844 (rida.exe), 3 occurrences
  - PID 844 (rida.exe) wrote to memory of PID 4512 (netsh.exe), 3 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\8b40040cf08471cecbad21a1199b23336bcca69d97220ef0e592fe5106d118f2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8b40040cf08471cecbad21a1199b23336bcca69d97220ef0e592fe5106d118f2.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\rida.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\rida.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\rida.exe" "rida.exe" ENABLE
      - Modifies Windows Firewall
Downloads
- C:\Users\Admin\AppData\Local\Temp\rida.exe (same hashes as the submitted sample)
  Filesize: 66KB
  MD5: 678736f0c01d5772c5fe8f17c2a2f0a0
  SHA1: 6fd5092205a163cdd409a28a321221d4e12ebc96
  SHA256: 8b40040cf08471cecbad21a1199b23336bcca69d97220ef0e592fe5106d118f2
  SHA512: 8d9f62978cf91e597d4a8e19e2747a5d70fcbb42deaf3c4036a0c15454a959f59ca2350f4d30ce55cf09bd25f0cdf7f5004240d24c9ba374d72a72728fb21830
- memory/816-132-0x0000000075510000-0x0000000075AC1000-memory.dmp (filesize 5.7MB)
- memory/816-137-0x0000000075510000-0x0000000075AC1000-memory.dmp (filesize 5.7MB)
- memory/844-133-0x0000000000000000-mapping.dmp
- memory/844-138-0x0000000075510000-0x0000000075AC1000-memory.dmp (filesize 5.7MB)
- memory/844-139-0x0000000075510000-0x0000000075AC1000-memory.dmp (filesize 5.7MB)
- memory/4512-136-0x0000000000000000-mapping.dmp