Analysis
- max time kernel: 1802s
- max time network: 1834s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-10-2022 21:10
Static task: static1
Behavioral task: behavioral1
- Sample: 74010de42a61c8836e3139b705d25bfbf12879c772594e614fc690a1878280e8.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: 74010de42a61c8836e3139b705d25bfbf12879c772594e614fc690a1878280e8.exe
- Resource: win10-20220812-en
General
- Target: 74010de42a61c8836e3139b705d25bfbf12879c772594e614fc690a1878280e8.exe
- Size: 572KB
- MD5: 3c62f18b9cc44d48e2187bf66d9fae04
- SHA1: 7010bf5ae66555b4891eb32b9e7b1e2ab603bf8b
- SHA256: 74010de42a61c8836e3139b705d25bfbf12879c772594e614fc690a1878280e8
- SHA512: 2f82f30fbfe30b2be09538e9c0c465aa9fd71135e42cd9103b56a1ed4dbabcf1347475aa78277d7b87ade5c217e20f39896466cd3309010a81208015d1b028d6
- SSDEEP: 12288:hToPWBv/cpGrU3yXoT77F1KQSSOS14Gr59aAqg4/G:hTbBv5rUfFnSST14GrfAR/G
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: FRANSESCOTQ3LjE4NS4yFRANSESCOjEuFRANSESCOjEx:MjAxMTE=
- Mutex: 15c02f637abec4a65e1044f0fcf0abcc
- reg_key: 15c02f637abec4a65e1044f0fcf0abcc
- splitter: |'|'|
Signatures
- Executes dropped EXE (3 IoCs)
  Processes:
    pid 112   wifi.exe
    pid 3540  conhost.exe
    pid 4496  system.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
    process: 74010de42a61c8836e3139b705d25bfbf12879c772594e614fc690a1878280e8.exe
- Drops startup file (2 IoCs)
  Processes:
    description: File created
    ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.lnk
    process: 74010de42a61c8836e3139b705d25bfbf12879c772594e614fc690a1878280e8.exe

    description: File created
    ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.lnk
    process: 74010de42a61c8836e3139b705d25bfbf12879c772594e614fc690a1878280e8.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes:
    pid 3540  conhost.exe
    pid 4496  system.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
    Token: SeDebugPrivilege            pid 4496  system.exe
    Token: SeDebugPrivilege            pid 3540  conhost.exe
    Token: 33                          pid 3540  conhost.exe
    Token: SeIncBasePriorityPrivilege  pid 3540  conhost.exe
    Token: 33                          pid 4496  system.exe
    Token: SeIncBasePriorityPrivilege  pid 4496  system.exe
    (the remaining entries repeat the last four rows, Token: 33 followed by Token: SeIncBasePriorityPrivilege, alternating between pid 3540 conhost.exe and pid 4496 system.exe, up to the 64 IoCs counted above)
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid 112   wifi.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (source pid / process wrote to memory of target pid / process; number of identical entries in parentheses):
    4892 74010de42a61c8836e3139b705d25bfbf12879c772594e614fc690a1878280e8.exe -> 1008 cmd.exe (3)
    1008 cmd.exe -> 2620 cmd.exe (3)
    2620 cmd.exe -> 112 wifi.exe (3)
    1008 cmd.exe -> 320 cmd.exe (3)
    320 cmd.exe -> 3540 conhost.exe (3)
    1008 cmd.exe -> 2280 cmd.exe (3)
    2280 cmd.exe -> 4496 system.exe (2)
    3540 conhost.exe -> 4644 netsh.exe (3)
Processes (indented by process-tree depth; the level number follows each path)
- Level 1: C:\Users\Admin\AppData\Local\Temp\74010de42a61c8836e3139b705d25bfbf12879c772594e614fc690a1878280e8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\74010de42a61c8836e3139b705d25bfbf12879c772594e614fc690a1878280e8.exe"
  - Checks computer location settings
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\a.bat" "
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c start wifi.exe
      - Suspicious use of WriteProcessMemory
      - Level 4: C:\Users\Admin\AppData\Local\Temp\RarSFX0\wifi.exe
        Command line: wifi.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
    - Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c start conhost.exe
      - Suspicious use of WriteProcessMemory
      - Level 4: C:\Users\Admin\AppData\Local\Temp\RarSFX0\conhost.exe
        Command line: conhost.exe
        - Executes dropped EXE
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - Level 5: C:\Windows\SysWOW64\netsh.exe
          Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\RarSFX0\conhost.exe" "conhost.exe" ENABLE
          - Modifies Windows Firewall
    - Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c start system.exe
      - Suspicious use of WriteProcessMemory
      - Level 4: C:\Users\Admin\AppData\Local\Temp\RarSFX0\system.exe
        Command line: system.exe
        - Executes dropped EXE
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\a.bat
  Filesize: 72B
  MD5: 1e69f563f624286bb08f54117072090f
  SHA1: 7ba580822307de955385917a4f6db8eb08e074fa
  SHA256: 27913eda39841546c3dfa735db3cdbbb5450a5388fca2cc2956e0ba3fdb9970b
  SHA512: a6e9af3f0eb0f69e2fbad033462de5b5fd423553c69379053b4626d381d754d3840e822e3eb4427d430ac8845457ae5eee7d8fa88781ae6fa4cb795f8f0a86aa
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\conhost.exe
  Filesize: 93KB
  MD5: c6364a0668fe7a9bac5b67fc6983586a
  SHA1: 0657571e752e99daaee81e96feddc915398ac90c
  SHA256: 45c0da24b5057cff90fcfd896a33ec9e4c7fb75e918c70a7e19e7ea6ddc806b0
  SHA512: fb23c1c9282a4ab641b4f7f08f8eb71558594e6611e258bd56990a1a6bbbd7aaaf8301f20815aa7c48d05372b4ad695336ee43b346e329350fbb59f01d240e56
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\system.exe
  Filesize: 159KB
  MD5: ec66102014000040e566229d431aa206
  SHA1: 16ec31507cf63505535bae4c931865afa8566b39
  SHA256: b7c257aac74c25f3fc568f579f64155d664f59a3743a5238df279c35d6435380
  SHA512: 74b40388a5e9f6ecadd2f43858009ccb8a1b66b799dd610bfcd7275dc0a04bc4d0ace56cc7b513a0a3c39fef4bb5a87f055fd5e22a5e6dcbd6bcdf050a2ea090
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\wifi.exe
  Filesize: 36KB
  MD5: 4b5a108918f563dab60d63a7e79b7046
  SHA1: cff2a9c877b786821fb8d8b9111e3724ace1de9f
  SHA256: a4eec1d719b512b3cbf4daff311db391269e5d63deb46f0c4da3d63f0833a3c0
  SHA512: a60cc3dbd33bb68d304df4e9870cf33a41e97fce9ad9c84b7d67ca89a68bf58050f1b1cea5ea14d0b299d217a8e1bf01dadd2b4b19a148346223bab11791e8a7
- memory/112-135-0x0000000000000000-mapping.dmp
- memory/320-138-0x0000000000000000-mapping.dmp
- memory/1008-132-0x0000000000000000-mapping.dmp
- memory/2280-142-0x0000000000000000-mapping.dmp
- memory/2620-134-0x0000000000000000-mapping.dmp
- memory/3540-140-0x0000000000000000-mapping.dmp
- memory/3540-150-0x0000000072740000-0x0000000072CF1000-memory.dmp
  Filesize: 5.7MB
- memory/3540-153-0x0000000072740000-0x0000000072CF1000-memory.dmp
  Filesize: 5.7MB
- memory/4496-145-0x0000000000000000-mapping.dmp
- memory/4496-148-0x0000000000E60000-0x0000000000E8E000-memory.dmp
  Filesize: 184KB
- memory/4496-149-0x00007FFA43FE0000-0x00007FFA44AA1000-memory.dmp
  Filesize: 10.8MB
- memory/4496-152-0x00007FFA43FE0000-0x00007FFA44AA1000-memory.dmp
  Filesize: 10.8MB
- memory/4644-151-0x0000000000000000-mapping.dmp