Analysis
max time kernel: 152s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-10-2022 22:53
Behavioral task: behavioral1
Sample: 7916255e1713df00ed5e437a6b363f322059d171dc4dbdb335c759cb47eab75c.exe
Resource: win7-20220901-en
Behavioral task: behavioral2
Sample: 7916255e1713df00ed5e437a6b363f322059d171dc4dbdb335c759cb47eab75c.exe
Resource: win10v2004-20220901-en
General
Target: 7916255e1713df00ed5e437a6b363f322059d171dc4dbdb335c759cb47eab75c.exe
Size: 23KB
MD5: 51a36bce2022f66cdabb97df479bd850
SHA1: 68397ef3c39c3a45c1e1837bf7da1f1c8fe421f3
SHA256: 7916255e1713df00ed5e437a6b363f322059d171dc4dbdb335c759cb47eab75c
SHA512: ce0a17bf36f042ef5c43015980029787247e1eb1dd2c1e6f07f073a3a65e13e25199b0c5816a55e03c06ec566b499afb3c8f5bc54ef21c353b685328892c513a
SSDEEP: 384:IKQ+ILgIbOprgPsUOSU0kB1kd6dg7GYh/JomRvR6JZlbw8hqIusZzZ4+:8LL6MVU0NRpcnuk
Malware Config
Extracted
Family: njrat
Version: 0.7d
Campaign ID: HacKed
C2: ad93.myq-see.com:1177
Mutex: 2100c8d153b7aee33b7df3db233ea562
reg_key: 2100c8d153b7aee33b7df3db233ea562
splitter: |'|'|
Signatures
Executes dropped EXE (1 IoC)
Processes: task.exe (PID 3228)
Modifies Windows Firewall (1 TTP, 1 IoC)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 7916255e1713df00ed5e437a6b363f322059d171dc4dbdb335c759cb47eab75c.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (7916255e1713df00ed5e437a6b363f322059d171dc4dbdb335c759cb47eab75c.exe)
Drops startup file (2 IoCs)
Processes: task.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2100c8d153b7aee33b7df3db233ea562.exe (task.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2100c8d153b7aee33b7df3db233ea562.exe (task.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: task.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2100c8d153b7aee33b7df3db233ea562 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\task.exe\" .." (task.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\2100c8d153b7aee33b7df3db233ea562 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\task.exe\" .." (task.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (33 IoCs)
Processes: task.exe (PID 3228)
  Token: SeDebugPrivilege (PID 3228, task.exe)
  Token: 33 (PID 3228, task.exe); Token: SeIncBasePriorityPrivilege (PID 3228, task.exe)
  Token: 33 (PID 3228, task.exe); Token: SeIncBasePriorityPrivilege (PID 3228, task.exe)
  Token: 33 (PID 3228, task.exe); Token: SeIncBasePriorityPrivilege (PID 3228, task.exe)
  Token: 33 (PID 3228, task.exe); Token: SeIncBasePriorityPrivilege (PID 3228, task.exe)
  Token: 33 (PID 3228, task.exe); Token: SeIncBasePriorityPrivilege (PID 3228, task.exe)
  Token: 33 (PID 3228, task.exe); Token: SeIncBasePriorityPrivilege (PID 3228, task.exe)
  Token: 33 (PID 3228, task.exe); Token: SeIncBasePriorityPrivilege (PID 3228, task.exe)
  Token: 33 (PID 3228, task.exe); Token: SeIncBasePriorityPrivilege (PID 3228, task.exe)
  Token: 33 (PID 3228, task.exe); Token: SeIncBasePriorityPrivilege (PID 3228, task.exe)
  Token: 33 (PID 3228, task.exe); Token: SeIncBasePriorityPrivilege (PID 3228, task.exe)
  Token: 33 (PID 3228, task.exe); Token: SeIncBasePriorityPrivilege (PID 3228, task.exe)
  Token: 33 (PID 3228, task.exe); Token: SeIncBasePriorityPrivilege (PID 3228, task.exe)
  Token: 33 (PID 3228, task.exe); Token: SeIncBasePriorityPrivilege (PID 3228, task.exe)
  Token: 33 (PID 3228, task.exe); Token: SeIncBasePriorityPrivilege (PID 3228, task.exe)
  Token: 33 (PID 3228, task.exe); Token: SeIncBasePriorityPrivilege (PID 3228, task.exe)
  Token: 33 (PID 3228, task.exe); Token: SeIncBasePriorityPrivilege (PID 3228, task.exe)
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 7916255e1713df00ed5e437a6b363f322059d171dc4dbdb335c759cb47eab75c.exe, task.exe
  PID 232 wrote to memory of 3228 (7916255e1713df00ed5e437a6b363f322059d171dc4dbdb335c759cb47eab75c.exe -> task.exe)
  PID 232 wrote to memory of 3228 (7916255e1713df00ed5e437a6b363f322059d171dc4dbdb335c759cb47eab75c.exe -> task.exe)
  PID 232 wrote to memory of 3228 (7916255e1713df00ed5e437a6b363f322059d171dc4dbdb335c759cb47eab75c.exe -> task.exe)
  PID 3228 wrote to memory of 4592 (task.exe -> netsh.exe)
  PID 3228 wrote to memory of 4592 (task.exe -> netsh.exe)
  PID 3228 wrote to memory of 4592 (task.exe -> netsh.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\7916255e1713df00ed5e437a6b363f322059d171dc4dbdb335c759cb47eab75c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7916255e1713df00ed5e437a6b363f322059d171dc4dbdb335c759cb47eab75c.exe"
   PID: 232
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\task.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\task.exe"
      PID: 3228
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\task.exe" "task.exe" ENABLE
         PID: 4592
         - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\task.exe
Filesize: 23KB
MD5: 51a36bce2022f66cdabb97df479bd850
SHA1: 68397ef3c39c3a45c1e1837bf7da1f1c8fe421f3
SHA256: 7916255e1713df00ed5e437a6b363f322059d171dc4dbdb335c759cb47eab75c
SHA512: ce0a17bf36f042ef5c43015980029787247e1eb1dd2c1e6f07f073a3a65e13e25199b0c5816a55e03c06ec566b499afb3c8f5bc54ef21c353b685328892c513a
memory/232-132-0x00000000753C0000-0x0000000075971000-memory.dmp (Filesize: 5.7MB)
memory/232-136-0x00000000753C0000-0x0000000075971000-memory.dmp (Filesize: 5.7MB)
memory/3228-133-0x0000000000000000-mapping.dmp
memory/3228-137-0x00000000753C0000-0x0000000075971000-memory.dmp (Filesize: 5.7MB)
memory/3228-139-0x00000000753C0000-0x0000000075971000-memory.dmp (Filesize: 5.7MB)
memory/4592-138-0x0000000000000000-mapping.dmp