Analysis
- max time kernel: 153s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-10-2022 00:48
Behavioral task: behavioral1
- Sample: b1a3c81101a64476b401a8889c4a2280a5a4e591bb4e5d184074934fade23c48.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: b1a3c81101a64476b401a8889c4a2280a5a4e591bb4e5d184074934fade23c48.exe
- Resource: win10v2004-20220812-en
General
- Target: b1a3c81101a64476b401a8889c4a2280a5a4e591bb4e5d184074934fade23c48.exe
- Size: 194KB
- MD5: 67ca864acaba6a7e02502538cc497760
- SHA1: 3cb2eaa09e9ae1ae64451fe7745d83118cfcdd6d
- SHA256: b1a3c81101a64476b401a8889c4a2280a5a4e591bb4e5d184074934fade23c48
- SHA512: 2b32bcf490129f4e7a92987f6775b45fbab74377ed57d7d89a38136026459063df0ed43ef38da72610ecff3733a88ce144f3713391ea1278114729241f847244
- SSDEEP: 1536:jfIshKRWuWIzbouo8I0JyT3zYX9j1oJYVyyT:jIs808ouoh0YTDy9j1o
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: chromehost.ddns.net:200
- Mutex: c96ffc7155e33bdb2e471b2aad6e0049
- reg_key: c96ffc7155e33bdb2e471b2aad6e0049
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  664 | server.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | b1a3c81101a64476b401a8889c4a2280a5a4e591bb4e5d184074934fade23c48.exe
- Drops startup file (2 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c96ffc7155e33bdb2e471b2aad6e0049.exe | server.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c96ffc7155e33bdb2e471b2aad6e0049.exe | server.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c96ffc7155e33bdb2e471b2aad6e0049 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .." | server.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\c96ffc7155e33bdb2e471b2aad6e0049 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .." | server.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 664 | server.exe
  The remaining 30 entries alternate between Token: 33 and Token: SeIncBasePriorityPrivilege (15 of each), all for pid 664 server.exe.
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description | pid | process | target process
  PID 4352 wrote to memory of 664 | 4352 | b1a3c81101a64476b401a8889c4a2280a5a4e591bb4e5d184074934fade23c48.exe | server.exe
  PID 4352 wrote to memory of 664 | 4352 | b1a3c81101a64476b401a8889c4a2280a5a4e591bb4e5d184074934fade23c48.exe | server.exe
  PID 4352 wrote to memory of 664 | 4352 | b1a3c81101a64476b401a8889c4a2280a5a4e591bb4e5d184074934fade23c48.exe | server.exe
  PID 664 wrote to memory of 3412 | 664 | server.exe | netsh.exe
  PID 664 wrote to memory of 3412 | 664 | server.exe | netsh.exe
  PID 664 wrote to memory of 3412 | 664 | server.exe | netsh.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\b1a3c81101a64476b401a8889c4a2280a5a4e591bb4e5d184074934fade23c48.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b1a3c81101a64476b401a8889c4a2280a5a4e591bb4e5d184074934fade23c48.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\server.exe
      Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\server.exe
  Filesize: 194KB
  MD5: 67ca864acaba6a7e02502538cc497760
  SHA1: 3cb2eaa09e9ae1ae64451fe7745d83118cfcdd6d
  SHA256: b1a3c81101a64476b401a8889c4a2280a5a4e591bb4e5d184074934fade23c48
  SHA512: 2b32bcf490129f4e7a92987f6775b45fbab74377ed57d7d89a38136026459063df0ed43ef38da72610ecff3733a88ce144f3713391ea1278114729241f847244
- memory/664-134-0x0000000000000000-mapping.dmp
- memory/664-138-0x00000000752B0000-0x0000000075861000-memory.dmp
  Filesize: 5.7MB
- memory/664-140-0x00000000752B0000-0x0000000075861000-memory.dmp
  Filesize: 5.7MB
- memory/3412-139-0x0000000000000000-mapping.dmp
- memory/4352-132-0x00000000752B0000-0x0000000075861000-memory.dmp
  Filesize: 5.7MB
- memory/4352-133-0x00000000752B0000-0x0000000075861000-memory.dmp
  Filesize: 5.7MB
- memory/4352-137-0x00000000752B0000-0x0000000075861000-memory.dmp
  Filesize: 5.7MB