Analysis
max time kernel: 153s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-10-2022 01:10
Behavioral task: behavioral1
Sample: 652c0a54d276d3b8582844171189c9242ee71e20f8040dcf990724508fa15077.exe
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: 652c0a54d276d3b8582844171189c9242ee71e20f8040dcf990724508fa15077.exe
Resource: win10v2004-20220812-en
General
Target: 652c0a54d276d3b8582844171189c9242ee71e20f8040dcf990724508fa15077.exe
Size: 130KB
MD5: 6cf87883c44fab14135667d29be27a60
SHA1: 18b6cb7665ce36c9dc43fc3f7e72879411650d95
SHA256: 652c0a54d276d3b8582844171189c9242ee71e20f8040dcf990724508fa15077
SHA512: 8e4fb664d5b4c3cde1c38ca21158dba7620e992fddfb1f0f3a769b65112883640511594d505b8ea2db3f92404c7186bf59dd4d1db677ea27cec29f764c7ec4a7
SSDEEP: 3072:XYIG0RFac0eq2+e+UfVOI/++XmaAfkYmztzG163:q2f9+0h2XfPmztzG16
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: HacKed
C2: 127.0.0.1:80
Mutex: f28593ab4d0e2dcddc48d27d99c13439
reg_key: f28593ab4d0e2dcddc48d27d99c13439
splitter: |'|'|
Signatures

Executes dropped EXE (1 IoCs)
Processes (pid, process):
  5032  server.exe

Modifies Windows Firewall (1 TTPs, 1 IoCs)

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  652c0a54d276d3b8582844171189c9242ee71e20f8040dcf990724508fa15077.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description, ioc, process):
  Set value (str)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f28593ab4d0e2dcddc48d27d99c13439 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."  server.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\f28593ab4d0e2dcddc48d27d99c13439 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."  server.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (33 IoCs)
Processes (description, pid, process):
  Token: SeDebugPrivilege  5032  server.exe
  Token: 33  5032  server.exe
  Token: SeIncBasePriorityPrivilege  5032  server.exe
  Token: 33  5032  server.exe
  Token: SeIncBasePriorityPrivilege  5032  server.exe
  Token: 33  5032  server.exe
  Token: SeIncBasePriorityPrivilege  5032  server.exe
  Token: 33  5032  server.exe
  Token: SeIncBasePriorityPrivilege  5032  server.exe
  Token: 33  5032  server.exe
  Token: SeIncBasePriorityPrivilege  5032  server.exe
  Token: 33  5032  server.exe
  Token: SeIncBasePriorityPrivilege  5032  server.exe
  Token: 33  5032  server.exe
  Token: SeIncBasePriorityPrivilege  5032  server.exe
  Token: 33  5032  server.exe
  Token: SeIncBasePriorityPrivilege  5032  server.exe
  Token: 33  5032  server.exe
  Token: SeIncBasePriorityPrivilege  5032  server.exe
  Token: 33  5032  server.exe
  Token: SeIncBasePriorityPrivilege  5032  server.exe
  Token: 33  5032  server.exe
  Token: SeIncBasePriorityPrivilege  5032  server.exe
  Token: 33  5032  server.exe
  Token: SeIncBasePriorityPrivilege  5032  server.exe
  Token: 33  5032  server.exe
  Token: SeIncBasePriorityPrivilege  5032  server.exe
  Token: 33  5032  server.exe
  Token: SeIncBasePriorityPrivilege  5032  server.exe
  Token: 33  5032  server.exe
  Token: SeIncBasePriorityPrivilege  5032  server.exe
  Token: 33  5032  server.exe
  Token: SeIncBasePriorityPrivilege  5032  server.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes (description, pid, process, target process):
  PID 2192 wrote to memory of 5032  2192  652c0a54d276d3b8582844171189c9242ee71e20f8040dcf990724508fa15077.exe  server.exe
  PID 2192 wrote to memory of 5032  2192  652c0a54d276d3b8582844171189c9242ee71e20f8040dcf990724508fa15077.exe  server.exe
  PID 2192 wrote to memory of 5032  2192  652c0a54d276d3b8582844171189c9242ee71e20f8040dcf990724508fa15077.exe  server.exe
  PID 5032 wrote to memory of 5060  5032  server.exe  netsh.exe
  PID 5032 wrote to memory of 5060  5032  server.exe  netsh.exe
  PID 5032 wrote to memory of 5060  5032  server.exe  netsh.exe
Processes

C:\Users\Admin\AppData\Local\Temp\652c0a54d276d3b8582844171189c9242ee71e20f8040dcf990724508fa15077.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\652c0a54d276d3b8582844171189c9242ee71e20f8040dcf990724508fa15077.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\server.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize: 130KB
MD5: 6cf87883c44fab14135667d29be27a60
SHA1: 18b6cb7665ce36c9dc43fc3f7e72879411650d95
SHA256: 652c0a54d276d3b8582844171189c9242ee71e20f8040dcf990724508fa15077
SHA512: 8e4fb664d5b4c3cde1c38ca21158dba7620e992fddfb1f0f3a769b65112883640511594d505b8ea2db3f92404c7186bf59dd4d1db677ea27cec29f764c7ec4a7

memory/2192-132-0x0000000075310000-0x00000000758C1000-memory.dmp
Filesize: 5.7MB

memory/2192-136-0x0000000075310000-0x00000000758C1000-memory.dmp
Filesize: 5.7MB

memory/5032-133-0x0000000000000000-mapping.dmp

memory/5032-137-0x0000000075310000-0x00000000758C1000-memory.dmp
Filesize: 5.7MB

memory/5032-139-0x0000000075310000-0x00000000758C1000-memory.dmp
Filesize: 5.7MB

memory/5060-138-0x0000000000000000-mapping.dmp