Analysis
- max time kernel: 159s
- max time network: 169s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-10-2022 01:19
Static task: static1
Behavioral task: behavioral1
- Sample: 486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe
- Resource: win10v2004-20220812-en
General
- Target: 486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe
- Size: 320KB
- MD5: 67c17d16cda6cdabd9b3e4d5bd0f9a30
- SHA1: fe9d1dc96b44fae3cd06b4db3447f61bcc93262b
- SHA256: 486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3
- SHA512: 30525df3a7c45e93f77acebdfddc73bf01726725dd7f719f046c3502a002fc376e7c3c2d5db2774b151bdaa2b99549e0dbf96242d26e1ee7973678b9a3f26107
- SSDEEP: 6144:PMOhqDDjBG3q28TKH3kdULeaSqVig4D033ziJztkIMao:PMO+PBA85tkIMa
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: ahmedgaradi55.zapto.org:1177
- Mutex: cd9343d50c47eda1c5088069633d7730
- reg_key: cd9343d50c47eda1c5088069633d7730
- splitter: |'|'|
Signatures
- Executes dropped EXE (2 IoCs)
  Processes: hg.exe (pid 3928), hg.exe (pid 2112)
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (process 486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: hg.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cd9343d50c47eda1c5088069633d7730 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\hg.exe\" .." (process hg.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cd9343d50c47eda1c5088069633d7730 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\hg.exe\" .." (process hg.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: 486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe, hg.exe
  PID 2160 (486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe) set thread context of 2032 (486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe)
  PID 3928 (hg.exe) set thread context of 2112 (hg.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: 486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe, hg.exe
  pid 2160 486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe (3 entries)
  pid 3928 hg.exe (3 entries)
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Processes: 486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe, hg.exe, hg.exe
  Token: SeDebugPrivilege, pid 2160 486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe
  Token: SeDebugPrivilege, pid 3928 hg.exe
  Token: SeDebugPrivilege, pid 2112 hg.exe
  Token: 33, pid 2112 hg.exe (14 entries, alternating with the following)
  Token: SeIncBasePriorityPrivilege, pid 2112 hg.exe (14 entries)
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: 486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe, 486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe, hg.exe, hg.exe
  PID 2160 (486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe) wrote to memory of 2032 (486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe) (5 entries)
  PID 2032 (486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe) wrote to memory of 3928 (hg.exe) (3 entries)
  PID 3928 (hg.exe) wrote to memory of 2112 (hg.exe) (5 entries)
  PID 2112 (hg.exe) wrote to memory of 3736 (netsh.exe) (3 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\hg.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\hg.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\hg.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\hg.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\hg.exe" "hg.exe" ENABLE
          - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe.log
  Filesize: 1KB
  MD5: 9a2d0ce437d2445330f2646472703087
  SHA1: 33c83e484a15f35c2caa3af62d5da6b7713a20ae
  SHA256: 30ea2f716e85f8d14a201e3fb0897d745a01b113342dfb7a9b7ac133c4ef150c
  SHA512: a61d18d90bfad9ea8afdfa37537cfea3d5a3d0c161e323fa65840c283bdc87c3de85daaff5519beea2f2719eec1c68398eea8679b55ff733a61052f073162d5d
- C:\Users\Admin\AppData\Local\Temp\hg.exe
  Filesize: 320KB
  MD5: 67c17d16cda6cdabd9b3e4d5bd0f9a30
  SHA1: fe9d1dc96b44fae3cd06b4db3447f61bcc93262b
  SHA256: 486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3
  SHA512: 30525df3a7c45e93f77acebdfddc73bf01726725dd7f719f046c3502a002fc376e7c3c2d5db2774b151bdaa2b99549e0dbf96242d26e1ee7973678b9a3f26107
- memory/2032-138-0x0000000000400000-0x000000000040C000-memory.dmp: 48KB
- memory/2032-137-0x0000000000000000-mapping.dmp
- memory/2112-143-0x0000000000000000-mapping.dmp
- memory/2160-132-0x00000000008B0000-0x0000000000906000-memory.dmp: 344KB
- memory/2160-136-0x00000000052B0000-0x00000000052BA000-memory.dmp: 40KB
- memory/2160-135-0x0000000005390000-0x0000000005422000-memory.dmp: 584KB
- memory/2160-134-0x0000000005940000-0x0000000005EE4000-memory.dmp: 5.6MB
- memory/2160-133-0x00000000052F0000-0x000000000538C000-memory.dmp: 624KB
- memory/3736-146-0x0000000000000000-mapping.dmp
- memory/3928-139-0x0000000000000000-mapping.dmp