Analysis
- max time kernel: 153s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-10-2022 01:57
Static task: static1
Behavioral task: behavioral1
- Sample: d6e84941ce5d258a635374d5d3a35b7b50f920c9da6d2804c3469e2681c9a525.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: d6e84941ce5d258a635374d5d3a35b7b50f920c9da6d2804c3469e2681c9a525.exe
- Resource: win10v2004-20220812-en
General
- Target: d6e84941ce5d258a635374d5d3a35b7b50f920c9da6d2804c3469e2681c9a525.exe
- Size: 576KB
- MD5: 371a9e97a6c1a198db1735eadd2ddde0
- SHA1: 3fc4f4b63e43d9219168ff80855242c68c8308c4
- SHA256: d6e84941ce5d258a635374d5d3a35b7b50f920c9da6d2804c3469e2681c9a525
- SHA512: f717b3c86a659921cb0a64144928f41cf975f0510a43bf4f416cf24a1d57926e77fd7244fb684ace2f8af3f9ca59646de7bbba8b7b2647d37943703a5e6a1a97
- SSDEEP: 12288:o1NbHByjm6KffQjrkQR8Lx1ahP+dmyyGlcWH:sbHgjmYj4QSLLaN+dmyyGL
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: Szwaby
- C2: scamher.chickenkiller.com:55554
- Mutex: 0391c958660a9aa52aecefa0d373bda0
- reg_key: 0391c958660a9aa52aecefa0d373bda0
- splitter: |'|'|
Signatures
- Executes dropped EXE (3 IoCs)
  Processes: FINAL.exe (pid 2744), K7C.exe (pid 2224), Updater.exe (pid 1568)
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (by d6e84941ce5d258a635374d5d3a35b7b50f920c9da6d2804c3469e2681c9a525.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (by FINAL.exe)
- Drops startup file (2 IoCs)
  Processes:
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0391c958660a9aa52aecefa0d373bda0.exe (by Updater.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0391c958660a9aa52aecefa0d373bda0.exe (by Updater.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  - Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0391c958660a9aa52aecefa0d373bda0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Updater.exe\" .." (by Updater.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0391c958660a9aa52aecefa0d373bda0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Updater.exe\" .." (by Updater.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: K7C.exe (pid 2224), 64 identical events
- Suspicious use of AdjustPrivilegeToken (29 IoCs)
  Processes: Updater.exe (pid 1568): Token: SeDebugPrivilege (1 event), then Token: 33 and Token: SeIncBasePriorityPrivilege alternating (14 events each)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (each pair recorded three times):
  - PID 2220 (d6e84941ce5d258a635374d5d3a35b7b50f920c9da6d2804c3469e2681c9a525.exe) wrote to memory of PID 2744 (FINAL.exe)
  - PID 2220 (d6e84941ce5d258a635374d5d3a35b7b50f920c9da6d2804c3469e2681c9a525.exe) wrote to memory of PID 2224 (K7C.exe)
  - PID 2744 (FINAL.exe) wrote to memory of PID 1568 (Updater.exe)
  - PID 1568 (Updater.exe) wrote to memory of PID 2132 (netsh.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\d6e84941ce5d258a635374d5d3a35b7b50f920c9da6d2804c3469e2681c9a525.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d6e84941ce5d258a635374d5d3a35b7b50f920c9da6d2804c3469e2681c9a525.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\FINAL.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\FINAL.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - Child process: C:\Users\Admin\AppData\Local\Temp\Updater.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Updater.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - Child process: C:\Windows\SysWOW64\netsh.exe (level 4)
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Updater.exe" "Updater.exe" ENABLE
        - Modifies Windows Firewall
  - Child process: C:\Users\Admin\AppData\Local\Temp\K7C.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\K7C.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
- C:\Users\Admin\AppData\Local\Temp\FINAL.exe
  Filesize: 23KB
  MD5: b047f49e5cf1754aa6c724d8b6c3a156
  SHA1: 30d868579371b3f904b02b19b2220292d129babd
  SHA256: 8cfa7483199a3227b41b550cd0be66b9048390084f9a456af5ce05082145c698
  SHA512: 583a6a8493e497aef0445020382c7ede3a47dd2cc070d4ce3fa85545d16f16219da964c22f09a43d9614d9c3586dcf12f45946e071d3b7153064f00b51e0f184
- C:\Users\Admin\AppData\Local\Temp\K7C.exe
  Filesize: 169KB
  MD5: 9f08c4f3854154cee2d24d09ece88150
  SHA1: 7ef1926d89117b9cbaa1857559bacf52886f6556
  SHA256: e721f7f250214fbedac6a6393842f43a455af8969a61ef219a67df7e8ac8764d
  SHA512: 199de99c8164f5efa9b10009067c37260a9a7827fffce0f1a8514b136372e474520619898db41fdc51706eaea197fa5b5e470d4541c8085c77d5eddcb9148b01
- C:\Users\Admin\AppData\Local\Temp\Updater.exe (same hashes as FINAL.exe)
  Filesize: 23KB
  MD5: b047f49e5cf1754aa6c724d8b6c3a156
  SHA1: 30d868579371b3f904b02b19b2220292d129babd
  SHA256: 8cfa7483199a3227b41b550cd0be66b9048390084f9a456af5ce05082145c698
  SHA512: 583a6a8493e497aef0445020382c7ede3a47dd2cc070d4ce3fa85545d16f16219da964c22f09a43d9614d9c3586dcf12f45946e071d3b7153064f00b51e0f184
- memory/1568-145-0x0000000074EC0000-0x0000000075471000-memory.dmp (Filesize: 5.7MB)
- memory/1568-147-0x0000000074EC0000-0x0000000075471000-memory.dmp (Filesize: 5.7MB)
- memory/1568-141-0x0000000000000000-mapping.dmp
- memory/2132-146-0x0000000000000000-mapping.dmp
- memory/2220-132-0x0000000074EC0000-0x0000000075471000-memory.dmp (Filesize: 5.7MB)
- memory/2220-138-0x0000000074EC0000-0x0000000075471000-memory.dmp (Filesize: 5.7MB)
- memory/2224-136-0x0000000000000000-mapping.dmp
- memory/2744-144-0x0000000074EC0000-0x0000000075471000-memory.dmp (Filesize: 5.7MB)
- memory/2744-139-0x0000000074EC0000-0x0000000075471000-memory.dmp (Filesize: 5.7MB)
- memory/2744-133-0x0000000000000000-mapping.dmp