Analysis
  max time kernel: 151s
  max time network: 149s
  platform: windows10-2004_x64
  resource: win10v2004-20220901-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 03-10-2022 15:19
Behavioral task: behavioral1
  Sample: 0675fd2f6ba7508c0c7064d51223e4c5ae521a2a83d20f36189dcb5a15dbfaca.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 0675fd2f6ba7508c0c7064d51223e4c5ae521a2a83d20f36189dcb5a15dbfaca.exe
  Resource: win10v2004-20220901-en
General
  Target: 0675fd2f6ba7508c0c7064d51223e4c5ae521a2a83d20f36189dcb5a15dbfaca.exe
  Size: 31KB
  MD5: 489f6e07931800e86db3bec9e8975e70
  SHA1: a18fbcb963addef7350edc22ee2237662670cf57
  SHA256: 0675fd2f6ba7508c0c7064d51223e4c5ae521a2a83d20f36189dcb5a15dbfaca
  SHA512: f34f361cec82029883add77479c9cffff2cfcbc6fee82b36cbf20cbf0ae2eff6a0bfcc1cd7b330b6c695cf644db903c5daac721a3496a53d53b5c9694ef9dfca
  SSDEEP: 384:0XUHEBl7p3hUw2s7hv55gEKemqDSqre/IDGBsbh0w4wlAokw9OhgOL1vYRGOZz3z:0L7bUw2CtkEcqNreHBKh0p29SgRR/
Malware Config
  Extracted: njrat
    0.6.4
    HacKed
    mooooooz.zapto.org:1177
    5cd8f17f4086744065eb0992a09e05a2
    reg_key: 5cd8f17f4086744065eb0992a09e05a2
    splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    3540  Trojan.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description        ioc                                                                                                   process
    Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  0675fd2f6ba7508c0c7064d51223e4c5ae521a2a83d20f36189dcb5a15dbfaca.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description      ioc                                                                                                                                                                                   process
    Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."  Trojan.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."                             Trojan.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (45 IoCs)
  Processes:
    pid   process
    3540  Trojan.exe  (this row is repeated 45 times)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description               pid   process
    Token: SeDebugPrivilege   3540  Trojan.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                        pid   process                                                                target process
    PID 3716 wrote to memory of 3540   3716  0675fd2f6ba7508c0c7064d51223e4c5ae521a2a83d20f36189dcb5a15dbfaca.exe  Trojan.exe  (3 entries)
    PID 3540 wrote to memory of 4324   3540  Trojan.exe                                                             netsh.exe   (3 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\0675fd2f6ba7508c0c7064d51223e4c5ae521a2a83d20f36189dcb5a15dbfaca.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\0675fd2f6ba7508c0c7064d51223e4c5ae521a2a83d20f36189dcb5a15dbfaca.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Trojan.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Trojan.exe
  Filesize: 31KB
  MD5: 489f6e07931800e86db3bec9e8975e70
  SHA1: a18fbcb963addef7350edc22ee2237662670cf57
  SHA256: 0675fd2f6ba7508c0c7064d51223e4c5ae521a2a83d20f36189dcb5a15dbfaca
  SHA512: f34f361cec82029883add77479c9cffff2cfcbc6fee82b36cbf20cbf0ae2eff6a0bfcc1cd7b330b6c695cf644db903c5daac721a3496a53d53b5c9694ef9dfca
- memory/3540-133-0x0000000000000000-mapping.dmp
- memory/3540-137-0x0000000075300000-0x00000000758B1000-memory.dmp
  Filesize: 5.7MB
- memory/3540-139-0x0000000075300000-0x00000000758B1000-memory.dmp
  Filesize: 5.7MB
- memory/3716-132-0x0000000075300000-0x00000000758B1000-memory.dmp
  Filesize: 5.7MB
- memory/3716-136-0x0000000075300000-0x00000000758B1000-memory.dmp
  Filesize: 5.7MB
- memory/4324-138-0x0000000000000000-mapping.dmp