Analysis

max time kernel: 171s
max time network: 174s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/10/2022, 15:27

Static task: static1

Behavioral task: behavioral1
Sample: 3e52e49f1c0ea5cdeb5314f894f481c553b3841eec4c0a2ba8b5aa183affd3fc.exe
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: 3e52e49f1c0ea5cdeb5314f894f481c553b3841eec4c0a2ba8b5aa183affd3fc.exe
Resource: win10v2004-20220812-en
General

Target: 3e52e49f1c0ea5cdeb5314f894f481c553b3841eec4c0a2ba8b5aa183affd3fc.exe
Size: 270KB
MD5: 6e9b21506f657614800e3893b2954e80
SHA1: 5b41d28b20a29996be71d1776637591c09200c2a
SHA256: 3e52e49f1c0ea5cdeb5314f894f481c553b3841eec4c0a2ba8b5aa183affd3fc
SHA512: bffa7110047b6596b6635b92dd6869c0d9e17d39f65281f85507b6ee3fdd9a060b37ef14e1a077719614c3ca042237901cfcb83b6c9a08f2dcca42a7781e37d9
SSDEEP: 6144:jDKW1Lgbdl0TBBvjc/J0Lv5Usy19CX/7y2cznP:3h1Lk70TnvjcB0bHy2yRT
Malware Config

Extracted
Family: njrat
Version: 0.6.4
Botnet: HacKed
C2: superstart.myq-see.com:1177
Mutex: 8bb662d6a258d1485dea4aedcf4aeffe
Attributes:
  reg_key: 8bb662d6a258d1485dea4aedcf4aeffe
  splitter: |'|'|
Signatures

Executes dropped EXE (2 IoCs)
PID   Process
3964  552.exe
4084  AppData.exe

Modifies Windows Firewall (1 TTPs, 1 IoCs)
PID   Process
3740  netsh.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Description: Key value queried
IoC: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
Process: 552.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Description: Set value (str)
IoC: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8bb662d6a258d1485dea4aedcf4aeffe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppData.exe\" .."
Process: AppData.exe
Description: Set value (str)
IoC: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\8bb662d6a258d1485dea4aedcf4aeffe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppData.exe\" .."
Process: AppData.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (18 IoCs)
PID   Process
4084  AppData.exe (the same entry is recorded 18 times)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Description               PID   Process
Token: SeDebugPrivilege   4344  3e52e49f1c0ea5cdeb5314f894f481c553b3841eec4c0a2ba8b5aa183affd3fc.exe
Token: SeDebugPrivilege   4084  AppData.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Description                        PID   Process                                                                 procid_target
PID 4344 wrote to memory of 3964   4344  3e52e49f1c0ea5cdeb5314f894f481c553b3841eec4c0a2ba8b5aa183affd3fc.exe   88 (recorded 3 times)
PID 3964 wrote to memory of 4084   3964  552.exe                                                                 89 (recorded 3 times)
PID 4084 wrote to memory of 3740   4084  AppData.exe                                                             90 (recorded 3 times)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\3e52e49f1c0ea5cdeb5314f894f481c553b3841eec4c0a2ba8b5aa183affd3fc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3e52e49f1c0ea5cdeb5314f894f481c553b3841eec4c0a2ba8b5aa183affd3fc.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4344

    [2] C:\Users\Admin\AppData\Local\Temp\552.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\552.exe
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory
        PID: 3964

        [3] C:\Users\Admin\AppData\Local\Temp\AppData.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\AppData.exe"
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 4084

            [4] C:\Windows\SysWOW64\netsh.exe
                Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\AppData.exe" "AppData.exe" ENABLE
                - Modifies Windows Firewall
                PID: 3740
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 29KB
MD5: 04d514fd111108a2779ce9cf1c309a6c
SHA1: 67caefd124d7abd73f4f8bc0c227c1b17f28c06d
SHA256: 7aacc883ad4aa7c0c6edf46d64380adf2ec9bfa7f8b6dfe2c0ac2b973bd6873b
SHA512: 38b22748e9e19780503584e3e7a6566c30acd259988bc6f5abfb181f81ff6666934c4b0ae54e3a835542e7a0b1becbcb9e632d8c964662a95729238ddf6d8a2f