Analysis
- max time kernel: 151s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-10-2022 06:09
Behavioral task: behavioral1
- Sample: 44a951e984772c474b3509992d0d549fd5dd1e7bd548099ce5dfcab40554a6bd.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 44a951e984772c474b3509992d0d549fd5dd1e7bd548099ce5dfcab40554a6bd.exe
- Resource: win10v2004-20220901-en
General
- Target: 44a951e984772c474b3509992d0d549fd5dd1e7bd548099ce5dfcab40554a6bd.exe
- Size: 23KB
- MD5: 8126a74a7c567d80e2abce8eb3f6eaa0
- SHA1: da69d9da5b91914043a80bb7366678e6f1858c77
- SHA256: 44a951e984772c474b3509992d0d549fd5dd1e7bd548099ce5dfcab40554a6bd
- SHA512: cd1bc9e592aab9ac3f0ab7d789b1a4bf15cb16a6bbb30b967f257de2f40f29f8ea34daf726d33e1c63ca8fab660d5af8b43db133dfe96ca9570b4e016a8318f1
- SSDEEP: 384:sY324bcgPiJLQrfARGSRUJsbY6ZgvSMBD3t8mRvR6JZlbw8hqIusZzZB7:7L2s+tRyRpcnuq
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: Hack
- C2: aymaen.no-ip.biz:1177
- Mutex: 9ca6239950376da190bd1fc848cacaed
- Attributes:
  - reg_key: 9ca6239950376da190bd1fc848cacaed
  - splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  - pid 1392, process vlsr.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process):
  - Key value queried / \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation / 44a951e984772c474b3509992d0d549fd5dd1e7bd548099ce5dfcab40554a6bd.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
  - Set value (str) / \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9ca6239950376da190bd1fc848cacaed = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\vlsr.exe\" .." / vlsr.exe
  - Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\9ca6239950376da190bd1fc848cacaed = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\vlsr.exe\" .." / vlsr.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege / 1392 / vlsr.exe
  - Token: 33 and Token: SeIncBasePriorityPrivilege, alternating, for the remaining 34 entries / 1392 / vlsr.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid / process / target process):
  - PID 4760 wrote to memory of 1392 / 4760 / 44a951e984772c474b3509992d0d549fd5dd1e7bd548099ce5dfcab40554a6bd.exe / vlsr.exe
  - PID 4760 wrote to memory of 1392 / 4760 / 44a951e984772c474b3509992d0d549fd5dd1e7bd548099ce5dfcab40554a6bd.exe / vlsr.exe
  - PID 4760 wrote to memory of 1392 / 4760 / 44a951e984772c474b3509992d0d549fd5dd1e7bd548099ce5dfcab40554a6bd.exe / vlsr.exe
  - PID 1392 wrote to memory of 4048 / 1392 / vlsr.exe / netsh.exe
  - PID 1392 wrote to memory of 4048 / 1392 / vlsr.exe / netsh.exe
  - PID 1392 wrote to memory of 4048 / 1392 / vlsr.exe / netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\44a951e984772c474b3509992d0d549fd5dd1e7bd548099ce5dfcab40554a6bd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\44a951e984772c474b3509992d0d549fd5dd1e7bd548099ce5dfcab40554a6bd.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\vlsr.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\vlsr.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\vlsr.exe" "vlsr.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\vlsr.exe
  - Filesize: 23KB
  - MD5: 8126a74a7c567d80e2abce8eb3f6eaa0
  - SHA1: da69d9da5b91914043a80bb7366678e6f1858c77
  - SHA256: 44a951e984772c474b3509992d0d549fd5dd1e7bd548099ce5dfcab40554a6bd
  - SHA512: cd1bc9e592aab9ac3f0ab7d789b1a4bf15cb16a6bbb30b967f257de2f40f29f8ea34daf726d33e1c63ca8fab660d5af8b43db133dfe96ca9570b4e016a8318f1
- memory/1392-133-0x0000000000000000-mapping.dmp
- memory/1392-137-0x0000000074F10000-0x00000000754C1000-memory.dmp
  - Filesize: 5.7MB
- memory/1392-139-0x0000000074F10000-0x00000000754C1000-memory.dmp
  - Filesize: 5.7MB
- memory/4048-138-0x0000000000000000-mapping.dmp
- memory/4760-132-0x0000000074F10000-0x00000000754C1000-memory.dmp
  - Filesize: 5.7MB
- memory/4760-136-0x0000000074F10000-0x00000000754C1000-memory.dmp
  - Filesize: 5.7MB