Overview

overview

8

Static

static

57857afb9f...9e.exe

windows7-x64

8

57857afb9f...9e.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    122s
  • max time network
    184s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-10-2022 08:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    57857afb9f6e93b2aa6906f04ef44561d47c0d523512d7a92dfdfcac601c059e.exe

  • Size

    262KB

  • MD5

    808e73257a72ac25cc88f950a8551540

  • SHA1

    7f1d9fb6a444d3faddd8a45480be8e8e9c3a8c67

  • SHA256

    57857afb9f6e93b2aa6906f04ef44561d47c0d523512d7a92dfdfcac601c059e

  • SHA512

    bb37216d75c87ab3ff7283af270a7d5558e0976a15680438a082d91805cd8ee7342002b8f98b440144821b677990ff461bf6bb8f69cd8ae385a9238c5795e86b

  • SSDEEP

    6144:b1dlZro5yD9YWSHyx5TKdcGhvJOzDTlO6JfLL:b1dlZo5yRsKocKJOzX3

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\57857afb9f6e93b2aa6906f04ef44561d47c0d523512d7a92dfdfcac601c059e.exe
    "C:\Users\Admin\AppData\Local\Temp\57857afb9f6e93b2aa6906f04ef44561d47c0d523512d7a92dfdfcac601c059e.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5016
    • C:\Extracted\NjRat 0.5.0.exe
      "C:\Extracted\NjRat 0.5.0.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4192
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        dw20.exe -x -s 864
        3⤵
        • Drops file in Windows directory
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        PID:1288

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Extracted\NjRat 0.5.0.exe
    Filesize

    216KB

    MD5

    630ccd444d5919d31cc7d7b921afabfa

    SHA1

    65d6526efb83c45eb6199d1e1bc8b03fa3afe4be

    SHA256

    6739b9e9848b155593fd71e6dfa0858aaf80b8be9e856f856c3bcca44e98bfec

    SHA512

    fe585222ed861680601be3276524e936a2a5a3010400a4d0073f85a0cb2350b3269a8a9455c11b63b8cba31abcea205ffc81aff1f8c058e6a2378b6e725e6d28

    Download Submit

  • C:\Extracted\NjRat 0.5.0.exe
    Filesize

    216KB

    MD5

    630ccd444d5919d31cc7d7b921afabfa

    SHA1

    65d6526efb83c45eb6199d1e1bc8b03fa3afe4be

    SHA256

    6739b9e9848b155593fd71e6dfa0858aaf80b8be9e856f856c3bcca44e98bfec

    SHA512

    fe585222ed861680601be3276524e936a2a5a3010400a4d0073f85a0cb2350b3269a8a9455c11b63b8cba31abcea205ffc81aff1f8c058e6a2378b6e725e6d28

    Download Submit

  • memory/4192-136-0x0000000074010000-0x00000000745C1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4192-137-0x0000000074010000-0x00000000745C1000-memory.dmp

    Filesize

    5.7MB

    Download