Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/11/2022, 17:54
Behavioral task: behavioral1
Sample: c6d0e07fcebfbea85ffc77c796f87d47048d24e39d0c81e5b881cffcb2aba29e.exe
Resource: win7-20220812-en
General
Target: c6d0e07fcebfbea85ffc77c796f87d47048d24e39d0c81e5b881cffcb2aba29e.exe
Size: 37KB
MD5: 2817c011989e9651e3b2bc75e2bb0190
SHA1: 254230a43c2f92381595a6bb03fe75234efe191e
SHA256: c6d0e07fcebfbea85ffc77c796f87d47048d24e39d0c81e5b881cffcb2aba29e
SHA512: bbc58966bd9c076e1c992b44fa6024a79b3378594a6c548dcf8c17f5fb4c2304ffa0c07addc7e42711fc829f254fd192954807280ea42c4b4ce6880a0f05d309
SSDEEP: 384:fOveoixJhl7OHg1WykrppPl48uiX60rAF+rMRTyN/0L+EcoinblneHQM3epzXlNi:2v+R1NkrppqFidrM+rMRa8Nuzwt
Malware Config
Extracted
Family: njrat
Version: im523
Botnet / campaign ID: HacKed
C2: 5.tcp.eu.ngrok.io:17656
Mutex: 5c1305f84d4de84c49a562943d8b6467
Attributes:
  reg_key: 5c1305f84d4de84c49a562943d8b6467 (njRAT uses the same string as its mutex name and as the value name of its Run-key persistence entry)
  splitter: |'|'|
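The splitter and C2 above are what the implant uses to frame its traffic, and they are the pieces a network detection needs. Note that 5.tcp.eu.ngrok.io is an ngrok TCP-tunnel endpoint: the operator's real host sits behind ngrok's relay, so the hostname and port are the durable indicator while the resolved IP is shared ngrok infrastructure. As an added example (not code from this page or from the njRAT family itself), the following Python parses njRAT-style frames out of a reassembled client-to-C2 stream and picks out registration beacons for this campaign. It assumes njRAT's length-prefixed framing (`<decimal length>\0<payload>`, fields joined by the splitter) and the `ll` registration command; the sample bytes are constructed, and the field order after the victim ID is illustrative.

```python
import re

# Values copied from the configuration extracted on this page.
SPLITTER = "|'|'|"
C2_HOST, C2_PORT = "5.tcp.eu.ngrok.io", 17656
CAMPAIGN_ID = "HacKed"

# njRAT frames every message as "<decimal length>\x00<payload>", where the
# payload is a list of string fields joined with the configured splitter.
_LEN_PREFIX = re.compile(rb"^(\d{1,10})\x00")


def split_frames(buf: bytes):
    """Cut complete frames out of a reassembled TCP stream buffer.

    Returns (payloads, remainder). A trailing partial frame is left in the
    remainder so the caller can append the next segment and call again.
    """
    payloads = []
    while True:
        m = _LEN_PREFIX.match(buf)
        if not m:
            break
        length, start = int(m.group(1)), m.end()
        if len(buf) - start < length:
            break  # incomplete frame, wait for more data
        payloads.append(buf[start:start + length])
        buf = buf[start + length:]
    return payloads, buf


def parse_fields(payload: bytes):
    """Split one payload into its fields using this sample's splitter."""
    return payload.decode("utf-8", "replace").split(SPLITTER)


def beacon_victim_id(fields):
    """Return the victim id if the fields form an njRAT 'll' registration
    beacon for this campaign, else None. njRAT builds the id as
    '<campaign>_<hardware id>', so the campaign name is the first token."""
    if len(fields) < 2 or fields[0] != "ll":
        return None
    victim_id = fields[1]
    return victim_id if victim_id.split("_", 1)[0] == CAMPAIGN_ID else None


def scan_stream(buf: bytes):
    """Scan a client->C2 byte stream; return (victim ids seen, unparsed tail)."""
    payloads, rest = split_frames(buf)
    ids = [beacon_victim_id(parse_fields(p)) for p in payloads]
    return [i for i in ids if i is not None], rest


def build_frame(fields):
    """Encode fields the way the implant does (used here only to construct
    sample traffic)."""
    body = SPLITTER.join(fields).encode()
    return str(len(body)).encode() + b"\x00" + body


# Constructed sample traffic, not a capture from this analysis. The first
# frame mimics a registration beacon (field order after the victim id is
# illustrative); the second is a short single-field command frame.
SAMPLE_STREAM = (
    build_frame(["ll", "HacKed_7C3A1F2B", "DESKTOP-1", "Admin", "22-11-04",
                 "", "Win10", "No", "im523", ".."])
    + build_frame(["P"])
)

if __name__ == "__main__":
    ids, tail = scan_stream(SAMPLE_STREAM)
    print("victim ids:", ids, "unparsed bytes:", len(tail))
```

Because the length prefix is plain ASCII and the splitter is a fixed string, the same logic ports directly to a Suricata or Zeek rule; the Python version is useful for validating a PCAP from the sandbox before committing to a signature.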
Signatures
Executes dropped EXE (1 IoC)
  pid 2652  server.exe
Modifies Windows Firewall (1 TTP, 1 IoC)
  pid 480  netsh.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence. Caveat: on .NET samples such as njRAT this value is also read by the runtime's culture/region initialisation, so on its own it is weak evidence of geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (process: c6d0e07fcebfbea85ffc77c796f87d47048d24e39d0c81e5b881cffcb2aba29e.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic text calls this likely ransomware behaviour; for a RAT the more likely cause is njRAT's removable-drive spreading routine, which enumerates drives looking for USB media.
Suspicious use of AdjustPrivilegeToken (35 IoCs)
  All by server.exe (pid 2652): SeDebugPrivilege enabled once, followed by 17 repetitions of the pair Token 33 / SeIncBasePriorityPrivilege. Token 33 is a raw privilege LUID; 33 is SeIncreaseWorkingSetPrivilege.
Suspicious use of WriteProcessMemory (6 IoCs)
  pid 4420 (c6d0e07fcebfbea85ffc77c796f87d47048d24e39d0c81e5b881cffcb2aba29e.exe) wrote to memory of pid 2652, procid_target 80 (3 times)
  pid 2652 (server.exe) wrote to memory of pid 480, procid_target 81 (3 times)
  Both sets of writes coincide with the parent creating the child shown in the process tree, so by themselves they are not evidence of code injection.
Processes
C:\Users\Admin\AppData\Local\Temp\c6d0e07fcebfbea85ffc77c796f87d47048d24e39d0c81e5b881cffcb2aba29e.exe (PID 4420, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\c6d0e07fcebfbea85ffc77c796f87d47048d24e39d0c81e5b881cffcb2aba29e.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\server.exe (PID 2652, depth 2, child of 4420)
    command line: "C:\Users\Admin\AppData\Roaming\server.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\netsh.exe (PID 480, depth 3, child of 2652)
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
      - Modifies Windows Firewall
      The SysWOW64 path shows the 32-bit netsh was resolved through file-system redirection, i.e. server.exe runs as a 32-bit process.
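The netsh line in the tree above (the same event flagged as Modifies Windows Firewall under Signatures) is the cleanest detection opportunity in this run: a binary dropped into %AppData% spawns netsh to add itself to the firewall allow-list. As an added example, not code from this page or the sandbox, the following Python runs that detection logic over constructed process-creation records shaped like the tree above. The record fields, the parent PID of the first process, and the benign SQL Server rule included for contrast are all assumptions; it also handles the newer `advfirewall firewall add rule ... program=` syntax, which this sample does not use.

```python
import re
from dataclasses import dataclass

# User-writable locations seen in this process tree (Temp and Roaming).
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\(Roaming|Local\\Temp)\\", re.IGNORECASE)

# Legacy syntax used by this sample, and the advfirewall syntax that replaced it.
_LEGACY = re.compile(
    r'firewall\s+add\s+allowedprogram\s+(?:program=)?(?:"([^"]+)"|(\S+))', re.I)
_ADVFW = re.compile(
    r'advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=(?:"([^"]+)"|(\S+))', re.I)


@dataclass
class ProcEvent:
    """Minimal process-creation record (assumed field set, e.g. from Sysmon EID 1)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def firewall_allow_target(cmdline: str):
    """Return the program path a netsh command line whitelists, or None."""
    for rx in (_LEGACY, _ADVFW):
        m = rx.search(cmdline)
        if m:
            return m.group(1) or m.group(2)
    return None


def find_firewall_exclusions(events):
    """Flag netsh firewall exclusions that a legitimate installer would not make.

    Returns a list of (netsh pid, whitelisted path, reasons)."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if not e.image.lower().endswith("\\netsh.exe"):
            continue
        target = firewall_allow_target(e.cmdline)
        if target is None:
            continue
        reasons = []
        if USER_WRITABLE.search(target):
            reasons.append("whitelisted program is in a user-writable directory")
        parent = by_pid.get(e.ppid)
        if parent is not None and parent.image.lower() == target.lower():
            reasons.append("parent process is whitelisting its own executable")
        if reasons:
            alerts.append((e.pid, target, reasons))
    return alerts


# Constructed process-creation records mirroring the tree on this page, plus
# one benign advfirewall rule for contrast. Not an export from the sandbox.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\c6d0e07fcebfbea85ffc77c796f87d47048d24e39d0c81e5b881cffcb2aba29e.exe"
SERVER = r"C:\Users\Admin\AppData\Roaming\server.exe"
SAMPLE_EVENTS = [
    ProcEvent(4420, 1000, DROPPER, f'"{DROPPER}"'),
    ProcEvent(2652, 4420, SERVER, f'"{SERVER}"'),
    ProcEvent(480, 2652, r"C:\Windows\SysWOW64\netsh.exe",
              f'netsh firewall add allowedprogram "{SERVER}" "server.exe" ENABLE'),
    ProcEvent(900, 700, r"C:\Windows\System32\netsh.exe",
              'netsh advfirewall firewall add rule name="SQL" dir=in action=allow '
              'program="C:\\Program Files\\Microsoft SQL Server\\sqlservr.exe"'),
]

if __name__ == "__main__":
    for pid, path, why in find_firewall_exclusions(SAMPLE_EVENTS):
        print(f"netsh pid {pid} whitelisted {path}: {'; '.join(why)}")
```

The two reasons are deliberately independent: the user-writable check catches a dropper that whitelists a sibling file, and the self-whitelisting check catches a payload placed somewhere less obvious than %AppData%.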
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 37KB
MD5: 2817c011989e9651e3b2bc75e2bb0190
SHA1: 254230a43c2f92381595a6bb03fe75234efe191e
SHA256: c6d0e07fcebfbea85ffc77c796f87d47048d24e39d0c81e5b881cffcb2aba29e
SHA512: bbc58966bd9c076e1c992b44fa6024a79b3378594a6c548dcf8c17f5fb4c2304ffa0c07addc7e42711fc829f254fd192954807280ea42c4b4ce6880a0f05d309