Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-11-2022 02:21
Behavioral task behavioral1
Sample: 5124aaebf1ab6da085b27c6c2ba0cc51.exe
Resource: win7-20220812-en
Behavioral task behavioral2
Sample: 5124aaebf1ab6da085b27c6c2ba0cc51.exe
Resource: win10v2004-20220812-en
General
Target: 5124aaebf1ab6da085b27c6c2ba0cc51.exe
Size: 23KB
MD5: 5124aaebf1ab6da085b27c6c2ba0cc51
SHA1: fbc12d3abe1925183aca35b6576650fc8e70396f
SHA256: a7746acce6168760a25635c553af74bbd6887d2b5e0d7b6bd9b45c8cd1e5b900
SHA512: e741d212439d4f888dd63d619d0f1ae27dfa9784d6a1740bf70d9faef9ac403cc70f174685cce206ff8d8e371c4835912bdca5288744bc4ff74b00a3ad3f5924
SSDEEP: 384:p8aZYC9twBNdcvFaly2H0dbJo6HghcASEJqc/ZmRvR6JZlbw8hqIusZzZ35:xY+sNKqNHnSdRpcnuy
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: zzzzz
C2: daleriamz.ddns.net:222
Mutex: 44b2ba132312d6047acd9b3fee38fa26
reg_key: 44b2ba132312d6047acd9b3fee38fa26
splitter: |'|'|
Signatures
Executes dropped EXE (1 IoC)
Processes:
  pid 4684  server.exe
Modifies Windows Firewall (1 TTP, 1 IoC)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  5124aaebf1ab6da085b27c6c2ba0cc51.exe: Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
Drops startup file (2 IoCs)
Processes:
  server.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\44b2ba132312d6047acd9b3fee38fa26.exe
  server.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\44b2ba132312d6047acd9b3fee38fa26.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  server.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\44b2ba132312d6047acd9b3fee38fa26 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
  server.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\44b2ba132312d6047acd9b3fee38fa26 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (33 IoCs)
Processes (all from pid 4684, server.exe):
  Token: SeDebugPrivilege
  Token: 33 followed by Token: SeIncBasePriorityPrivilege, this pair repeated 16 times
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  PID 4140 (5124aaebf1ab6da085b27c6c2ba0cc51.exe) wrote to memory of 4684 (server.exe), recorded 3 times
  PID 4684 (server.exe) wrote to memory of 4008 (netsh.exe), recorded 3 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\5124aaebf1ab6da085b27c6c2ba0cc51.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5124aaebf1ab6da085b27c6c2ba0cc51.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\server.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
         - Modifies Windows Firewall
Downloads
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize: 23KB
MD5: 5124aaebf1ab6da085b27c6c2ba0cc51
SHA1: fbc12d3abe1925183aca35b6576650fc8e70396f
SHA256: a7746acce6168760a25635c553af74bbd6887d2b5e0d7b6bd9b45c8cd1e5b900
SHA512: e741d212439d4f888dd63d619d0f1ae27dfa9784d6a1740bf70d9faef9ac403cc70f174685cce206ff8d8e371c4835912bdca5288744bc4ff74b00a3ad3f5924
Memory dumps
memory/4008-138-0x0000000000000000-mapping.dmp
memory/4140-132-0x0000000074D20000-0x00000000752D1000-memory.dmp (Filesize: 5.7MB)
memory/4140-136-0x0000000074D20000-0x00000000752D1000-memory.dmp (Filesize: 5.7MB)
memory/4684-133-0x0000000000000000-mapping.dmp
memory/4684-137-0x0000000074D20000-0x00000000752D1000-memory.dmp (Filesize: 5.7MB)
memory/4684-139-0x0000000074D20000-0x00000000752D1000-memory.dmp (Filesize: 5.7MB)