Analysis
max time kernel: 164s
max time network: 168s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-11-2022 23:16
Behavioral task: behavioral1
Sample: 4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9.exe
Resource: win10v2004-20220812-en
General
Target: 4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9.exe
Size: 29KB
MD5: cc1527601b9652935e9056cb92446af4
SHA1: aae8b36b18e40a006ce13e64b02c85e46e22f458
SHA256: 4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9
SHA512: 77d34263df5ef22f99c176020d5163b19b1392c6833da14d864e9762a6b9e4d11e3613a2a161937871150c80df0dd43d9edea1cee1e621c0d45a2047839172a5
SSDEEP: 768:4Qv/27NYsDkfZPoIqlHepBKh0p29SgRcr:tm7N143wEKhG29jcr
Malware Config
Extracted
Family: njrat
Version: 0.6.4
system
C2: saadk.no-ip.biz:1177
12ce4e06a81e8d54fd01d9b762f1b1bb
reg_key: 12ce4e06a81e8d54fd01d9b762f1b1bb
splitter: |'|'|
Signatures
Executes dropped EXE (1 IoC)
Processes: system.exe (PID 4268)
Modifies Windows Firewall (1 TTP, 1 IoC)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9.exe
Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: system.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\12ce4e06a81e8d54fd01d9b762f1b1bb = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\system.exe\" .." (system.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12ce4e06a81e8d54fd01d9b762f1b1bb = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\system.exe\" .." (system.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (48 IoCs)
Processes: system.exe (PID 4268), 48 events
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: system.exe (PID 4268), Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9.exe, system.exe
PID 4348 (4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9.exe) wrote to memory of PID 4268 (system.exe), 3 events
PID 4268 (system.exe) wrote to memory of PID 2108 (netsh.exe), 3 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\system.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\system.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\system.exe" "system.exe" ENABLE
         - Modifies Windows Firewall
Downloads
C:\Users\Admin\AppData\Local\Temp\system.exe
Filesize: 29KB
MD5: cc1527601b9652935e9056cb92446af4
SHA1: aae8b36b18e40a006ce13e64b02c85e46e22f458
SHA256: 4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9
SHA512: 77d34263df5ef22f99c176020d5163b19b1392c6833da14d864e9762a6b9e4d11e3613a2a161937871150c80df0dd43d9edea1cee1e621c0d45a2047839172a5
memory/2108-136-0x0000000000000000-mapping.dmp
memory/4268-133-0x0000000000000000-mapping.dmp
memory/4268-138-0x00000000750D0000-0x0000000075681000-memory.dmp (Filesize: 5.7MB)
memory/4268-139-0x00000000750D0000-0x0000000075681000-memory.dmp (Filesize: 5.7MB)
memory/4348-132-0x00000000750D0000-0x0000000075681000-memory.dmp (Filesize: 5.7MB)
memory/4348-137-0x00000000750D0000-0x0000000075681000-memory.dmp (Filesize: 5.7MB)