Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-11-2022 23:15
Behavioral task: behavioral1
- Sample: ec11041c06713dab17cd1df70e30105ac07c23abf7f2db3a171aade56bc7f272.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: ec11041c06713dab17cd1df70e30105ac07c23abf7f2db3a171aade56bc7f272.exe
- Resource: win10v2004-20221111-en
General
- Target: ec11041c06713dab17cd1df70e30105ac07c23abf7f2db3a171aade56bc7f272.exe
- Size: 44KB
- MD5: 10d10d703487f66c184aebcc89ee1cdc
- SHA1: af4c294e54ed01d71e0ee1b33af9c1fee178ef73
- SHA256: ec11041c06713dab17cd1df70e30105ac07c23abf7f2db3a171aade56bc7f272
- SHA512: f6b9714db6bec47229fd326d7ebcfac855a33e3a5f82429d04d34719276e18cb6d447c66ac364ec6dcc017ca529b7c0f31d9d4514769e839e7419f62e9741df3
- SSDEEP: 768:Os4UAZQv/27NYsDkfZPoIqlHepBKh0p29SgRcrsnWeDmtUov:OrU7m7N143wEKhG29jcrGBmUM
Malware Config
Extracted
- Family: njrat
- Version: 0.6.4
- Botnet: system
- C2: saadk.no-ip.biz:1177
- Mutex: 12ce4e06a81e8d54fd01d9b762f1b1bb
- reg_key: 12ce4e06a81e8d54fd01d9b762f1b1bb
- splitter: |'|'|
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    316   Tempserver.exe
    4868  system.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (key value queried, by process):
    \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation  by ec11041c06713dab17cd1df70e30105ac07c23abf7f2db3a171aade56bc7f272.exe
    \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation  by Tempserver.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (set value (str), by system.exe):
    \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12ce4e06a81e8d54fd01d9b762f1b1bb = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\system.exe\" .."
    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\12ce4e06a81e8d54fd01d9b762f1b1bb = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\system.exe\" .."
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (45 IoCs)
  Processes (pid, process): 4868 system.exe (recorded 45 times)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process): Token: SeDebugPrivilege  4868 system.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (source pid/process wrote to memory of target pid/process; each relation recorded three times):
    4900 ec11041c06713dab17cd1df70e30105ac07c23abf7f2db3a171aade56bc7f272.exe -> 316 Tempserver.exe
    316 Tempserver.exe -> 4868 system.exe
    4868 system.exe -> 3124 netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ec11041c06713dab17cd1df70e30105ac07c23abf7f2db3a171aade56bc7f272.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ec11041c06713dab17cd1df70e30105ac07c23abf7f2db3a171aade56bc7f272.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Tempserver.exe
    Command line: "C:\Users\Admin\AppData\Local\Tempserver.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\system.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\system.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\system.exe" "system.exe" ENABLE
        - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\system.exe (listed twice in the original report)
  Filesize: 29KB
  MD5: cc1527601b9652935e9056cb92446af4
  SHA1: aae8b36b18e40a006ce13e64b02c85e46e22f458
  SHA256: 4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9
  SHA512: 77d34263df5ef22f99c176020d5163b19b1392c6833da14d864e9762a6b9e4d11e3613a2a161937871150c80df0dd43d9edea1cee1e621c0d45a2047839172a5
- C:\Users\Admin\AppData\Local\Tempserver.exe (listed twice in the original report)
  Filesize: 29KB
  Same file as system.exe above: identical MD5, SHA1, SHA256 and SHA512.
- memory/4900-132-0x0000000000C10000-0x0000000000C22000-memory.dmp  Filesize: 72KB
- memory/4900-133-0x00000000055E0000-0x000000000567C000-memory.dmp  Filesize: 624KB
- memory/4900-134-0x0000000005C30000-0x00000000061D4000-memory.dmp  Filesize: 5.6MB
- memory/4900-135-0x0000000005720000-0x00000000057B2000-memory.dmp  Filesize: 584KB
- memory/4900-136-0x00000000055D0000-0x00000000055DA000-memory.dmp  Filesize: 40KB
- memory/4900-137-0x00000000058B0000-0x0000000005906000-memory.dmp  Filesize: 344KB
- memory/316-138-0x0000000000000000-mapping.dmp
- memory/316-141-0x000000006F710000-0x000000006FCC1000-memory.dmp  Filesize: 5.7MB
- memory/4868-142-0x0000000000000000-mapping.dmp
- memory/316-145-0x000000006F710000-0x000000006FCC1000-memory.dmp  Filesize: 5.7MB
- memory/3124-146-0x0000000000000000-mapping.dmp
- memory/4868-147-0x000000006F710000-0x000000006FCC1000-memory.dmp  Filesize: 5.7MB
- memory/4868-148-0x000000006F710000-0x000000006FCC1000-memory.dmp  Filesize: 5.7MB