Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-11-2022 19:39
Static task: static1
Behavioral task: behavioral1
Sample: 769cc15b10655af128f470fafa6fcd9b674866471d961077364ebf0a879ffa0d.exe
Resource: win7-20221111-en
General
- Target: 769cc15b10655af128f470fafa6fcd9b674866471d961077364ebf0a879ffa0d.exe
- Size: 40KB
- MD5: 76549b8baa923d9d124fce400c715f80
- SHA1: 58b2c7bb1fb4c0c931cca5c28b13bf7c604be0db
- SHA256: 769cc15b10655af128f470fafa6fcd9b674866471d961077364ebf0a879ffa0d
- SHA512: 65b34b982745c291a3749250d1aaf43a1e72856166f09085f9e540f6ab3d63f4da692bab44f1d92257f47adbcf8517c2232d3a89a7f2addbbffdc7c73c22ceb0
- SSDEEP: 768:zu72rHLuCsVwWmd3pgEwJ+i/cEwZeHh29l:6sH5sVwWmdZHG+iEEwgH09l
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: hacker
- C2: xxx99.zapto.org:88
- Mutex: 6f39b86be99d1b95bd864356980f5434
- reg_key: 6f39b86be99d1b95bd864356980f5434
- splitter: |'|'|
Signatures
-
Executes dropped EXE (2 IoCs)
Processes: LG9NFELtAA4fSs0OcUn3.exe, svchost.exe
  pid   process
  4444  LG9NFELtAA4fSs0OcUn3.exe
  952   svchost.exe
-
Modifies Windows Firewall (1 TTPs, 1 IoCs)
-
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 769cc15b10655af128f470fafa6fcd9b674866471d961077364ebf0a879ffa0d.exe, LG9NFELtAA4fSs0OcUn3.exe
  description        ioc                                                                                                   process
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  769cc15b10655af128f470fafa6fcd9b674866471d961077364ebf0a879ffa0d.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  LG9NFELtAA4fSs0OcUn3.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken (33 IoCs)
Processes: svchost.exe
  description                        pid  process
  Token: SeDebugPrivilege            952  svchost.exe
  Token: 33                          952  svchost.exe  (16 entries)
  Token: SeIncBasePriorityPrivilege  952  svchost.exe  (16 entries)
The 33 entries were logged as SeDebugPrivilege once, followed by 16 alternating pairs of Token 33 and SeIncBasePriorityPrivilege, all from pid 952.
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 769cc15b10655af128f470fafa6fcd9b674866471d961077364ebf0a879ffa0d.exe, LG9NFELtAA4fSs0OcUn3.exe, svchost.exe
  description                       pid   process                                                                process
  PID 1296 wrote to memory of 4444  1296  769cc15b10655af128f470fafa6fcd9b674866471d961077364ebf0a879ffa0d.exe  LG9NFELtAA4fSs0OcUn3.exe  (3 entries)
  PID 4444 wrote to memory of 952   4444  LG9NFELtAA4fSs0OcUn3.exe                                               svchost.exe               (3 entries)
  PID 952 wrote to memory of 5108   952   svchost.exe                                                            netsh.exe                 (3 entries)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\769cc15b10655af128f470fafa6fcd9b674866471d961077364ebf0a879ffa0d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\769cc15b10655af128f470fafa6fcd9b674866471d961077364ebf0a879ffa0d.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   -
   2. C:\Users\Admin\AppData\Roaming\LG9NFELtAA4fSs0OcUn3.exe
      Command line: "C:\Users\Admin\AppData\Roaming\LG9NFELtAA4fSs0OcUn3.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      -
      3. C:\Users\Admin\AppData\Roaming\svchost.exe
         Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         -
         4. C:\Windows\SysWOW64\netsh.exe
            Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
            - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\LG9NFELtAA4fSs0OcUn3.exe
Filesize: 22KB
MD5: 425ba8dbb73b62d374597c2d21711632
SHA1: 21b7491b1ff64abf6dcdfdcefa7edf31227cf8cb
SHA256: 93c1d2719c2c77db65b49ccd71c23cfea916bc214b83e2b5178596b22dd5f805
SHA512: 5594554ade5c690626b7331d256891920833f1bedfc8a68e97a4c4bc5fae268213d93054aa35e847da7e71a5c4b15ce1259407c2e418967247fd8d39f9c04742
-
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize: 22KB
MD5: 425ba8dbb73b62d374597c2d21711632
SHA1: 21b7491b1ff64abf6dcdfdcefa7edf31227cf8cb
SHA256: 93c1d2719c2c77db65b49ccd71c23cfea916bc214b83e2b5178596b22dd5f805
SHA512: 5594554ade5c690626b7331d256891920833f1bedfc8a68e97a4c4bc5fae268213d93054aa35e847da7e71a5c4b15ce1259407c2e418967247fd8d39f9c04742
-
memory/952-138-0x0000000000000000-mapping.dmp
-
memory/952-142-0x0000000075310000-0x00000000758C1000-memory.dmp
Filesize: 5.7MB
-
memory/952-144-0x0000000075310000-0x00000000758C1000-memory.dmp
Filesize: 5.7MB
-
memory/1296-132-0x0000000075310000-0x00000000758C1000-memory.dmp
Filesize: 5.7MB
-
memory/1296-136-0x0000000075310000-0x00000000758C1000-memory.dmp
Filesize: 5.7MB
-
memory/4444-137-0x0000000075310000-0x00000000758C1000-memory.dmp
Filesize: 5.7MB
-
memory/4444-133-0x0000000000000000-mapping.dmp
-
memory/4444-141-0x0000000075310000-0x00000000758C1000-memory.dmp
Filesize: 5.7MB
-
memory/5108-143-0x0000000000000000-mapping.dmp