Analysis
- max time kernel: 35s
- max time network: 103s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2022 09:07
Static task: static1
Behavioral task: behavioral1
  Sample: 0758802cb74e0411ae04d92413b2ef480be06d6c11992f9cad30f8285b1de360.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 0758802cb74e0411ae04d92413b2ef480be06d6c11992f9cad30f8285b1de360.exe
  Resource: win10v2004-20220812-en
General
- Target: 0758802cb74e0411ae04d92413b2ef480be06d6c11992f9cad30f8285b1de360.exe
- Size: 752KB
- MD5: 9e6499f5082ed6f9111385c46b1d9ba4
- SHA1: 8f8c4979a3da04c7747554677936c219653f139f
- SHA256: 0758802cb74e0411ae04d92413b2ef480be06d6c11992f9cad30f8285b1de360
- SHA512: d4a3e875262b4edc5ae7d5bc038d2bb720f37aaa209144a0f5f1088f068bd51050e18ad4acda1daa2a903109d2308bd395b9bc8db40c292351d23f5f3afa71dc
- SSDEEP: 12288:zOGZcZxHMr1OaQzfa9dXJvKaoPRvYrySWx8Zwfi53QH/Wuo+0GMqM7Ffb5:zOGZiE1OJr6XJvKnZvaWxC3Mzo+nNe
Malware Config
Extracted family: njrat
- version: 0.7d
- botnet (campaign id): HacKed
- c2: umang.chickenkiller.com:553
- mutex: 0353c9dc7f300a6eea7548de1eb123a5
- reg_key: 0353c9dc7f300a6eea7548de1eb123a5
- splitter: |'|'|
The C2 host is a dynamic-DNS name (chickenkiller.com) on a non-standard port, so the hostname and port pair is the indicator to block; the resolved address can change. The mutex and the Run-key value name share the same hex string, which is how njRAT builds keys out of its configured identifier.
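The splitter and campaign id above are what a network decoder needs to pull fields out of this sample's C2 traffic. The following is an added example, not code from the sandbox report or from njRAT itself: it frames and splits njRAT-style messages using the length-prefixed framing ("<decimal length>\0<payload>") and the leading "ll" command token that njRAT 0.7d uses. The victim-info fields and the second frame in the constructed sample stream are made up for the example and are not claimed to match the real layout.

```python
# Added example (not part of the sandbox report): framing and field parsing for
# njRAT-style C2 traffic, using the splitter and campaign id from the extracted
# configuration. The "<len>\0<payload>" framing and the leading "ll" token are
# njRAT 0.7d behaviour; the other field contents below are constructed.

SPLITTER = "|'|'|"   # from the extracted config
CAMPAIGN = "HacKed"  # from the extracted config


def split_frames(buf: bytes):
    """Cut a byte stream into complete frames.

    Returns (frames, leftover): `frames` holds the payload bytes of every
    complete "<len>\\0<payload>" frame, `leftover` whatever is still pending
    (an incomplete frame, or b"" when the stream ended on a boundary).
    """
    frames = []
    while True:
        nul = buf.find(b"\x00")
        if nul < 0:                      # length prefix not finished yet
            return frames, buf
        length_txt = buf[:nul]
        if not length_txt.isdigit():     # not an njRAT frame at all
            raise ValueError(f"bad length prefix {length_txt!r}")
        start = nul + 1
        end = start + int(length_txt)
        if len(buf) < end:               # payload not fully received
            return frames, buf
        frames.append(buf[start:end])
        buf = buf[end:]


def parse_fields(frame: bytes, splitter: str = SPLITTER) -> list:
    """Split one frame into its fields on the configured splitter."""
    return frame.decode("utf-8", errors="replace").split(splitter)


def build_frame(fields, splitter: str = SPLITTER) -> bytes:
    """Inverse of split_frames/parse_fields; used here only to construct sample traffic."""
    payload = splitter.join(fields).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def looks_like_beacon(fields, campaign: str = CAMPAIGN) -> bool:
    """First frame from an infected host: 'll' command, victim id '<campaign>_<id>'."""
    return len(fields) >= 2 and fields[0] == "ll" and fields[1].startswith(campaign + "_")


# Constructed sample stream: one beacon with made-up host fields, one short
# constructed frame, and one frame cut off mid-payload (as a TCP read may deliver it).
SAMPLE_STREAM = (
    build_frame(["ll", CAMPAIGN + "_AABBCCDD", "WIN-TEST", "Admin", "0.7d"])
    + build_frame(["inf"])
    + b"12\x00partial"
)

if __name__ == "__main__":
    frames, leftover = split_frames(SAMPLE_STREAM)
    for f in frames:
        fields = parse_fields(f)
        print("beacon" if looks_like_beacon(fields) else "other", fields)
    print("pending bytes:", leftover)
```

Feed `split_frames` the accumulated bytes of one TCP direction and keep `leftover` as the buffer for the next read; the length prefix is decimal ASCII, so anything non-numeric before the first NUL means the stream is not njRAT framing (or the splitter/campaign belong to a different build).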
Signatures
- Executes dropped EXE (2 IoCs)
  pid 1804  winlogon.exe
  pid 1388  winlogon.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  by 0758802cb74e0411ae04d92413b2ef480be06d6c11992f9cad30f8285b1de360.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  by winlogon.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe"  by winlogon.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe"  by winlogon.exe
  Both the value name and the file name imitate the legitimate Windows winlogon.exe, which lives in C:\Windows\System32 and is never started from a user profile directory; a Run entry pointing into AppData\Roaming is the detection point. The HKLM entry lands under WOW6432Node because a 32-bit process is writing on x64 Windows, and writing there needs administrative rights, which the sandbox user (Admin) has.
- Suspicious use of SetThreadContext (1 IoC)
  PID 1792 (winlogon.exe) set thread context of 1388 (winlogon.exe)
  Together with the eight WriteProcessMemory rows from 1792 into 1388 below and the 368KB image region dumped from pid 1388 at 0x400000, this is consistent with process hollowing (RunPE): the dropped copy starts a second instance of itself and replaces the child's image with the unpacked payload before resuming its main thread.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's description calls this likely ransomware behaviour, but that is a generic heuristic: no file encryption is recorded in this report and the extracted configuration identifies the sample as njRAT, so treat the drive enumeration on its own as a weak indicator.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid 4664  0758802cb74e0411ae04d92413b2ef480be06d6c11992f9cad30f8285b1de360.exe  (2 hits)
  pid 1792  winlogon.exe  (4 hits)
- Suspicious behavior: RenamesItself (1 IoC)
  pid 4664  0758802cb74e0411ae04d92413b2ef480be06d6c11992f9cad30f8285b1de360.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  pid 4664  0758802cb74e0411ae04d92413b2ef480be06d6c11992f9cad30f8285b1de360.exe
  Token: SeDebugPrivilege  pid 1792  winlogon.exe  (2 hits)
- Suspicious use of WriteProcessMemory (14 IoCs)
  PID 4664 (0758802cb74e0411ae04d92413b2ef480be06d6c11992f9cad30f8285b1de360.exe) wrote to memory of 1792 (winlogon.exe)  x3
  PID 1792 (winlogon.exe) wrote to memory of 1804 (winlogon.exe)  x3
  PID 1792 (winlogon.exe) wrote to memory of 1388 (winlogon.exe)  x8
  The three writes into 1792 and into 1804 accompany ordinary process creation; the eight writes into 1388 together with the SetThreadContext call on the same child are the hollowing footprint. Process chain: 4664 (original sample) spawns 1792 (self-copy as winlogon.exe), which spawns 1804 and 1388.
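The Run-key, masquerading and SetThreadContext rows above are the points a detection engineer would key on. The following is an added example, not report output and not code from any named product: it implements those three checks over constructed Sysmon-like records that mirror the report's rows, plus one benign System32 winlogon.exe that must not fire. The record schema (dicts with a `type` field) is the example's own assumption; map the field names to whatever your telemetry uses.

```python
# Added example (not report output): detection logic for the three behaviours
# the report attributes to the dropped winlogon.exe, run over constructed
# Sysmon-like records. The record schema is this example's own assumption.
import ntpath
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)
RUN_KEYS = (
    "\\software\\microsoft\\windows\\currentversion\\run\\",
    "\\software\\wow6432node\\microsoft\\windows\\currentversion\\run\\",
)
# names an attacker borrows because they look normal in a process list
SYSTEM_BINARIES = {"winlogon.exe", "svchost.exe", "csrss.exe", "lsass.exe", "services.exe"}


def check_run_key(rec):
    """Run-key value whose target lives in a user-writable directory."""
    key = rec["key"].lower()
    if not any(k in key for k in RUN_KEYS):
        return None
    target = rec["value"].strip('"')
    if USER_WRITABLE.match(target):
        return f"run-key persistence into user-writable path: {rec['key']} -> {target}"
    return None


def check_masquerade(rec):
    """System-binary file name started from outside the Windows directories."""
    image = rec["image"].lower()
    if ntpath.basename(image) in SYSTEM_BINARIES and not image.startswith(SYSTEM_DIRS):
        return f"system binary name outside System32: {rec['image']} (pid {rec['pid']})"
    return None


def check_hollowing(records):
    """Parent writes into a child of the same image and then sets its thread
    context: the RunPE pattern seen between pids 1792 and 1388 in the report."""
    procs = {r["pid"]: r for r in records if r["type"] == "proc_create"}
    writes = {(r["pid"], r["target_pid"]) for r in records if r["type"] == "write_memory"}
    hits = []
    for r in records:
        if r["type"] != "set_thread_context":
            continue
        src, dst = procs.get(r["pid"]), procs.get(r["target_pid"])
        if src is None or dst is None:
            continue
        same_image = src["image"].lower() == dst["image"].lower()
        if same_image and dst["ppid"] == r["pid"] and (r["pid"], r["target_pid"]) in writes:
            hits.append(f"possible process hollowing: pid {r['pid']} -> child {r['target_pid']} ({dst['image']})")
    return hits


def run_detections(records):
    """Apply all three checks and return the list of findings."""
    findings = []
    for r in records:
        if r["type"] == "reg_set":
            hit = check_run_key(r)
        elif r["type"] == "proc_create":
            hit = check_masquerade(r)
        else:
            hit = None
        if hit:
            findings.append(hit)
    findings.extend(check_hollowing(records))
    return findings


# Constructed records mirroring the report's rows, plus one benign winlogon.exe
# from System32 (pid 5000) that must not fire.
DROPPED = r"C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
SAMPLE_RECORDS = [
    {"type": "proc_create", "pid": 1792, "ppid": 4664, "image": DROPPED},
    {"type": "proc_create", "pid": 1388, "ppid": 1792, "image": DROPPED},
    {"type": "proc_create", "pid": 5000, "ppid": 700, "image": r"C:\Windows\System32\winlogon.exe"},
    {"type": "reg_set", "pid": 1792,
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winlogon", "value": DROPPED},
    {"type": "reg_set", "pid": 1792,
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon", "value": DROPPED},
    {"type": "write_memory", "pid": 1792, "target_pid": 1388},
    {"type": "set_thread_context", "pid": 1792, "target_pid": 1388},
]

if __name__ == "__main__":
    for line in run_detections(SAMPLE_RECORDS):
        print(line)
```

The masquerade check is deliberately path-based rather than hash-based: the dropped file hashes identically to the submitted sample, so a hash rule catches only this build, while "winlogon.exe outside System32/SysWOW64" catches the technique.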
Processes
"C:\Users\Admin\AppData\Local\Temp\0758802cb74e0411ae04d92413b2ef480be06d6c11992f9cad30f8285b1de360.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
      - Executes dropped EXE
    "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
      - Executes dropped EXE
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 576KB
  MD5: a76bfb6731003a7f90b561e2cd97b43e
  SHA1: bcc492d2177e8812303db2a568cead47085dc5a9
  SHA256: 81561c324d7cdc1f70198aad7d043cf331eb23819bfbce33cff3b40ada2a996c
  SHA512: af31923de5048850627fc8fe678c05668fc1bc5ec6cd9a5b45bc1ed67e5fc785f14dcf1569383f105796789fbf6c69040b3d263c069fdd7b7add2bb3a3b4ded1
  A distinct binary with its own hashes, run at the deepest level of the process tree; this report records no signatures for it.
- C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (listed twice in the report with identical hashes)
  Filesize: 752KB
  MD5: 9e6499f5082ed6f9111385c46b1d9ba4
  SHA1: 8f8c4979a3da04c7747554677936c219653f139f
  SHA256: 0758802cb74e0411ae04d92413b2ef480be06d6c11992f9cad30f8285b1de360
  SHA512: d4a3e875262b4edc5ae7d5bc038d2bb720f37aaa209144a0f5f1088f068bd51050e18ad4acda1daa2a903109d2308bd395b9bc8db40c292351d23f5f3afa71dc
  Hashes match the submitted sample exactly: the dropper copies itself unchanged into AppData\Roaming and runs the copy, so the "dropped" file is the same artifact under a masquerading name.
- memory/1388-137-0x0000000000000000-mapping.dmp
- memory/1388-138-0x0000000000400000-0x000000000045C000-memory.dmp  (368KB)
- memory/1388-139-0x0000000000400000-0x000000000045C000-memory.dmp  (368KB)
- memory/1388-140-0x0000000000400000-0x000000000045C000-memory.dmp  (368KB)
- memory/1388-143-0x0000000074B90000-0x0000000075141000-memory.dmp  (5.7MB)
- memory/1388-145-0x0000000074B90000-0x0000000075141000-memory.dmp  (5.7MB)
- memory/1792-133-0x0000000000000000-mapping.dmp
- memory/1792-135-0x0000000074B90000-0x0000000075141000-memory.dmp  (5.7MB)
- memory/1792-144-0x0000000074B90000-0x0000000075141000-memory.dmp  (5.7MB)
- memory/4164-146-0x0000000000000000-mapping.dmp
- memory/4664-132-0x0000000074B90000-0x0000000075141000-memory.dmp  (5.7MB)
- memory/4664-134-0x0000000074B90000-0x0000000075141000-memory.dmp  (5.7MB)
  The 368KB region at 0x400000 in pid 1388 is the image range of the hollowed winlogon.exe child and is the dump to unpack first. The 5.7MB range at 0x74B90000 appears at the same address and size in pids 4664, 1792 and 1388, so it is a shared module mapped into all three rather than the sample's own image. Pid 4164 has only a mapping record and is not named in the process tree above.