Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2022 09:41
Behavioral task
behavioral1
Sample
10d94afee8a4ac453729e0a0a347b10e34f37709294da450c5a14f86f77395c1.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
10d94afee8a4ac453729e0a0a347b10e34f37709294da450c5a14f86f77395c1.exe
Resource
win10v2004-20220901-en
General
-
Target
10d94afee8a4ac453729e0a0a347b10e34f37709294da450c5a14f86f77395c1.exe
-
Size
23KB
-
MD5
9f0ddcee6a0cf7c909f06279b674a8ac
-
SHA1
845cc9e425d60c2577512ae6bee03a1e66e5de41
-
SHA256
10d94afee8a4ac453729e0a0a347b10e34f37709294da450c5a14f86f77395c1
-
SHA512
07d560dc082ce24ce2b6c20500691b660b93f5868859427eba57ecd9a9652acccdee55115589baec7b6a755116f8fcdf467b2177b44a14af777a342bce0b9985
-
SSDEEP
384:CcqbCK0l4h7o9SVyDGvENuh46/gJkOmMSW38mRvR6JZlbw8hqIusZzZ4G:V30py6vhxaRpcnus
Malware Config
Extracted
njrat
0.7d
HacKed
fofa97.no-ip.biz:1164
288166edc4d26d8da429838f2d4d1098
-
reg_key
288166edc4d26d8da429838f2d4d1098
-
splitter
|'|'|
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
gfs.exepid process 2204 gfs.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
10d94afee8a4ac453729e0a0a347b10e34f37709294da450c5a14f86f77395c1.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation 10d94afee8a4ac453729e0a0a347b10e34f37709294da450c5a14f86f77395c1.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
gfs.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\288166edc4d26d8da429838f2d4d1098 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\gfs.exe\" .." gfs.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\288166edc4d26d8da429838f2d4d1098 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\gfs.exe\" .." gfs.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 33 IoCs
Processes:
gfs.exedescription pid process Token: SeDebugPrivilege 2204 gfs.exe Token: 33 2204 gfs.exe Token: SeIncBasePriorityPrivilege 2204 gfs.exe Token: 33 2204 gfs.exe Token: SeIncBasePriorityPrivilege 2204 gfs.exe Token: 33 2204 gfs.exe Token: SeIncBasePriorityPrivilege 2204 gfs.exe Token: 33 2204 gfs.exe Token: SeIncBasePriorityPrivilege 2204 gfs.exe Token: 33 2204 gfs.exe Token: SeIncBasePriorityPrivilege 2204 gfs.exe Token: 33 2204 gfs.exe Token: SeIncBasePriorityPrivilege 2204 gfs.exe Token: 33 2204 gfs.exe Token: SeIncBasePriorityPrivilege 2204 gfs.exe Token: 33 2204 gfs.exe Token: SeIncBasePriorityPrivilege 2204 gfs.exe Token: 33 2204 gfs.exe Token: SeIncBasePriorityPrivilege 2204 gfs.exe Token: 33 2204 gfs.exe Token: SeIncBasePriorityPrivilege 2204 gfs.exe Token: 33 2204 gfs.exe Token: SeIncBasePriorityPrivilege 2204 gfs.exe Token: 33 2204 gfs.exe Token: SeIncBasePriorityPrivilege 2204 gfs.exe Token: 33 2204 gfs.exe Token: SeIncBasePriorityPrivilege 2204 gfs.exe Token: 33 2204 gfs.exe Token: SeIncBasePriorityPrivilege 2204 gfs.exe Token: 33 2204 gfs.exe Token: SeIncBasePriorityPrivilege 2204 gfs.exe Token: 33 2204 gfs.exe Token: SeIncBasePriorityPrivilege 2204 gfs.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
10d94afee8a4ac453729e0a0a347b10e34f37709294da450c5a14f86f77395c1.exegfs.exedescription pid process target process PID 1336 wrote to memory of 2204 1336 10d94afee8a4ac453729e0a0a347b10e34f37709294da450c5a14f86f77395c1.exe gfs.exe PID 1336 wrote to memory of 2204 1336 10d94afee8a4ac453729e0a0a347b10e34f37709294da450c5a14f86f77395c1.exe gfs.exe PID 1336 wrote to memory of 2204 1336 10d94afee8a4ac453729e0a0a347b10e34f37709294da450c5a14f86f77395c1.exe gfs.exe PID 2204 wrote to memory of 60 2204 gfs.exe netsh.exe PID 2204 wrote to memory of 60 2204 gfs.exe netsh.exe PID 2204 wrote to memory of 60 2204 gfs.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\10d94afee8a4ac453729e0a0a347b10e34f37709294da450c5a14f86f77395c1.exe"C:\Users\Admin\AppData\Local\Temp\10d94afee8a4ac453729e0a0a347b10e34f37709294da450c5a14f86f77395c1.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Users\Admin\AppData\Local\Temp\gfs.exe"C:\Users\Admin\AppData\Local\Temp\gfs.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\gfs.exe" "gfs.exe" ENABLE3⤵
- Modifies Windows Firewall
PID:60
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23KB
MD59f0ddcee6a0cf7c909f06279b674a8ac
SHA1845cc9e425d60c2577512ae6bee03a1e66e5de41
SHA25610d94afee8a4ac453729e0a0a347b10e34f37709294da450c5a14f86f77395c1
SHA51207d560dc082ce24ce2b6c20500691b660b93f5868859427eba57ecd9a9652acccdee55115589baec7b6a755116f8fcdf467b2177b44a14af777a342bce0b9985
-
Filesize
23KB
MD59f0ddcee6a0cf7c909f06279b674a8ac
SHA1845cc9e425d60c2577512ae6bee03a1e66e5de41
SHA25610d94afee8a4ac453729e0a0a347b10e34f37709294da450c5a14f86f77395c1
SHA51207d560dc082ce24ce2b6c20500691b660b93f5868859427eba57ecd9a9652acccdee55115589baec7b6a755116f8fcdf467b2177b44a14af777a342bce0b9985