Analysis
-
max time kernel
192s -
max time network
206s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system -
submitted
23-11-2022 17:05
Static task
static1
Behavioral task
behavioral1
Sample
5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
Resource
win10v2004-20221111-en
General
-
Target
5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
-
Size
319KB
-
MD5
d974e8a7e94fae3bef8b9a663057ba05
-
SHA1
02457284d0a0a05fc84e59fe6f34f4ee5f324df8
-
SHA256
5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a
-
SHA512
a683482f2e585bb5f5e1e342c660f63b279317dfbd8ff23b306546eeb52c15e3659c85b94b2e5de80d8400cde6a1ca9f0d301b3e9cd608c6415d152a456ba9dd
-
SSDEEP
3072:XTn64mgLXEg36vdXheha1G+VedMdGW53aKzfBrKGdrsx7HD:Dn4gIR1XhYa11VedMdGYKGRsZ
Malware Config
Extracted
njrat
0.7d
ﻣ̲ﺳ̲ﺗ̲ﺷ̲ﺂ̲ږ ﺂ̲بـﻟ̲يےﺳ̲
aaddbbkk.hopto.org:1177
85d96ae9b74c6f98a30eae5caffd31d4
-
reg_key
85d96ae9b74c6f98a30eae5caffd31d4
-
splitter
|'|'|
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
  pid   process
  3048  xwtpw32.exe
  1188  xwtpw32.exe
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  process: 5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  process: xwtpw32.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\85d96ae9b74c6f98a30eae5caffd31d4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\xwtpw32.exe\" .."

  process: xwtpw32.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\85d96ae9b74c6f98a30eae5caffd31d4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\xwtpw32.exe\" .."
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
  PID 4176 set thread context of 768  process: 5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe  target process: 5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
  PID 3048 set thread context of 1188  process: xwtpw32.exe  target process: xwtpw32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
  pid   process
  4176  5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
  4176  5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
  4176  5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
  3048  xwtpw32.exe
  3048  xwtpw32.exe
  3048  xwtpw32.exe
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
Processes:
  Token: SeDebugPrivilege            pid 4176  process 5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
  Token: 33                          pid 4176  process 5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
  Token: SeIncBasePriorityPrivilege  pid 4176  process 5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
  Token: SeDebugPrivilege            pid 3048  process xwtpw32.exe
  Token: 33                          pid 3048  process xwtpw32.exe
  Token: SeIncBasePriorityPrivilege  pid 3048  process xwtpw32.exe
  Token: 33                          pid 3048  process xwtpw32.exe
  Token: SeIncBasePriorityPrivilege  pid 3048  process xwtpw32.exe
  Token: SeDebugPrivilege            pid 1188  process xwtpw32.exe
  Token: 33                          pid 1188  process xwtpw32.exe
  Token: SeIncBasePriorityPrivilege  pid 1188  process xwtpw32.exe
  Token: 33                          pid 1188  process xwtpw32.exe
  Token: SeIncBasePriorityPrivilege  pid 1188  process xwtpw32.exe
  Token: 33                          pid 1188  process xwtpw32.exe
  Token: SeIncBasePriorityPrivilege  pid 1188  process xwtpw32.exe
  Token: 33                          pid 1188  process xwtpw32.exe
  Token: SeIncBasePriorityPrivilege  pid 1188  process xwtpw32.exe
  Token: 33                          pid 1188  process xwtpw32.exe
  Token: SeIncBasePriorityPrivilege  pid 1188  process xwtpw32.exe
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
  PID 4176 wrote to memory of 768   process: 5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe  target process: 5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
  PID 4176 wrote to memory of 768   process: 5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe  target process: 5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
  PID 4176 wrote to memory of 768   process: 5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe  target process: 5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
  PID 4176 wrote to memory of 768   process: 5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe  target process: 5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
  PID 4176 wrote to memory of 768   process: 5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe  target process: 5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
  PID 768 wrote to memory of 3048   process: 5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe  target process: xwtpw32.exe
  PID 768 wrote to memory of 3048   process: 5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe  target process: xwtpw32.exe
  PID 768 wrote to memory of 3048   process: 5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe  target process: xwtpw32.exe
  PID 3048 wrote to memory of 1188  process: xwtpw32.exe  target process: xwtpw32.exe
  PID 3048 wrote to memory of 1188  process: xwtpw32.exe  target process: xwtpw32.exe
  PID 3048 wrote to memory of 1188  process: xwtpw32.exe  target process: xwtpw32.exe
  PID 3048 wrote to memory of 1188  process: xwtpw32.exe  target process: xwtpw32.exe
  PID 3048 wrote to memory of 1188  process: xwtpw32.exe  target process: xwtpw32.exe
  PID 1188 wrote to memory of 3584  process: xwtpw32.exe  target process: netsh.exe
  PID 1188 wrote to memory of 3584  process: xwtpw32.exe  target process: netsh.exe
  PID 1188 wrote to memory of 3584  process: xwtpw32.exe  target process: netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe (depth 2)
  Command line: C:\Users\Admin\AppData\Local\Temp\5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
-
    C:\Users\Admin\AppData\Local\Temp\xwtpw32.exe (depth 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\xwtpw32.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
-
      C:\Users\Admin\AppData\Local\Temp\xwtpw32.exe (depth 4)
      Command line: C:\Users\Admin\AppData\Local\Temp\xwtpw32.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
-
        C:\Windows\SysWOW64\netsh.exe (depth 5)
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\xwtpw32.exe" "xwtpw32.exe" ENABLE
        - Modifies Windows Firewall
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe.log
Filesize
418B
MD5
89c8a5340eb284f551067d44e27ae8dd
SHA1
d2431ae25a1ab67762a5125574f046f4c951d297
SHA256
73ca1f27b1c153e3405856ebe8b3c6cdd23424d2ab09c0fe1eb0e2075513057b
SHA512
b101ac2e008bd3cc6f97fedb97b8253fb07fed1c334629ecbebe0f4942ccc1070491cddc4daea521164543b6f97ba9b99d2be1c50cc5a013f04e697fea9dbdac
-
C:\Users\Admin\AppData\Local\Temp\xwtpw32.exe
Filesize
319KB
MD5
d974e8a7e94fae3bef8b9a663057ba05
SHA1
02457284d0a0a05fc84e59fe6f34f4ee5f324df8
SHA256
5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a
SHA512
a683482f2e585bb5f5e1e342c660f63b279317dfbd8ff23b306546eeb52c15e3659c85b94b2e5de80d8400cde6a1ca9f0d301b3e9cd608c6415d152a456ba9dd
-
memory/768-138-0x0000000000400000-0x000000000040C000-memory.dmp
Filesize
48KB
-
memory/768-137-0x0000000000000000-mapping.dmp
-
memory/1188-143-0x0000000000000000-mapping.dmp
-
memory/3048-139-0x0000000000000000-mapping.dmp
-
memory/3584-146-0x0000000000000000-mapping.dmp
-
memory/4176-132-0x0000000000E90000-0x0000000000EE6000-memory.dmp
Filesize
344KB
-
memory/4176-136-0x0000000007E10000-0x0000000007EAC000-memory.dmp
Filesize
624KB
-
memory/4176-135-0x0000000005920000-0x000000000592A000-memory.dmp
Filesize
40KB
-
memory/4176-134-0x0000000005880000-0x0000000005912000-memory.dmp
Filesize
584KB
-
memory/4176-133-0x0000000005F50000-0x00000000064F4000-memory.dmp
Filesize
5.6MB