Analysis

max time kernel: 150s
max time network: 184s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 20:44

Static task: static1

Behavioral task: behavioral1
  Sample: 34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: 34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e.exe
  Resource: win10v2004-20221111-en

The results on this page are from behavioral2 (platform windows10-2004_x64, resource win10v2004-20221111-en); the win7 run is not shown here.
General

Target: 34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e.exe
Size: 786KB
MD5: b3add9a1e502c753d95a2e9f48673395
SHA1: 5fe5aa9cb6a39d03d2fe7fed545fd5905aca3037
SHA256: 34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e
SHA512: c32518f3ebe3b1c9838f6c0011713a314e45f3b78bbf0c0244d4d157820db2c6fe66ba1b8951e89eae3d4f9bd5410c27734e3af0a001a293f7dd02514d09a685
SSDEEP: 24576:gsTrikod71pwGuB7DNnui1jbx051ebqo/rZo4AxwYx:gsTrikod71pwGuB7DNnuYBC0bqo/NoJT
Malware Config

Extracted
  Family: njrat
  Version: 0.7d
  Campaign ID: HacKed
  C2: mehdimoro.ddns.net:5555
  4aeed655f342a0295abb3112731f878a (label missing from the extracted page; in the njRAT config layout this position is normally the mutex, which is an assumption here)
  reg_key: 4aeed655f342a0295abb3112731f878a
  splitter: |'|'|

Notes for triage: "HacKed" is the stock njRAT campaign ID and is used as the prefix of the victim identifier the client sends to the C2; the splitter is the field delimiter of njRAT's C2 messages, so it is the most stable string to key a network signature on. The Run value name actually written in this run (aYQwA0zYJ87p8B, see Signatures) does not match reg_key, so do not hunt on the config's reg_key alone.
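The splitter, campaign ID and C2 socket above are what a network detection would key on. The Python below is an added example (not code from the sandbox, the sample or the njRAT project): it splits a TCP stream into njRAT-style frames, parses the registration message and flags frames whose victim identifier carries this sample's campaign ID. The framing (decimal length, NUL byte, payload) and the field order of the "ll" registration message are taken from public write-ups of njRAT 0.7d and are assumptions here, and the beacon bytes are constructed for the example rather than captured in this run.

```python
"""
Parse njRAT-style C2 frames and flag registration beacons that carry this
sample's campaign ID. Added example: not code from the sample or the sandbox.

Assumptions: the "<decimal length>\x00<payload>" framing and the field order
of the "ll" registration message follow public write-ups of njRAT 0.7d; the
SAMPLE_STREAM below is constructed for the example, not captured in this run.
"""
import base64

SPLITTER = b"|'|'|"                       # "splitter" from the extracted config
CAMPAIGN_ID = "HacKed"                    # campaign ID from the extracted config
C2_HOST, C2_PORT = "mehdimoro.ddns.net", 5555

# Field positions in the "ll" registration message (assumed order).
LL_FIELDS = ("cmd", "victim_id_b64", "hostname", "username", "install_date",
             "unused", "os", "has_camera", "version", "separator", "active_window")


def build_frame(fields):
    """Frame a list of byte fields the way the client does: length, NUL, payload."""
    payload = SPLITTER.join(fields)
    return str(len(payload)).encode() + b"\x00" + payload


# Constructed beacon: one registration frame followed by one keep-alive ("P").
VICTIM_ID_B64 = base64.b64encode(b"HacKed_A1B2C3D4").decode()  # "<campaign>_<volume serial>"
SAMPLE_STREAM = build_frame([
    b"ll", VICTIM_ID_B64.encode(), b"DESKTOP-TEST", b"admin", b"22-11-23", b"",
    b"Win 10 Pro SP0 x64", b"No", b"0.7d", b"..", b"[Untitled - Notepad]", b"",
]) + build_frame([b"P"])


def split_frames(stream: bytes):
    """Split a stream into payloads using the length prefix; reject damaged input."""
    frames, pos = [], 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1 or not stream[pos:nul].isdigit():
            raise ValueError(f"bad length prefix at offset {pos}")
        start = nul + 1
        end = start + int(stream[pos:nul])
        if end > len(stream):
            raise ValueError(f"truncated frame at offset {pos}")
        frames.append(stream[start:end])
        pos = end
    return frames


def parse_registration(frame: bytes):
    """Return the fields of an "ll" registration frame, or None for any other frame."""
    fields = frame.split(SPLITTER)
    if fields[0] != b"ll" or len(fields) < len(LL_FIELDS):
        return None
    try:
        victim_id = base64.b64decode(fields[1], validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None  # victim field is not base64: not the layout we expect
    info = {name: fields[i].decode("utf-8", "replace") for i, name in enumerate(LL_FIELDS)}
    info["victim_id"] = victim_id
    info["campaign"] = victim_id.split("_", 1)[0]
    return info


def find_beacons(stream: bytes, host: str, port: int):
    """Registration frames whose victim ID carries the campaign ID, tagged with
    whether the peer is this sample's configured C2."""
    known_c2 = (host.lower(), port) == (C2_HOST, C2_PORT)
    hits = []
    for frame in split_frames(stream):
        reg = parse_registration(frame)
        if reg and reg["campaign"] == CAMPAIGN_ID:
            hits.append({**reg, "known_c2": known_c2})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_STREAM, C2_HOST, C2_PORT):
        print(f"njRAT {hit['version']} beacon from {hit['hostname']}\\{hit['username']} "
              f"victim_id={hit['victim_id']} known_c2={hit['known_c2']}")
```

Matching on the campaign prefix inside the decoded victim ID, rather than on the raw base64 string, keeps the rule independent of the per-host volume serial that follows the underscore; drop the campaign comparison in find_beacons for a family-level rule.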
Signatures

Executes dropped EXE (2 IoCs)
  pid 4772  svchost.exe
  pid 2904  svchost.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation  (34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aYQwA0zYJ87p8B = "C:\\Windows\\system32\\Server.exe"  (34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aYQwA0zYJ87p8B = "C:\\Windows\\system32\\Server.exe"  (svchost.exe)
  Note: the value points at C:\Windows\system32\Server.exe, while the file-create event below lands in C:\Windows\SysWOW64\Server.exe and the key sits under WOW6432Node. Both are WOW64 redirection: the sample runs as a 32-bit process on the x64 image (see the CLR_v4.0_32 usage log under Downloads), so its writes to System32 and to HKLM\SOFTWARE are redirected. Windows processes both Run keys at logon, so hunt under WOW6432Node as well as the native key, and confirm on the host which of the two Server.exe paths actually exists.

Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\SysWOW64\Server.exe  (34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e.exe)
  File opened for modification: C:\Windows\SysWOW64\Server.exe  (34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e.exe)

Suspicious use of SetThreadContext (2 IoCs)
  PID 2124 set thread context of 1232  (34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e.exe -> 34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e.exe)
  PID 4772 set thread context of 2904  (svchost.exe -> svchost.exe)
  Note: in both cases the parent spawns a second instance of its own image, writes into it (see WriteProcessMemory below) and then resets its thread context. That is the sequence process hollowing / self-injection produces; the two child processes (1232, 2904) are the ones running the unpacked payload.

Drops file in Windows directory (1 IoC)
  File created: C:\Windows\svchost.exe  (34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e.exe)
  Note: the dropped file has the same hashes as the submitted sample (see Downloads), so this is a copy of itself named after a system binary and placed outside System32. A file named svchost.exe under C:\Windows rather than C:\Windows\System32 or SysWOW64 is a direct hunting indicator.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description flags this as likely ransomware behaviour; for this sample the extracted config identifies njRAT, a remote access trojan, and no encryption activity is recorded in this run, so treat the heuristic as drive enumeration by a RAT rather than as ransomware.

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 2124  34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e.exe
  Token: SeDebugPrivilege  pid 4772  svchost.exe

Suspicious use of WriteProcessMemory (13 IoCs)
  PID 2124 wrote to memory of 1232  (34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e.exe -> 34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e.exe), 5 events
  PID 1232 wrote to memory of 4772  (34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e.exe -> svchost.exe), 3 events
  PID 4772 wrote to memory of 2904  (svchost.exe -> svchost.exe), 5 events
Processes

Depth numbers are the tree levels from the report; pids are taken from the signature rows above.

1. C:\Users\Admin\AppData\Local\Temp\34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e.exe  (pid 2124)
   Command line: "C:\Users\Admin\AppData\Local\Temp\34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e.exe"
   - Adds Run key to start application
   - Drops file in System32 directory
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e.exe  (pid 1232, child of 1)
      Command line: C:\Users\Admin\AppData\Local\Temp\34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e.exe
      - Checks computer location settings
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\svchost.exe  (pid 4772, child of 2)
         Command line: "C:\Windows\svchost.exe"
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of SetThreadContext
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\svchost.exe  (pid 2904, child of 3)
            Command line: C:\Windows\svchost.exe
            - Executes dropped EXE
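The signatures and the process tree describe one chain: drop a copy of itself, register a Run value, then spawn a second instance of the same image and overwrite its thread context. The Python below is an added example (not code from the sandbox or the sample) that turns three observations from that chain into checks and runs them over events constructed from the report's rows. The event dicts and their field names (op, pid, image, key, value, path, target_pid, target_image, parent_pid) are this example's own schema, not a Triage or Sysmon format, and the list of system binary names is an illustrative allow-list.

```python
"""
Three detection checks derived from this report's signature rows, run over
constructed events. Added example: not code from the sandbox or the sample.
The event dicts and field names are this example's own schema (constructed
from the rows above), not a Triage or Sysmon format.
"""
import ntpath

SAMPLE_IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
                r"\34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e.exe")
DROPPED_IMAGE = r"C:\Windows\svchost.exe"

# Constructed from the report rows (pid, operation, paths).
EVENTS = [
    {"op": "reg_set", "pid": 2124, "image": SAMPLE_IMAGE,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aYQwA0zYJ87p8B",
     "value": r"C:\Windows\system32\Server.exe"},
    {"op": "file_create", "pid": 2124, "image": SAMPLE_IMAGE, "path": r"C:\Windows\SysWOW64\Server.exe"},
    {"op": "set_thread_context", "pid": 2124, "image": SAMPLE_IMAGE,
     "target_pid": 1232, "target_image": SAMPLE_IMAGE},
    {"op": "file_create", "pid": 1232, "image": SAMPLE_IMAGE, "path": DROPPED_IMAGE},
    {"op": "process_create", "pid": 4772, "image": DROPPED_IMAGE, "parent_pid": 1232},
    {"op": "set_thread_context", "pid": 4772, "image": DROPPED_IMAGE,
     "target_pid": 2904, "target_image": DROPPED_IMAGE},
]

SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# Illustrative allow-list of names that only belong in the system directories.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}
SYSTEM32_PREFIX = "c:\\windows\\system32\\"


def wow64_disk_path(path: str) -> str:
    """Where a 32-bit process's write to C:\\Windows\\System32\\X really lands on x64."""
    if path.lower().startswith(SYSTEM32_PREFIX):
        return "C:\\Windows\\SysWOW64\\" + path[len(SYSTEM32_PREFIX):]
    return path


def check_run_key_persistence(events):
    """Run-key value set by a process; resolve where the referenced file should exist
    (WOW6432Node means the writer was 32-bit, so its System32 path was redirected)."""
    created = {e["path"].lower() for e in events if e["op"] == "file_create"}
    findings = []
    for e in events:
        if e["op"] != "reg_set" or "\\currentversion\\run\\" not in e["key"].lower():
            continue
        redirected = "\\wow6432node\\" in e["key"].lower()
        on_disk = wow64_disk_path(e["value"]) if redirected else e["value"]
        findings.append({
            "rule": "run_key_persistence",
            "pid": e["pid"],
            "value_name": e["key"].rsplit("\\", 1)[1],
            "command": e["value"],
            "wow64_redirected": redirected,
            "expected_on_disk": on_disk,
            "file_seen": on_disk.lower() in created,
        })
    return findings


def check_masquerading(events):
    """A system-binary name created or executed outside System32/SysWOW64."""
    findings = []
    for e in events:
        if e["op"] == "file_create":
            path = e["path"]
        elif e["op"] == "process_create":
            path = e["image"]
        else:
            continue
        directory, name = ntpath.split(path)
        if name.lower() in SYSTEM_BINARIES and directory.lower() not in SYSTEM_DIRS:
            findings.append({"rule": "system_name_outside_system_dir", "pid": e["pid"], "path": path})
    return findings


def check_self_hollowing(events):
    """SetThreadContext on a child that runs the caller's own image: the hollowing pattern."""
    return [
        {"rule": "set_thread_context_own_image", "pid": e["pid"],
         "target_pid": e["target_pid"], "image": e["image"]}
        for e in events
        if e["op"] == "set_thread_context" and e["image"].lower() == e["target_image"].lower()
    ]


def run_detections(events):
    return check_run_key_persistence(events) + check_masquerading(events) + check_self_hollowing(events)


if __name__ == "__main__":
    for finding in run_detections(EVENTS):
        print(finding)
```

The run-key check deliberately reports both the path the registry value names and the path the file was actually written to; on a real host the two may differ exactly as they do in this report, and a responder who only checks the path in the Run value can miss the dropped binary.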
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e.exe.log
  Filesize: 1KB
  MD5: 400f1cc1a0a0ce1cdabda365ab3368ce
  SHA1: 1ecf683f14271d84f3b6063493dce00ff5f42075
  SHA256: c8fa64f4b69df13ed6408fd4a204f318a36c2f38c85d4a4d42adfc9173f73765
  SHA512: 14c8cfd58d097e5e89c8cabe1e665173f1ccf604a9ef70cdcb84116e265f90819c19c891be408e0ad7e29086a5c2ea2883b7a7d1184878dbbac63e2cabcd1c45
  Note: this usage log is written by the .NET Framework 4.x runtime, and the CLR_v4.0_32 folder is the one used by 32-bit processes, so the sample is a 32-bit .NET assembly (njRAT is a .NET family). That is also why the WOW6432Node and SysWOW64 paths appear in Signatures.
-
C:\Windows\svchost.exe
  Filesize: 786KB
  MD5: b3add9a1e502c753d95a2e9f48673395
  SHA1: 5fe5aa9cb6a39d03d2fe7fed545fd5905aca3037
  SHA256: 34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e
  SHA512: c32518f3ebe3b1c9838f6c0011713a314e45f3b78bbf0c0244d4d157820db2c6fe66ba1b8951e89eae3d4f9bd5410c27734e3af0a001a293f7dd02514d09a685
  Note: identical hashes to the submitted sample; the drop is a byte-for-byte self-copy, so the sample's hashes are valid indicators for the dropped file as well. (The report lists this file three times; the repeats are omitted here.)
-
Memory dumps (by pid and dump index)

memory/2124-132  0x00700000-0x007CA000  808KB
memory/2124-133  0x059A0000-0x05F44000  5.6MB
memory/2124-134  0x05490000-0x05522000  584KB
memory/2124-135  0x05900000-0x0590A000  40KB
memory/2124-136  0x07C00000-0x07C9C000  624KB
memory/1232-137  mapping.dmp
memory/1232-138  0x00400000-0x0040A000  40KB
memory/4772-139  mapping.dmp
memory/2904-143  mapping.dmp

Note: the 40KB region at 0x00400000 in pid 1232 (the hollowed child) is the same size as the 40KB region at 0x05900000 in its parent 2124; if the two dumps match, that is the payload image the parent wrote into the child before resetting its thread context, and the dump from 1232 is the one to unpack and compare against the extracted config. This is an inference from the sizes only; compare the dumps to confirm.