Analysis
max time kernel: 202s
max time network: 208s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2022 23:07
Static task: static1
Behavioral task: behavioral1
    Sample: 8103f3aba4d0dca4899bacc85a3f716f52ea505263ad559fb51db32bcc6d3da7.exe
    Resource: win7-20221111-en
Behavioral task: behavioral2
    Sample: 8103f3aba4d0dca4899bacc85a3f716f52ea505263ad559fb51db32bcc6d3da7.exe
    Resource: win10v2004-20221111-en
General
Target: 8103f3aba4d0dca4899bacc85a3f716f52ea505263ad559fb51db32bcc6d3da7.exe
Size: 352KB
MD5: efde8f7c97f533dbb5f6b44412f7e0e8
SHA1: 32b42444d368b4531dd5b196fb8413201b876f30
SHA256: 8103f3aba4d0dca4899bacc85a3f716f52ea505263ad559fb51db32bcc6d3da7
SHA512: 9a6023d0f6d23c037c2a3bb296c328c12266a72b40d1bdf254bd901f1fe90157ff1678fcb8bee002e108a29986b05ecbc6431a1150c647decf2b57775b8747d6
SSDEEP: 3072:rnyCcI+02me4sZh7Bl/D8C6yi/5rwWZsRPEY9wcDkSFwVxjhC9qOf5Zad77cN/b:vvU7jUyeEmsWuTo5vsWd7pvOU7HJ7M5
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet (campaign ID): w.w.w.w
C2: ksa-ok.ddns.net:1177
Mutex: 3731b7c7eb0e242265ddcd1c2fa8c059
reg_key: 3731b7c7eb0e242265ddcd1c2fa8c059
splitter: |'|'|
Signatures
-
Executes dropped EXE (2 IoCs)
Processes:
    PID 4076  prosek.exe
    PID 3720  prosek.exe
-
Modifies Windows Firewall (1 TTPs, 1 IoCs)
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
    Key value queried: \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation  (process: 8103f3aba4d0dca4899bacc85a3f716f52ea505263ad559fb51db32bcc6d3da7.exe)
-
Drops startup file (2 IoCs)
Processes:
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3731b7c7eb0e242265ddcd1c2fa8c059.exe  (process: prosek.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3731b7c7eb0e242265ddcd1c2fa8c059.exe  (process: prosek.exe)
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
    Set value (str): \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3731b7c7eb0e242265ddcd1c2fa8c059 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\prosek.exe\" .."  (process: prosek.exe)
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\3731b7c7eb0e242265ddcd1c2fa8c059 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\prosek.exe\" .."  (process: prosek.exe)
-
Suspicious use of SetThreadContext (2 IoCs)
Processes:
    PID 2012 (8103f3aba4d0dca4899bacc85a3f716f52ea505263ad559fb51db32bcc6d3da7.exe) set thread context of PID 2008 (8103f3aba4d0dca4899bacc85a3f716f52ea505263ad559fb51db32bcc6d3da7.exe)
    PID 4076 (prosek.exe) set thread context of PID 3720 (prosek.exe)
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken (19 IoCs)
Processes:
    Token: SeDebugPrivilege  PID 2012  8103f3aba4d0dca4899bacc85a3f716f52ea505263ad559fb51db32bcc6d3da7.exe
    Token: SeDebugPrivilege  PID 4076  prosek.exe
    Token: SeDebugPrivilege  PID 3720  prosek.exe
    Token: 33  PID 3720  prosek.exe  (8 occurrences)
    Token: SeIncBasePriorityPrivilege  PID 3720  prosek.exe  (8 occurrences)
-
Suspicious use of WriteProcessMemory (22 IoCs)
Processes:
    PID 2012 (8103f3aba4d0dca4899bacc85a3f716f52ea505263ad559fb51db32bcc6d3da7.exe) wrote to memory of PID 2008 (8103f3aba4d0dca4899bacc85a3f716f52ea505263ad559fb51db32bcc6d3da7.exe)  (8 occurrences)
    PID 2008 (8103f3aba4d0dca4899bacc85a3f716f52ea505263ad559fb51db32bcc6d3da7.exe) wrote to memory of PID 4076 (prosek.exe)  (3 occurrences)
    PID 4076 (prosek.exe) wrote to memory of PID 3720 (prosek.exe)  (8 occurrences)
    PID 3720 (prosek.exe) wrote to memory of PID 4496 (netsh.exe)  (3 occurrences)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\8103f3aba4d0dca4899bacc85a3f716f52ea505263ad559fb51db32bcc6d3da7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8103f3aba4d0dca4899bacc85a3f716f52ea505263ad559fb51db32bcc6d3da7.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\8103f3aba4d0dca4899bacc85a3f716f52ea505263ad559fb51db32bcc6d3da7.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\8103f3aba4d0dca4899bacc85a3f716f52ea505263ad559fb51db32bcc6d3da7.exe
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\prosek.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\prosek.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\prosek.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\prosek.exe
            - Executes dropped EXE
            - Drops startup file
            - Adds Run key to start application
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\netsh.exe
               Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\prosek.exe" "prosek.exe" ENABLE
               - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\8103f3aba4d0dca4899bacc85a3f716f52ea505263ad559fb51db32bcc6d3da7.exe.log
    Filesize: 408B
    MD5: e91022c75f1fa509d5e885934455081e
    SHA1: cd2969406b78ad33a99dbd7ca4d1fa642b378803
    SHA256: fa4e0be2df98aada3922e271a2a6af45975cd109aba4698627bb27a4f72e1851
    SHA512: d89426367e230d7f4dddcce838d30f018965947ede3849e89c3cf345861db86a5ae7f83622444ba569e4e160977dcc7169507fa563bad8adb5a9d8cab8badd97
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\prosek.exe.log
    Filesize: 408B
    MD5: e91022c75f1fa509d5e885934455081e
    SHA1: cd2969406b78ad33a99dbd7ca4d1fa642b378803
    SHA256: fa4e0be2df98aada3922e271a2a6af45975cd109aba4698627bb27a4f72e1851
    SHA512: d89426367e230d7f4dddcce838d30f018965947ede3849e89c3cf345861db86a5ae7f83622444ba569e4e160977dcc7169507fa563bad8adb5a9d8cab8badd97
-
C:\Users\Admin\AppData\Local\Temp\prosek.exe  (same hashes as the submitted sample)
    Filesize: 352KB
    MD5: efde8f7c97f533dbb5f6b44412f7e0e8
    SHA1: 32b42444d368b4531dd5b196fb8413201b876f30
    SHA256: 8103f3aba4d0dca4899bacc85a3f716f52ea505263ad559fb51db32bcc6d3da7
    SHA512: 9a6023d0f6d23c037c2a3bb296c328c12266a72b40d1bdf254bd901f1fe90157ff1678fcb8bee002e108a29986b05ecbc6431a1150c647decf2b57775b8747d6
-
memory/2008-135-0x0000000000400000-0x000000000040C000-memory.dmp  Filesize: 48KB
memory/2008-138-0x00000000753E0000-0x0000000075991000-memory.dmp  Filesize: 5.7MB
memory/2008-134-0x0000000000000000-mapping.dmp
memory/2008-142-0x00000000753E0000-0x0000000075991000-memory.dmp  Filesize: 5.7MB
memory/2012-133-0x00000000753E0000-0x0000000075991000-memory.dmp  Filesize: 5.7MB
memory/2012-132-0x00000000753E0000-0x0000000075991000-memory.dmp  Filesize: 5.7MB
memory/2012-137-0x00000000753E0000-0x0000000075991000-memory.dmp  Filesize: 5.7MB
memory/3720-143-0x0000000000000000-mapping.dmp
memory/3720-148-0x00000000753E0000-0x0000000075991000-memory.dmp  Filesize: 5.7MB
memory/3720-149-0x00000000753E0000-0x0000000075991000-memory.dmp  Filesize: 5.7MB
memory/4076-139-0x0000000000000000-mapping.dmp
memory/4076-147-0x00000000753E0000-0x0000000075991000-memory.dmp  Filesize: 5.7MB
memory/4496-150-0x0000000000000000-mapping.dmp