Analysis
max time kernel: 143s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2022 17:33
Behavioral task
behavioral1
Sample
e930e02bc4647e790310b342f44dda5bff079ff0ebe4f2ad624360fbb064e949.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
e930e02bc4647e790310b342f44dda5bff079ff0ebe4f2ad624360fbb064e949.exe
Resource
win10v2004-20221111-en
General
Target: e930e02bc4647e790310b342f44dda5bff079ff0ebe4f2ad624360fbb064e949.exe
Size: 23KB
MD5: 1f544a7ceb2cc4c868b1374b5991a15a
SHA1: 97746526ee8cfa63a36f0da3775d4b7ff64adb38
SHA256: e930e02bc4647e790310b342f44dda5bff079ff0ebe4f2ad624360fbb064e949
SHA512: 0cbcf963f17a3026012d99bd04b51fe0975ed35eebbbced5cd9b505b8d4934fac9fe0c8851152354b970b808e1ee61accce1dac8903c2c8acfe62d4ae4ca1521
SSDEEP: 384:rwTSiYWD2Z7w3CsJeiecwJ3fw6FgzeAh33RtmRvR6JZlbw8hqIusZzZQl:mvZiBK1edJRpcnub
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet/campaign ID: 5Min
C2: hiddenman.duckdns.org:5552
Identifier: 3360867c4461f88b6b57142fca68a212 (reused as the name of the Run key value written by the dropped copy)
reg_key: 3360867c4461f88b6b57142fca68a212
splitter: |'|'|
The C2 is a DuckDNS dynamic-DNS hostname, so the resolved IP can change at any time; block or alert on the hostname rather than an address. Port 5552 is njRAT's default listener port, and the splitter string is the field delimiter njRAT uses in its C2 messages.
Signatures
Executes dropped EXE (1 IoC)
Processes:
  PID 3428  svhost.exe
Modifies Windows Firewall (1 TTP, 1 IoC)
IoC: the netsh.exe invocation shown in the process tree below.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Processes (e930e02bc4647e790310b342f44dda5bff079ff0ebe4f2ad624360fbb064e949.exe):
  Key value queried: \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (svhost.exe):
  Set value (str): \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3360867c4461f88b6b57142fca68a212 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe\" .."
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\3360867c4461f88b6b57142fca68a212 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe\" .."
The same value is written to both the per-user (HKCU) and machine-wide (HKLM) Run keys. The HKLM write lands under WOW6432Node because svhost.exe is a 32-bit process on x64 Windows, and it only succeeds because the sandbox user is an administrator; on a standard-user host only the HKCU entry would be created. The value name is the identifier from the extracted config, and the trailing " .." after the quoted path is characteristic of njRAT's autorun entry.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drives. The sandbox's generic description calls this likely ransomware behaviour; for njRAT it more commonly corresponds to the builder's removable-drive spreading option, so treat it as a propagation indicator rather than evidence of encryption.
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  PID 2748 (e930e02bc4647e790310b342f44dda5bff079ff0ebe4f2ad624360fbb064e949.exe) wrote to memory of PID 3428 (svhost.exe)  x3
  PID 3428 (svhost.exe) wrote to memory of PID 4636 (netsh.exe)  x3
Each target is a child the writer itself spawned, so these writes are consistent with ordinary process creation rather than injection into a foreign process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\e930e02bc4647e790310b342f44dda5bff079ff0ebe4f2ad624360fbb064e949.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e930e02bc4647e790310b342f44dda5bff079ff0ebe4f2ad624360fbb064e949.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\svhost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\svhost.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svhost.exe" "svhost.exe" ENABLE
         - Modifies Windows Firewall
The chain is the standard njRAT install sequence: the sample copies itself to %APPDATA%\svhost.exe (a lookalike of the legitimate svchost.exe), relaunches the copy, and the copy adds its own firewall exception. The netsh call uses the legacy "netsh firewall" context, which is deprecated but still honoured (with a warning) on Windows 10; the SysWOW64 path confirms the 32-bit process invoked the 32-bit netsh.
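A detection pass over the behaviours in this chain, written as an added example that is not part of the report or of the sandbox's own tooling. It takes Sysmon-style events (registry value set, process create, DNS query, network connect) and flags the three njRAT fingerprints seen above: a Run value whose name is a 32-hex-digit identifier or whose data ends in the " .." suffix, a netsh firewall exception for a binary in a user-writable directory, and resolution of or connection to the extracted C2. The event field names (type, target, details, cmdline, query, dest_host) and the sample events are constructed for the example; the indicator values are taken from the report.

```python
import re

# Indicators taken from this report's extracted njRAT config and process tree.
C2_HOST = "hiddenman.duckdns.org"
C2_PORT = 5552  # also njRAT's default listener port

RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.IGNORECASE)
HEX32_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
# Program argument of both the legacy 'netsh firewall add allowedprogram'
# and the current 'netsh advfirewall firewall add rule ... program=' syntax.
NETSH_PROG_RE = re.compile(
    r'(?:allowedprogram\s+(?:program=)?|\bprogram=)(?:"(?P<q>[^"]+)"|(?P<u>\S+))',
    re.IGNORECASE)
# Directories an unprivileged user can write to; a firewall exception for a
# binary living here is far more suspicious than one under Program Files.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")


def is_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def finding(rule, severity, idx, detail):
    return {"rule": rule, "severity": severity, "event": idx, "detail": detail}


def check_registry(ev, idx=0):
    """Run-key write whose value name or data carries njRAT's fingerprints."""
    m = RUN_KEY_RE.search(ev["target"])
    if not m:
        return None
    data = ev.get("details", "")
    reasons = []
    if data.rstrip().endswith('" ..'):
        reasons.append("njRAT-style ' ..' suffix on the Run value")
    if HEX32_RE.match(m.group("name")):
        reasons.append("32-hex-digit value name (njRAT identifier)")
    if not reasons:
        return None
    return finding("njrat_run_key", "high", idx, "; ".join(reasons))


def check_process(ev, idx=0):
    """netsh firewall exception for a binary in a user-writable directory."""
    if not ev["image"].lower().endswith("\\netsh.exe"):
        return None
    m = NETSH_PROG_RE.search(ev["cmdline"])
    if not m:
        return None
    path = m.group("q") or m.group("u")
    if not is_user_writable(path):
        return None
    return finding("netsh_firewall_exception_userpath", "high", idx, path)


def check_dns(ev, idx=0):
    q = ev["query"].lower().rstrip(".")
    if q == C2_HOST:
        return finding("c2_dns", "high", idx, q)
    if q.endswith(".duckdns.org"):  # dynamic DNS alone is only a weak signal
        return finding("dyndns_lookup", "low", idx, q)
    return None


def check_connect(ev, idx=0):
    host = ev.get("dest_host", "").lower()
    if host == C2_HOST:
        return finding("c2_connect", "high", idx, f"{host}:{ev['dest_port']}")
    if ev.get("dest_port") == C2_PORT and is_user_writable(ev.get("image", "")):
        return finding("njrat_default_port", "low", idx, f"{host}:{ev['dest_port']}")
    return None


CHECKS = {"registry_set": check_registry, "process_create": check_process,
          "dns": check_dns, "network_connect": check_connect}


def scan(events):
    out = []
    for idx, ev in enumerate(events):
        check = CHECKS.get(ev["type"])
        f = check(ev, idx) if check else None
        if f:
            out.append(f)
    return out


def verdict(findings):
    """Two independent high-severity rules firing on one host is a confirmation."""
    high_rules = {f["rule"] for f in findings if f["severity"] == "high"}
    if len(high_rules) >= 2:
        return "njrat_confirmed"
    return "suspicious" if findings else "clean"


# Constructed Sysmon-style events mirroring the report, plus three benign ones.
SAMPLE_EVENTS = [
    {"type": "registry_set", "pid": 3428, "image": r"C:\Users\Admin\AppData\Roaming\svhost.exe",
     "target": r"HKU\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3360867c4461f88b6b57142fca68a212",
     "details": r'"C:\Users\Admin\AppData\Roaming\svhost.exe" ..'},
    {"type": "process_create", "pid": 4636, "ppid": 3428, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svhost.exe" "svhost.exe" ENABLE'},
    {"type": "dns", "pid": 3428, "query": "hiddenman.duckdns.org"},
    {"type": "network_connect", "pid": 3428, "image": r"C:\Users\Admin\AppData\Roaming\svhost.exe",
     "dest_host": "hiddenman.duckdns.org", "dest_port": 5552},
    {"type": "registry_set", "pid": 5120, "image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "target": r"HKU\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"type": "process_create", "pid": 6004, "ppid": 1200, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="Foo" dir=in action=allow program="C:\Program Files\Foo\foo.exe"'},
    {"type": "dns", "pid": 5120, "query": "www.microsoft.com"},
]

if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f['severity']}] {f['rule']} (event {f['event']}): {f['detail']}")
    print("verdict:", verdict(results))
```

Run against the constructed events it reports four high-severity findings (Run key, netsh exception, C2 DNS, C2 connect) and ignores the OneDrive autorun and the Program Files firewall rule. The Run-key and netsh rules are deliberately not tied to this sample's hashes or hostname, so they continue to fire on other njRAT builds whose C2 differs.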
Downloads
C:\Users\Admin\AppData\Roaming\svhost.exe
  Filesize: 23KB
  MD5: 1f544a7ceb2cc4c868b1374b5991a15a
  SHA1: 97746526ee8cfa63a36f0da3775d4b7ff64adb38
  SHA256: e930e02bc4647e790310b342f44dda5bff079ff0ebe4f2ad624360fbb064e949
  SHA512: 0cbcf963f17a3026012d99bd04b51fe0975ed35eebbbced5cd9b505b8d4934fac9fe0c8851152354b970b808e1ee61accce1dac8903c2c8acfe62d4ae4ca1521
All four hashes match the submitted sample, so the dropped svhost.exe is a byte-identical self-copy rather than a second-stage payload; the same file was recorded by both behavioral tasks. Any hash-based block on the original also covers the persisted copy.
Memory dumps
  memory/2748-132-0x0000000074B20000-0x00000000750D1000-memory.dmp  5.7MB
  memory/2748-133-0x0000000074B20000-0x00000000750D1000-memory.dmp  5.7MB
  memory/2748-138-0x0000000074B20000-0x00000000750D1000-memory.dmp  5.7MB
  memory/3428-134-0x0000000000000000-mapping.dmp
  memory/3428-137-0x0000000074B20000-0x00000000750D1000-memory.dmp  5.7MB
  memory/3428-139-0x0000000074B20000-0x00000000750D1000-memory.dmp  5.7MB
  memory/4636-140-0x0000000000000000-mapping.dmp
The same 5.7MB region at 0x74B20000 appears in both the original (PID 2748) and the dropped copy (PID 3428), consistent with the same 32-bit image being loaded in both processes; njRAT is a .NET application, so this region is most likely runtime code rather than unpacked payload, and the 23KB executable itself is the artefact to analyse.