Analysis

max time kernel: 187s
max time network: 187s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2022 20:58
Behavioral task behavioral1
  Sample: aacd16a5525ab0e1e690839933296f051279e11ea39b31e003f5b6cdaf69591d.exe
  Resource: win7-20221111-en

Behavioral task behavioral2
  Sample: aacd16a5525ab0e1e690839933296f051279e11ea39b31e003f5b6cdaf69591d.exe
  Resource: win10v2004-20221111-en
General

Target: aacd16a5525ab0e1e690839933296f051279e11ea39b31e003f5b6cdaf69591d.exe
Size: 232KB
MD5: 078c443bcef55469d0e676bfdb3657da
SHA1: d2f776086636685bbfff14350a4dad829fdfc930
SHA256: aacd16a5525ab0e1e690839933296f051279e11ea39b31e003f5b6cdaf69591d
SHA512: 078bbe71d9deea47947932bbc5fb79de21ba812cbb0274194fc347640420a4335cdf6c060de5a5fe4a0f237cd0d295d6131d6795bd1c081df9881b15150193eb
SSDEEP: 3072:f6MMA29HPwr/7bn8fgNYg2hilnsf+odkFX4CDlpj3sRpPeQZ3NM:c9vwrX8kY3hino+aCDrIRNeQZN
Malware Config

Extracted
Family: njrat
Version: 0.6.4
Botnet: HacKed
C2: gabrireimice.no-ip.biz:1177
Mutex: 7d31449cc24545e5baf7b7e98c5e61d9
reg_key: 7d31449cc24545e5baf7b7e98c5e61d9
splitter: |'|'|
Signatures

Executes dropped EXE (1 IoC)
  Processes: pid 1644 Explorer.exe

Modifies Windows Firewall (1 TTP, 1 IoC)

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: aacd16a5525ab0e1e690839933296f051279e11ea39b31e003f5b6cdaf69591d.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation

Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: Explorer.exe
    Set value (str): \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7d31449cc24545e5baf7b7e98c5e61d9 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Explorer.exe\" .."
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7d31449cc24545e5baf7b7e98c5e61d9 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Explorer.exe\" .."

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (45 IoCs)
  Processes: pid 1644 Explorer.exe (all 45 IoCs are from this one process)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: pid 1644 Explorer.exe, Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    PID 3044 wrote to memory of 1644: aacd16a5525ab0e1e690839933296f051279e11ea39b31e003f5b6cdaf69591d.exe -> Explorer.exe (3 IoCs)
    PID 1644 wrote to memory of 1556: Explorer.exe -> netsh.exe (3 IoCs)
Processes

1. C:\Users\Admin\AppData\Local\Temp\aacd16a5525ab0e1e690839933296f051279e11ea39b31e003f5b6cdaf69591d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\aacd16a5525ab0e1e690839933296f051279e11ea39b31e003f5b6cdaf69591d.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Explorer.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Roaming\Explorer.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe (child of 2)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Explorer.exe" "Explorer.exe" ENABLE
         - Modifies Windows Firewall
Network

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Roaming\Explorer.exe
  Filesize: 232KB
  MD5: 078c443bcef55469d0e676bfdb3657da
  SHA1: d2f776086636685bbfff14350a4dad829fdfc930
  SHA256: aacd16a5525ab0e1e690839933296f051279e11ea39b31e003f5b6cdaf69591d
  SHA512: 078bbe71d9deea47947932bbc5fb79de21ba812cbb0274194fc347640420a4335cdf6c060de5a5fe4a0f237cd0d295d6131d6795bd1c081df9881b15150193eb
memory/1556-137-0x0000000000000000-mapping.dmp
memory/1644-133-0x0000000000000000-mapping.dmp
memory/1644-138-0x0000000074E40000-0x00000000753F1000-memory.dmp (Filesize: 5.7MB)
memory/1644-139-0x0000000074E40000-0x00000000753F1000-memory.dmp (Filesize: 5.7MB)
memory/3044-132-0x0000000074E40000-0x00000000753F1000-memory.dmp (Filesize: 5.7MB)
memory/3044-136-0x0000000074E40000-0x00000000753F1000-memory.dmp (Filesize: 5.7MB)