Analysis
-
max time kernel
151s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
25/11/2022, 23:12
Behavioral task
behavioral1
Sample
ec97891dc8ec0b95e004b1397a7360b7bdde2699a9369409bc10e2939b9df56d.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
ec97891dc8ec0b95e004b1397a7360b7bdde2699a9369409bc10e2939b9df56d.exe
Resource
win10v2004-20220901-en
General
-
Target
ec97891dc8ec0b95e004b1397a7360b7bdde2699a9369409bc10e2939b9df56d.exe
-
Size
23KB
-
MD5
5ff84d0c70279992ca362d19526ad195
-
SHA1
3ab0eaaa73d68e15e3f1ca97050f117a27f9bcbc
-
SHA256
ec97891dc8ec0b95e004b1397a7360b7bdde2699a9369409bc10e2939b9df56d
-
SHA512
81a216074323c6c5453f72a2c2a3dc9cfa514261d2ba881b4dfdd10b1c529e8f7e339f139dfe7c2ddfd5380a5392ecf3497bb2136dd22e5523322e91921b338c
-
SSDEEP
384:F8aLWS0dABLYVq6RxP8MDFF09vK563gRMmJKUv0mRvR6JZlbw8hqIusZzZ8kB:WXcwt3tRpcnuJg
Malware Config
Extracted
njrat
0.7d
HacKed
127.0.0.1:5552
279f6960ed84a752570aca7fb2dc1552
-
reg_key
279f6960ed84a752570aca7fb2dc1552
-
splitter
|'|'|
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1296 server.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 4224 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation ec97891dc8ec0b95e004b1397a7360b7bdde2699a9369409bc10e2939b9df56d.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\279f6960ed84a752570aca7fb2dc1552 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\279f6960ed84a752570aca7fb2dc1552 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 33 IoCs
description pid Process Token: SeDebugPrivilege 1296 server.exe Token: 33 1296 server.exe Token: SeIncBasePriorityPrivilege 1296 server.exe Token: 33 1296 server.exe Token: SeIncBasePriorityPrivilege 1296 server.exe Token: 33 1296 server.exe Token: SeIncBasePriorityPrivilege 1296 server.exe Token: 33 1296 server.exe Token: SeIncBasePriorityPrivilege 1296 server.exe Token: 33 1296 server.exe Token: SeIncBasePriorityPrivilege 1296 server.exe Token: 33 1296 server.exe Token: SeIncBasePriorityPrivilege 1296 server.exe Token: 33 1296 server.exe Token: SeIncBasePriorityPrivilege 1296 server.exe Token: 33 1296 server.exe Token: SeIncBasePriorityPrivilege 1296 server.exe Token: 33 1296 server.exe Token: SeIncBasePriorityPrivilege 1296 server.exe Token: 33 1296 server.exe Token: SeIncBasePriorityPrivilege 1296 server.exe Token: 33 1296 server.exe Token: SeIncBasePriorityPrivilege 1296 server.exe Token: 33 1296 server.exe Token: SeIncBasePriorityPrivilege 1296 server.exe Token: 33 1296 server.exe Token: SeIncBasePriorityPrivilege 1296 server.exe Token: 33 1296 server.exe Token: SeIncBasePriorityPrivilege 1296 server.exe Token: 33 1296 server.exe Token: SeIncBasePriorityPrivilege 1296 server.exe Token: 33 1296 server.exe Token: SeIncBasePriorityPrivilege 1296 server.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2012 wrote to memory of 1296 2012 ec97891dc8ec0b95e004b1397a7360b7bdde2699a9369409bc10e2939b9df56d.exe 84 PID 2012 wrote to memory of 1296 2012 ec97891dc8ec0b95e004b1397a7360b7bdde2699a9369409bc10e2939b9df56d.exe 84 PID 2012 wrote to memory of 1296 2012 ec97891dc8ec0b95e004b1397a7360b7bdde2699a9369409bc10e2939b9df56d.exe 84 PID 1296 wrote to memory of 4224 1296 server.exe 88 PID 1296 wrote to memory of 4224 1296 server.exe 88 PID 1296 wrote to memory of 4224 1296 server.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\ec97891dc8ec0b95e004b1397a7360b7bdde2699a9369409bc10e2939b9df56d.exe"C:\Users\Admin\AppData\Local\Temp\ec97891dc8ec0b95e004b1397a7360b7bdde2699a9369409bc10e2939b9df56d.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
PID:4224
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23KB
MD55ff84d0c70279992ca362d19526ad195
SHA13ab0eaaa73d68e15e3f1ca97050f117a27f9bcbc
SHA256ec97891dc8ec0b95e004b1397a7360b7bdde2699a9369409bc10e2939b9df56d
SHA51281a216074323c6c5453f72a2c2a3dc9cfa514261d2ba881b4dfdd10b1c529e8f7e339f139dfe7c2ddfd5380a5392ecf3497bb2136dd22e5523322e91921b338c
-
Filesize
23KB
MD55ff84d0c70279992ca362d19526ad195
SHA13ab0eaaa73d68e15e3f1ca97050f117a27f9bcbc
SHA256ec97891dc8ec0b95e004b1397a7360b7bdde2699a9369409bc10e2939b9df56d
SHA51281a216074323c6c5453f72a2c2a3dc9cfa514261d2ba881b4dfdd10b1c529e8f7e339f139dfe7c2ddfd5380a5392ecf3497bb2136dd22e5523322e91921b338c