Analysis
- max time kernel: 170s
- max time network: 184s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 23:58
Behavioral tasks
- behavioral1: sample 65940be895edb9f6043e7310219a561ce1c860e7e4e386a0344a09672f987263.exe, resource win7-20220812-en
- behavioral2: sample 65940be895edb9f6043e7310219a561ce1c860e7e4e386a0344a09672f987263.exe, resource win10v2004-20220812-en
General
- Target: 65940be895edb9f6043e7310219a561ce1c860e7e4e386a0344a09672f987263.exe
- Size: 23KB
- MD5: bc17077cf4a198a253c6e263c184c27c
- SHA1: 16042b752eaa17251c7272636f9cf54633603285
- SHA256: 65940be895edb9f6043e7310219a561ce1c860e7e4e386a0344a09672f987263
- SHA512: 40f3f29d988c40cd4067b3dd3a8831be7ae446e4b64b7e35a7542b96675c788cc3066228317bf9d98c88556ebe66d2b357a46e27ae911473dad571fec1c48450
- SSDEEP: 384:hslUlEvOEJ8xWwYJOMiOBZEdj1567gtwi5HhbQmRvR6JZlbw8hqIusZzZZP:ieEvwIlLMRpcnuy
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: aDeL
- C2: bilou04.no-ip.org:5010
- Mutex: bf20130b1b28d57b9c879b9943595d8a
- Attributes:
  - reg_key: bf20130b1b28d57b9c879b9943595d8a
  - splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: Chrome.exe (PID 4460)
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (process: 65940be895edb9f6043e7310219a561ce1c860e7e4e386a0344a09672f987263.exe)
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf20130b1b28d57b9c879b9943595d8a.exe (process: Chrome.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf20130b1b28d57b9c879b9943595d8a.exe (process: Chrome.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bf20130b1b28d57b9c879b9943595d8a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Chrome.exe\" .." (process: Chrome.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bf20130b1b28d57b9c879b9943595d8a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Chrome.exe\" .." (process: Chrome.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (25 IoCs)
  Process: Chrome.exe (PID 4460). Token: SeDebugPrivilege once, followed by 12 repetitions of the pair Token: 33 and Token: SeIncBasePriorityPrivilege (25 entries in total).
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2880 (65940be895edb9f6043e7310219a561ce1c860e7e4e386a0344a09672f987263.exe) wrote to memory of PID 4460 (Chrome.exe): 3 entries
  PID 4460 (Chrome.exe) wrote to memory of PID 4628 (netsh.exe): 3 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\65940be895edb9f6043e7310219a561ce1c860e7e4e386a0344a09672f987263.exe (PID 2880)
  Command line: "C:\Users\Admin\AppData\Local\Temp\65940be895edb9f6043e7310219a561ce1c860e7e4e386a0344a09672f987263.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Chrome.exe (PID 4460, child of 2880)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Chrome.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 4628, child of 4460)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Chrome.exe" "Chrome.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Chrome.exe
  Filesize: 23KB
  MD5: bc17077cf4a198a253c6e263c184c27c
  SHA1: 16042b752eaa17251c7272636f9cf54633603285
  SHA256: 65940be895edb9f6043e7310219a561ce1c860e7e4e386a0344a09672f987263
  SHA512: 40f3f29d988c40cd4067b3dd3a8831be7ae446e4b64b7e35a7542b96675c788cc3066228317bf9d98c88556ebe66d2b357a46e27ae911473dad571fec1c48450
  (hashes identical to the submitted sample: the dropped Chrome.exe is a copy of the sample itself)
- memory/2880-132-0x0000000074BF0000-0x00000000751A1000-memory.dmp: 5.7MB
- memory/2880-133-0x0000000074BF0000-0x00000000751A1000-memory.dmp: 5.7MB
- memory/2880-137-0x0000000074BF0000-0x00000000751A1000-memory.dmp: 5.7MB
- memory/4460-134-0x0000000000000000-mapping.dmp
- memory/4460-138-0x0000000074BF0000-0x00000000751A1000-memory.dmp: 5.7MB
- memory/4460-140-0x0000000074BF0000-0x00000000751A1000-memory.dmp: 5.7MB
- memory/4628-139-0x0000000000000000-mapping.dmp