Analysis
- max time kernel: 231s
- max time network: 235s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
- submitted: 25-11-2022 06:45
Behavioral task: behavioral1
- Sample: f80c8c48055c61738798952d3798fa0d995567d6c031bf933e4ae3905e399495.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: f80c8c48055c61738798952d3798fa0d995567d6c031bf933e4ae3905e399495.exe
- Resource: win10v2004-20221111-en
General
- Target: f80c8c48055c61738798952d3798fa0d995567d6c031bf933e4ae3905e399495.exe
- Size: 23KB
- MD5: 94cc6a62246af0257acc1aceaffd0965
- SHA1: c64ee8564dbfaeb67c50a362b1958806af64b30c
- SHA256: f80c8c48055c61738798952d3798fa0d995567d6c031bf933e4ae3905e399495
- SHA512: 2cdf3986e40d46de099f584837a1459f89e273daf49dfa8550f5ec153f385051f6199e7f1947ffd249068cbd5a6c9d76025f42707cb316af4ab39b9aa3c552c5
- SSDEEP: 384:B+n2650N3qZbATcjRGC5Eo9D46BgnqUhay1ZmRvR6JZlbw8hqIusZzZh7H:Wm+71d5XRpcnuG
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: hguvhr-1.no-ip.biz:1988
- Mutex: 31fbf4a6c2e03906866a21ab3c8bcdd7
- reg_key: 31fbf4a6c2e03906866a21ab3c8bcdd7
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid | process
    5116 | server.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (f80c8c48055c61738798952d3798fa0d995567d6c031bf933e4ae3905e399495.exe):
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | f80c8c48055c61738798952d3798fa0d995567d6c031bf933e4ae3905e399495.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (server.exe):
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\31fbf4a6c2e03906866a21ab3c8bcdd7 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | server.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\31fbf4a6c2e03906866a21ab3c8bcdd7 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | server.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  Processes (server.exe):
    description | pid | process
    Token: SeDebugPrivilege | 5116 | server.exe
    Token: 33 | 5116 | server.exe
    Token: SeIncBasePriorityPrivilege | 5116 | server.exe
    Token: 33 | 5116 | server.exe
    Token: SeIncBasePriorityPrivilege | 5116 | server.exe
    Token: 33 | 5116 | server.exe
    Token: SeIncBasePriorityPrivilege | 5116 | server.exe
    Token: 33 | 5116 | server.exe
    Token: SeIncBasePriorityPrivilege | 5116 | server.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (f80c8c48055c61738798952d3798fa0d995567d6c031bf933e4ae3905e399495.exe, server.exe):
    description | pid | process | target process
    PID 1524 wrote to memory of 5116 | 1524 | f80c8c48055c61738798952d3798fa0d995567d6c031bf933e4ae3905e399495.exe | server.exe
    PID 1524 wrote to memory of 5116 | 1524 | f80c8c48055c61738798952d3798fa0d995567d6c031bf933e4ae3905e399495.exe | server.exe
    PID 1524 wrote to memory of 5116 | 1524 | f80c8c48055c61738798952d3798fa0d995567d6c031bf933e4ae3905e399495.exe | server.exe
    PID 5116 wrote to memory of 3004 | 5116 | server.exe | netsh.exe
    PID 5116 wrote to memory of 3004 | 5116 | server.exe | netsh.exe
    PID 5116 wrote to memory of 3004 | 5116 | server.exe | netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\f80c8c48055c61738798952d3798fa0d995567d6c031bf933e4ae3905e399495.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f80c8c48055c61738798952d3798fa0d995567d6c031bf933e4ae3905e399495.exe"
  PID: 1524
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\server.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    PID: 5116
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (level 3)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      PID: 3004
      - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 23KB
  MD5: 94cc6a62246af0257acc1aceaffd0965
  SHA1: c64ee8564dbfaeb67c50a362b1958806af64b30c
  SHA256: f80c8c48055c61738798952d3798fa0d995567d6c031bf933e4ae3905e399495
  SHA512: 2cdf3986e40d46de099f584837a1459f89e273daf49dfa8550f5ec153f385051f6199e7f1947ffd249068cbd5a6c9d76025f42707cb316af4ab39b9aa3c552c5
- memory/1524-132-0x0000000074710000-0x0000000074CC1000-memory.dmp
  Filesize: 5.7MB
- memory/1524-133-0x0000000074710000-0x0000000074CC1000-memory.dmp
  Filesize: 5.7MB
- memory/1524-137-0x0000000074710000-0x0000000074CC1000-memory.dmp
  Filesize: 5.7MB
- memory/3004-139-0x0000000000000000-mapping.dmp
- memory/5116-134-0x0000000000000000-mapping.dmp
- memory/5116-138-0x0000000074710000-0x0000000074CC1000-memory.dmp
  Filesize: 5.7MB
- memory/5116-140-0x0000000074710000-0x0000000074CC1000-memory.dmp
  Filesize: 5.7MB