Analysis
max time kernel: 154s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 07:38
Behavioral task behavioral1: sample 78670d5a183c2679c8c45c323c23a4c8ca750360a03fb76e1a2923dfca439433.exe, resource win7-20221111-en
Behavioral task behavioral2: sample 78670d5a183c2679c8c45c323c23a4c8ca750360a03fb76e1a2923dfca439433.exe, resource win10v2004-20220901-en (the analysis below is from this task)
General
Target: 78670d5a183c2679c8c45c323c23a4c8ca750360a03fb76e1a2923dfca439433.exe
Size: 23KB
MD5: 4365a0d1044bc78fa41fd4191678efe5
SHA1: dfac2a71df39d25541322e6474c347ef38c9c438
SHA256: 78670d5a183c2679c8c45c323c23a4c8ca750360a03fb76e1a2923dfca439433
SHA512: 17993143727707b8fd450e2c5065f5221bc70364ae1cdf6e0e2052a5fae7a4a84429084088e1ff6600815c9a482a69bd0411ec3dc338ab0cd38eb18b222069db
SSDEEP: 384:k8aLWS0dABLYVq6RxP8MDFF09vK563gRMmJKUv0mRvR6JZlbw8hqIusZzZxR:jXcwt3tRpcnuI
Malware Config
Extracted
family: njrat
version: 0.7d
botnet/campaign ID: dinaro
C2: barby.no-ip.biz:1177 (a no-ip.biz dynamic-DNS hostname; pivot on the hostname, since the resolved address can change)
mutex: be38e079e21e7a803483d18fb29a86c3
reg_key: be38e079e21e7a803483d18fb29a86c3
splitter: |'|'|
The mutex and reg_key are the same string, and it is also the name of the Run value and of the .exe dropped into the Startup folder (see Signatures). The splitter is the field delimiter njRAT uses inside its C2 messages, which makes it a useful content match for network detection.
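To apply the extracted splitter and C2 to a packet capture, njRAT's message framing has to be undone first. The Python below is an added example, not code from the sandbox report or from njRAT itself. It assumes the framing described in public analyses of njRAT 0.7d (each message is a decimal payload length, a NUL byte, then the payload; fields inside the payload are separated by the splitter |'|'|), and it feeds a constructed two-message stream in two segments that cut the first message mid-payload, the situation a reassembled TCP stream to barby.no-ip.biz:1177 would present. The field values in the constructed registration message are invented; only "ll" as the registration command comes from public njRAT analyses, and the second "P" frame is there only to give the chunk boundary something to split.

```python
"""Incremental decoder for njRAT-style C2 framing (added example).

Assumed framing (njRAT 0.7d, per public analyses, not stated in the report):
    <decimal payload length> <NUL> <payload>
Fields inside the payload are separated by the splitter from the extracted
config, |'|'|. All sample traffic below is constructed.
"""
from dataclasses import dataclass
from typing import List

SPLITTER = "|'|'|"  # splitter value from the extracted config


@dataclass
class Frame:
    command: str        # first field, e.g. "ll" for the initial registration
    fields: List[str]   # remaining fields; their meaning depends on the command


class NjratStreamDecoder:
    """Feed reassembled TCP data in any chunking; complete frames come out."""

    def __init__(self, splitter: str = SPLITTER, max_len: int = 16 * 1024 * 1024):
        self.splitter = splitter
        self.max_len = max_len   # guard against a hostile or corrupt length prefix
        self.buf = b""

    def feed(self, data: bytes) -> List[Frame]:
        self.buf += data
        frames: List[Frame] = []
        while True:
            nul = self.buf.find(b"\x00")
            if nul == -1:
                break                       # length prefix not complete yet
            prefix = self.buf[:nul]
            if not prefix.isdigit():
                raise ValueError(f"malformed length prefix: {prefix!r}")
            length = int(prefix)
            if length > self.max_len:
                raise ValueError(f"length {length} exceeds max_len")
            start, end = nul + 1, nul + 1 + length
            if len(self.buf) < end:
                break                       # payload still in flight
            payload = self.buf[start:end].decode("utf-8", errors="replace")
            self.buf = self.buf[end:]
            parts = payload.split(self.splitter)
            frames.append(Frame(command=parts[0], fields=parts[1:]))
        return frames


def encode_frame(command: str, fields: List[str], splitter: str = SPLITTER) -> bytes:
    """Build one framed message; used here only to construct sample traffic."""
    payload = splitter.join([command, *fields]).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def sample_stream() -> bytes:
    """Constructed client-to-C2 bytes: an "ll" registration frame with invented
    field values, followed by a short second frame so that the 30-byte chunk
    boundary used in decode_sample() falls inside the first payload."""
    registration = encode_frame("ll", ["ZGluYXJvX1RFU1Q=", "TESTHWID", "DESKTOP-ABC", "Admin"])
    second = encode_frame("P", [])
    return registration + second          # 65 + 3 = 68 bytes


def decode_sample() -> List[Frame]:
    """Decode sample_stream() delivered as two TCP segments of 30 and 38 bytes."""
    dec = NjratStreamDecoder()
    data = sample_stream()
    frames = dec.feed(data[:30])     # ends mid-payload: nothing complete yet
    frames += dec.feed(data[30:])    # completes both frames
    return frames


if __name__ == "__main__":
    for f in decode_sample():
        print(f.command, f.fields)
```

The decoder keeps unconsumed bytes between calls, so it can be driven directly from a stream-reassembly callback; the max_len guard matters because the length prefix is attacker-controlled and a decoder that trusts it will buffer without bound.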
Signatures
Executes dropped EXE (1 IoC)
  server.exe, PID 780
Modifies Windows Firewall (1 TTP, 1 IoC)
  netsh.exe (PID 3868), launched by server.exe; the command line is in the process tree below.
Checks computer location settings (2 TTPs, 1 IoC)
  Sandbox description: looks up the country code configured in the registry, likely geofence.
  Key value queried by 78670d5a183c2679c8c45c323c23a4c8ca750360a03fb76e1a2923dfca439433.exe (PID 4008): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation
  Caveat: the .NET runtime reads this value during culture/region initialisation, so for a .NET sample such as njRAT this hit on its own is weak evidence of geofencing.
Drops startup file (2 IoCs)
  server.exe: File created, then File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\be38e079e21e7a803483d18fb29a86c3.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  server.exe: Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\be38e079e21e7a803483d18fb29a86c3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
  server.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\be38e079e21e7a803483d18fb29a86c3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
  Both the per-user and the machine-wide (WOW6432Node, the 32-bit registry view) Run values point at the copy in Temp; the trailing " .." is part of the value data and is a usable detection string.
Enumerates physical storage devices (1 TTP)
  Sandbox description: attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Caveat: the "likely ransomware" wording is the signature's generic text. njRAT enumerates drives for its removable-drive (USB) spreading routine, which is the more plausible reading for this family.
Suspicious use of AdjustPrivilegeToken (33 IoCs)
  server.exe (PID 780): SeDebugPrivilege once, followed by 16 repetitions of the pair Token: 33 (the LUID of SeIncreaseWorkingSetPrivilege) and SeIncBasePriorityPrivilege.
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4008 (78670d5a183c2679c8c45c323c23a4c8ca750360a03fb76e1a2923dfca439433.exe) wrote to memory of PID 780 (server.exe), 3 times
  PID 780 (server.exe) wrote to memory of PID 3868 (netsh.exe), 3 times
  Both are parent-to-child writes that match the process tree below.
Processes
C:\Users\Admin\AppData\Local\Temp\78670d5a183c2679c8c45c323c23a4c8ca750360a03fb76e1a2923dfca439433.exe (PID 4008)
  command line: "C:\Users\Admin\AppData\Local\Temp\78670d5a183c2679c8c45c323c23a4c8ca750360a03fb76e1a2923dfca439433.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\server.exe (PID 780, child of 4008)
    command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\netsh.exe (PID 3868, child of 780)
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      - Modifies Windows Firewall
The legacy netsh firewall context is deprecated in favour of netsh advfirewall firewall but is still accepted on Windows 10, so the exception for the Temp copy is created; a non-elevated user can only add it for the current profile's host firewall, not change domain policy.
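The process tree above (a copy executed from Temp, two Run values pointing at it, an .exe in the Startup folder and a netsh firewall exception, all from one process) is a compact persistence chain that can be matched from endpoint telemetry. The Python below is an added example, not part of the sandbox report or of any vendor product: it evaluates simple rules over a constructed list of Sysmon-style events that mirror this report (process creation, registry value set, file create) and correlates hits per process, so that one process exhibiting several of the behaviours is raised as an alert while a single weak hit is not. The event field names (event, pid, ppid, image, parent_image, cmdline, target, details), the rule names, the explorer.exe parent and the benign OneDrive Run value are assumptions made for the example; the paths, PIDs, SID and value name are taken from the report.

```python
"""Rule-based detection of the njRAT persistence chain seen in this report
(added example; the event schema and the benign event are constructed)."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Paths and names from the report; the OneDrive event further down is invented.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\78670d5a183c2679c8c45c323c23a4c8ca750360a03fb76e1a2923dfca439433.exe"
SERVER = r"C:\Users\Admin\AppData\Local\Temp\server.exe"
REG_NAME = "be38e079e21e7a803483d18fb29a86c3"
SID = "S-1-5-21-929662420-1054238289-2961194603-1000"

TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\"\s]+\.exe", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_EXE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
NETSH_FW = re.compile(r"firewall\s+add\s+(allowedprogram|rule)\b", re.I)

Event = Dict[str, object]


def rule_hits(ev: Event) -> List[Tuple[str, int]]:
    """Return (rule name, pid to blame) pairs for one Sysmon-style event."""
    hits: List[Tuple[str, int]] = []
    kind = ev["event"]
    if kind == "RegistryValueSet":
        # Run value whose data points at an executable in the user's Temp folder
        if RUN_KEY.search(str(ev["target"])) and TEMP_EXE.search(str(ev["details"])):
            hits.append(("run_key_to_temp", int(ev["pid"])))
    elif kind == "FileCreate":
        # executable placed in the per-user Startup folder
        if STARTUP_EXE.search(str(ev["target"])):
            hits.append(("startup_folder_exe", int(ev["pid"])))
    elif kind == "ProcessCreate":
        image = str(ev["image"]).lower()
        cmd = str(ev["cmdline"])
        # netsh opening the firewall for a Temp executable: blame the parent,
        # which is the process that asked for the exception
        if image.endswith("\\netsh.exe") and NETSH_FW.search(cmd) and TEMP_EXE.search(cmd):
            hits.append(("netsh_firewall_exception_for_temp_exe", int(ev["ppid"])))
        # a Temp executable launching another Temp executable (drop-and-run)
        if TEMP_EXE.search(str(ev["image"])) and TEMP_EXE.search(str(ev["parent_image"])):
            hits.append(("temp_exe_spawned_from_temp_exe", int(ev["pid"])))
    return hits


def correlate(events: List[Event]) -> Dict[int, List[str]]:
    """Distinct rule names per blamed pid (pids with no hits are omitted)."""
    by_pid: Dict[int, set] = defaultdict(set)
    for ev in events:
        for rule, pid in rule_hits(ev):
            by_pid[pid].add(rule)
    return {pid: sorted(rules) for pid, rules in by_pid.items()}


def alerts(events: List[Event], min_rules: int = 3) -> Dict[int, List[str]]:
    """Processes that tripped at least min_rules distinct rules."""
    return {pid: r for pid, r in correlate(events).items() if len(r) >= min_rules}


def _proc(pid, ppid, image, parent_image, cmdline) -> Event:
    return {"event": "ProcessCreate", "pid": pid, "ppid": ppid, "image": image,
            "parent_image": parent_image, "cmdline": cmdline}


# Constructed events reproducing the report's process tree and signatures.
SAMPLE_EVENTS: List[Event] = [
    _proc(4008, 1234, SAMPLE, r"C:\Windows\explorer.exe", f'"{SAMPLE}"'),
    _proc(780, 4008, SERVER, SAMPLE, f'"{SERVER}"'),
    {"event": "RegistryValueSet", "pid": 780,
     "target": rf"HKU\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{REG_NAME}",
     "details": f'"{SERVER}" ..'},
    {"event": "RegistryValueSet", "pid": 780,
     "target": rf"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\{REG_NAME}",
     "details": f'"{SERVER}" ..'},
    {"event": "FileCreate", "pid": 780,
     "target": rf"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{REG_NAME}.exe"},
    _proc(3868, 780, r"C:\Windows\SysWOW64\netsh.exe", SERVER,
          f'netsh firewall add allowedprogram "{SERVER}" "server.exe" ENABLE'),
    # benign Run value written by a legitimate process (constructed): must not fire
    {"event": "RegistryValueSet", "pid": 5000,
     "target": rf"HKU\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for pid, rules in alerts(SAMPLE_EVENTS).items():
        print(pid, rules)
```

Blaming the netsh hit on the parent PID is what ties the firewall exception to server.exe rather than to a short-lived netsh.exe process that has no other findings; the threshold keeps a lone Run value from a software installer in Temp from paging anyone.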
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\server.exe (the report lists this file twice with identical values; one entry is kept)
  Filesize: 23KB
  MD5: 4365a0d1044bc78fa41fd4191678efe5
  SHA1: dfac2a71df39d25541322e6474c347ef38c9c438
  SHA256: 78670d5a183c2679c8c45c323c23a4c8ca750360a03fb76e1a2923dfca439433
  SHA512: 17993143727707b8fd450e2c5065f5221bc70364ae1cdf6e0e2052a5fae7a4a84429084088e1ff6600815c9a482a69bd0411ec3dc338ab0cd38eb18b222069db
  Every hash matches the submitted sample in General above: server.exe is a byte-identical self-copy, so the same hashes identify both the original and the persisted copy.
Memory dumps:
  memory/780-133-0x0000000000000000-mapping.dmp
  memory/780-137-0x0000000075300000-0x00000000758B1000-memory.dmp (5.7MB)
  memory/780-139-0x0000000075300000-0x00000000758B1000-memory.dmp (5.7MB)
  memory/3868-138-0x0000000000000000-mapping.dmp
  memory/4008-132-0x0000000075300000-0x00000000758B1000-memory.dmp (5.7MB)
  memory/4008-136-0x0000000075300000-0x00000000758B1000-memory.dmp (5.7MB)
  The same 0x75300000-0x758B1000 region (5.7MB) is dumped twice from each of PID 4008 and PID 780.