Analysis
max time kernel: 202s
max time network: 249s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 19:45
Static task: static1
Behavioral task: behavioral1
Sample: 528e851829bc704e72399308a139291053468a53d2ca3a0fe4335f6a51fb8e0e.exe
Resource: win7-20220812-en
General
Target: 528e851829bc704e72399308a139291053468a53d2ca3a0fe4335f6a51fb8e0e.exe
Size: 1.7MB
MD5: 3252406fbbe1a7a883ad6935b5ff7b44
SHA1: 04a855b176cce65a5d8f5c5962cb071eb2829b12
SHA256: 528e851829bc704e72399308a139291053468a53d2ca3a0fe4335f6a51fb8e0e
SHA512: 86cea605369b07b01b5bbaf507e13091e5b21518c68f5b7e429f0390ed7202da370503f33ff6537ae165999c940587eda552522091769b36c1dc616868e47773
SSDEEP: 49152:xjrGFvecsO1VyuA1zRUMjcXYzC5T2Ocjpm:4phDVy71zRtjodT2XjU
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software (2 IoCs)
Detects file using ACProtect software.
Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\nsb82B.tmp\SelfDel.dll  yara_rule: acprotect
  resource: behavioral2/memory/3808-151-0x00000000737B0000-0x00000000737B9000-memory.dmp  yara_rule: acprotect
Drops file in Drivers directory (2 IoCs)
Processes: 528e851829bc704e72399308a139291053468a53d2ca3a0fe4335f6a51fb8e0e.exe
  description: File created  ioc: C:\Windows\System32\drivers\mosfilterdrv.sys  process: 528e851829bc704e72399308a139291053468a53d2ca3a0fe4335f6a51fb8e0e.exe
  description: File opened for modification  ioc: C:\Windows\System32\drivers\mosfilterdrv.sys  process: 528e851829bc704e72399308a139291053468a53d2ca3a0fe4335f6a51fb8e0e.exe
Executes dropped EXE (3 IoCs)
Processes: nfregdrv.exe, import_root_cert.exe, NJax.exe
  pid: 628   process: nfregdrv.exe
  pid: 1184  process: import_root_cert.exe
  pid: 2328  process: NJax.exe

Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\nsb82B.tmp\SelfDel.dll  yara_rule: upx
  resource: behavioral2/memory/3808-151-0x00000000737B0000-0x00000000737B9000-memory.dmp  yara_rule: upx
Loads dropped DLL (8 IoCs)
Processes: 528e851829bc704e72399308a139291053468a53d2ca3a0fe4335f6a51fb8e0e.exe, nfregdrv.exe, NJax.exe
  pid: 3808  process: 528e851829bc704e72399308a139291053468a53d2ca3a0fe4335f6a51fb8e0e.exe
  pid: 628   process: nfregdrv.exe
  pid: 3808  process: 528e851829bc704e72399308a139291053468a53d2ca3a0fe4335f6a51fb8e0e.exe
  pid: 3808  process: 528e851829bc704e72399308a139291053468a53d2ca3a0fe4335f6a51fb8e0e.exe
  pid: 3808  process: 528e851829bc704e72399308a139291053468a53d2ca3a0fe4335f6a51fb8e0e.exe
  pid: 3808  process: 528e851829bc704e72399308a139291053468a53d2ca3a0fe4335f6a51fb8e0e.exe
  pid: 3808  process: 528e851829bc704e72399308a139291053468a53d2ca3a0fe4335f6a51fb8e0e.exe
  pid: 2328  process: NJax.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory (9 IoCs)
Processes: 528e851829bc704e72399308a139291053468a53d2ca3a0fe4335f6a51fb8e0e.exe (the process column is this executable for every row below)
  description: File created                ioc: C:\Program Files (x86)\NJax\NJax.exe
  description: File created                ioc: C:\Program Files (x86)\NJax\nfapi.dll
  description: File created                ioc: C:\Program Files (x86)\NJax\ssleay32.dll
  description: File created                ioc: C:\Program Files (x86)\NJax\libeay32.dll
  description: File created                ioc: C:\Program Files (x86)\NJax\mosfilterdrv.sys
  description: File opened for modification  ioc: C:\Program Files (x86)\NJax\mosfilterdrv.sys
  description: File created                ioc: C:\Program Files (x86)\NJax\ProtocolFilters.dll
  description: File created                ioc: C:\Program Files (x86)\NJax\nfregdrv.exe
  description: File created                ioc: C:\Program Files (x86)\NJax\remove_njax.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of FindShellTrayWindow (1 IoCs)
Processes: 528e851829bc704e72399308a139291053468a53d2ca3a0fe4335f6a51fb8e0e.exe
  pid: 3808  process: 528e851829bc704e72399308a139291053468a53d2ca3a0fe4335f6a51fb8e0e.exe
Suspicious use of WriteProcessMemory (11 IoCs)
Processes: 528e851829bc704e72399308a139291053468a53d2ca3a0fe4335f6a51fb8e0e.exe, cmd.exe
  description: PID 3808 wrote to memory of 628   pid: 3808  process: 528e851829bc704e72399308a139291053468a53d2ca3a0fe4335f6a51fb8e0e.exe  target process: nfregdrv.exe
  description: PID 3808 wrote to memory of 628   pid: 3808  process: 528e851829bc704e72399308a139291053468a53d2ca3a0fe4335f6a51fb8e0e.exe  target process: nfregdrv.exe
  description: PID 3808 wrote to memory of 628   pid: 3808  process: 528e851829bc704e72399308a139291053468a53d2ca3a0fe4335f6a51fb8e0e.exe  target process: nfregdrv.exe
  description: PID 3808 wrote to memory of 1604  pid: 3808  process: 528e851829bc704e72399308a139291053468a53d2ca3a0fe4335f6a51fb8e0e.exe  target process: cmd.exe
  description: PID 3808 wrote to memory of 1604  pid: 3808  process: 528e851829bc704e72399308a139291053468a53d2ca3a0fe4335f6a51fb8e0e.exe  target process: cmd.exe
  description: PID 1604 wrote to memory of 1184  pid: 1604  process: cmd.exe  target process: import_root_cert.exe
  description: PID 1604 wrote to memory of 1184  pid: 1604  process: cmd.exe  target process: import_root_cert.exe
  description: PID 1604 wrote to memory of 1184  pid: 1604  process: cmd.exe  target process: import_root_cert.exe
  description: PID 3808 wrote to memory of 2328  pid: 3808  process: 528e851829bc704e72399308a139291053468a53d2ca3a0fe4335f6a51fb8e0e.exe  target process: NJax.exe
  description: PID 3808 wrote to memory of 2328  pid: 3808  process: 528e851829bc704e72399308a139291053468a53d2ca3a0fe4335f6a51fb8e0e.exe  target process: NJax.exe
  description: PID 3808 wrote to memory of 2328  pid: 3808  process: 528e851829bc704e72399308a139291053468a53d2ca3a0fe4335f6a51fb8e0e.exe  target process: NJax.exe
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\528e851829bc704e72399308a139291053468a53d2ca3a0fe4335f6a51fb8e0e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\528e851829bc704e72399308a139291053468a53d2ca3a0fe4335f6a51fb8e0e.exe"
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Program Files (x86)\NJax\nfregdrv.exe
    Command line: nfregdrv.exe C:\Windows\system32\drivers\mosfilterdrv.sys
    - Executes dropped EXE
    - Loads dropped DLL

  Level 2: C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NJax\SSL\import.bat
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\Temp\NJax\SSL\import_root_cert.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\NJax\SSL\import_root_cert.exe "C:\Users\Admin\AppData\Local\Temp\NJax\SSL\NJaxSSL.cer"
      - Executes dropped EXE

  Level 2: C:\Program Files (x86)\NJax\NJax.exe
    Command line: "C:\Program Files (x86)\NJax\NJax.exe" /install /SILENT
    - Executes dropped EXE
    - Loads dropped DLL
Downloads