Analysis
max time kernel: 203s
max time network: 217s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 21:00
Behavioral tasks
behavioral1
  Sample: 798301c500221b4dd6c1a9da48b072d4b0cb4d5e1197cf5de6d887b2b27a6efa.exe
  Resource: win7-20220812-en
behavioral2
  Sample: 798301c500221b4dd6c1a9da48b072d4b0cb4d5e1197cf5de6d887b2b27a6efa.exe
  Resource: win10v2004-20221111-en
General
Target: 798301c500221b4dd6c1a9da48b072d4b0cb4d5e1197cf5de6d887b2b27a6efa.exe
Size: 23KB
MD5: 7fc8280df342ffd91ecf6b111b82704e
SHA1: d3ead92ef2d3a928d1d17df20dbc045bd12b623a
SHA256: 798301c500221b4dd6c1a9da48b072d4b0cb4d5e1197cf5de6d887b2b27a6efa
SHA512: 9a26bd5f031170ba2384420f719e8982e9643b1b453e81a623f16a8da6f7f608c7bed647c8a7e6dcfb5f4bc6b6ebf7b37995d67dd502dc8e032ae99b2ce07ad6
SSDEEP: 384:GluBPiZCMfdfSJrQbsLRGSIxYVL46pg/i8BD9BmRvR6JZlbw8hqIusZzZmz:pOmhtIiRpcnub
Malware Config
Extracted
  Family: njrat
  Version: 0.7d
  Botnet: Victime
  C2: adelkabyle.no-ip.biz:1177
  Mutex: 8765804f05506e2bf20cdfeb9d11a4c1
  Attributes:
    reg_key: 8765804f05506e2bf20cdfeb9d11a4c1
    splitter: |'|'|
Signatures

Executes dropped EXE (1 IoCs)
Processes:
  pid 4428, process taskeng.exe

Modifies Windows Firewall (1 TTPs, 1 IoCs)

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation (process: 798301c500221b4dd6c1a9da48b072d4b0cb4d5e1197cf5de6d887b2b27a6efa.exe)

Drops startup file (2 IoCs)
Processes:
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8765804f05506e2bf20cdfeb9d11a4c1.exe (process: taskeng.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8765804f05506e2bf20cdfeb9d11a4c1.exe (process: taskeng.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\8765804f05506e2bf20cdfeb9d11a4c1 = "\"C:\\Users\\Admin\\AppData\\Roaming\\taskeng.exe\" .." (process: taskeng.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8765804f05506e2bf20cdfeb9d11a4c1 = "\"C:\\Users\\Admin\\AppData\\Roaming\\taskeng.exe\" .." (process: taskeng.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (13 IoCs)
Processes:
  Token: SeDebugPrivilege, pid 4428, process taskeng.exe
  Token: 33, pid 4428, process taskeng.exe
  Token: SeIncBasePriorityPrivilege, pid 4428, process taskeng.exe
  Token: 33, pid 4428, process taskeng.exe
  Token: SeIncBasePriorityPrivilege, pid 4428, process taskeng.exe
  Token: 33, pid 4428, process taskeng.exe
  Token: SeIncBasePriorityPrivilege, pid 4428, process taskeng.exe
  Token: 33, pid 4428, process taskeng.exe
  Token: SeIncBasePriorityPrivilege, pid 4428, process taskeng.exe
  Token: 33, pid 4428, process taskeng.exe
  Token: SeIncBasePriorityPrivilege, pid 4428, process taskeng.exe
  Token: 33, pid 4428, process taskeng.exe
  Token: SeIncBasePriorityPrivilege, pid 4428, process taskeng.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  PID 3468 wrote to memory of 4428: 798301c500221b4dd6c1a9da48b072d4b0cb4d5e1197cf5de6d887b2b27a6efa.exe -> taskeng.exe
  PID 3468 wrote to memory of 4428: 798301c500221b4dd6c1a9da48b072d4b0cb4d5e1197cf5de6d887b2b27a6efa.exe -> taskeng.exe
  PID 3468 wrote to memory of 4428: 798301c500221b4dd6c1a9da48b072d4b0cb4d5e1197cf5de6d887b2b27a6efa.exe -> taskeng.exe
  PID 4428 wrote to memory of 2616: taskeng.exe -> netsh.exe
  PID 4428 wrote to memory of 2616: taskeng.exe -> netsh.exe
  PID 4428 wrote to memory of 2616: taskeng.exe -> netsh.exe
Processes (tree, depth shown by indentation)
C:\Users\Admin\AppData\Local\Temp\798301c500221b4dd6c1a9da48b072d4b0cb4d5e1197cf5de6d887b2b27a6efa.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\798301c500221b4dd6c1a9da48b072d4b0cb4d5e1197cf5de6d887b2b27a6efa.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\taskeng.exe
      Command line: "C:\Users\Admin\AppData\Roaming\taskeng.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\netsh.exe
          Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\taskeng.exe" "taskeng.exe" ENABLE
          - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\taskeng.exe
  Filesize: 23KB
  MD5: 7fc8280df342ffd91ecf6b111b82704e
  SHA1: d3ead92ef2d3a928d1d17df20dbc045bd12b623a
  SHA256: 798301c500221b4dd6c1a9da48b072d4b0cb4d5e1197cf5de6d887b2b27a6efa
  SHA512: 9a26bd5f031170ba2384420f719e8982e9643b1b453e81a623f16a8da6f7f608c7bed647c8a7e6dcfb5f4bc6b6ebf7b37995d67dd502dc8e032ae99b2ce07ad6
Memory dumps
memory/2616-140-0x0000000000000000-mapping.dmp
memory/3468-132-0x0000000075100000-0x00000000756B1000-memory.dmp (Filesize: 5.7MB)
memory/3468-133-0x0000000075100000-0x00000000756B1000-memory.dmp (Filesize: 5.7MB)
memory/3468-137-0x0000000075100000-0x00000000756B1000-memory.dmp (Filesize: 5.7MB)
memory/4428-134-0x0000000000000000-mapping.dmp
memory/4428-138-0x0000000075100000-0x00000000756B1000-memory.dmp (Filesize: 5.7MB)
memory/4428-139-0x0000000075100000-0x00000000756B1000-memory.dmp (Filesize: 5.7MB)