Analysis
max time kernel: 193s
max time network: 205s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 21:00
Behavioral task behavioral1
  Sample: 1c6ea57d7887d69e221806107185ba12a33790d676aa5228a1c29b5b611bec64.exe
  Resource: win7-20220812-en
Behavioral task behavioral2
  Sample: 1c6ea57d7887d69e221806107185ba12a33790d676aa5228a1c29b5b611bec64.exe
  Resource: win10v2004-20221111-en
General
Target: 1c6ea57d7887d69e221806107185ba12a33790d676aa5228a1c29b5b611bec64.exe
Size: 23KB
MD5: e32a03453d15bac1ca444de6737daf1f
SHA1: f18110d0073607683ddf591b42b14b1413cece72
SHA256: 1c6ea57d7887d69e221806107185ba12a33790d676aa5228a1c29b5b611bec64
SHA512: a4afff12153e6c0663fe4b486f8b658cb143175620991b4b66df834b40452cef8ed598bda6aa09c00dc851deee34c77a0bd29640ae5a04f84471dd67b5533e4d
SSDEEP: 384:xY324bcgPiJLQrfARGSRUJsbY6ZgvSMBD3t8mRvR6JZlbw8hqIusZzZZRO:GL2s+tRyRpcnu+O
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet (campaign ID): 1
C2: x-devil50099005.ddns.net:5552
Mutex: f38a836a5b74e1e1fd161ce744b606ef
reg_key: f38a836a5b74e1e1fd161ce744b606ef
splitter: |'|'|

The C2 is a dynamic-DNS hostname on 5552, njRAT's default port, so the hostname rather than an IP is the durable network indicator. The reg_key string is reused throughout the run: it names the Run values, the Startup-folder copy and the mutex, which makes it the single most specific host indicator for this build.
Signatures

Executes dropped EXE (1 IoC)
  pid 4648  Google.exe

Modifies Windows Firewall (1 TTP, 1 IoC)
  See the netsh.exe step in the process tree below.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation  (1c6ea57d7887d69e221806107185ba12a33790d676aa5228a1c29b5b611bec64.exe)

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f38a836a5b74e1e1fd161ce744b606ef.exe  (Google.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f38a836a5b74e1e1fd161ce744b606ef.exe  (Google.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\f38a836a5b74e1e1fd161ce744b606ef = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google.exe\" .."  (Google.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f38a836a5b74e1e1fd161ce744b606ef = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google.exe\" .."  (Google.exe)
  Persistence is written to both HKLM (via the WOW6432Node view, since this is a 32-bit process on x64) and HKCU. The trailing " .." after the quoted path is the argument njRAT passes to its own copy and is a reliable string to hunt for in Run value data.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour", but nothing else in this report supports that: there is no mass file modification and no ransom note. Given the extracted njRAT config, drive enumeration is consistent with that family's removable-drive spreading routine rather than with ransomware.
Suspicious use of AdjustPrivilegeToken (11 IoCs)
  Google.exe (pid 4648) enabled SeDebugPrivilege once, then alternated privilege 33 (SeIncreaseWorkingSetPrivilege) and SeIncBasePriorityPrivilege five times each. SeDebugPrivilege being enabled by an executable running out of %TEMP% is the notable entry; the other two are routinely adjusted by .NET processes.

Suspicious use of WriteProcessMemory (6 IoCs)
  pid 4596 (1c6ea57d7887d69e221806107185ba12a33790d676aa5228a1c29b5b611bec64.exe) wrote to memory of pid 4648 (Google.exe), 3 times
  pid 4648 (Google.exe) wrote to memory of pid 2608 (netsh.exe), 3 times
  In both cases the writes go into a child the process has just created, and netsh.exe is a system binary run with an ordinary command line; this pattern is what process creation itself looks like to the monitor and is not, on its own, evidence of code injection.
Processes

1. C:\Users\Admin\AppData\Local\Temp\1c6ea57d7887d69e221806107185ba12a33790d676aa5228a1c29b5b611bec64.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\1c6ea57d7887d69e221806107185ba12a33790d676aa5228a1c29b5b611bec64.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Google.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Google.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Google.exe" "Google.exe" ENABLE
         - Modifies Windows Firewall
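The chain in the process tree above (a self-copy to %TEMP%\Google.exe, Run values whose data is the quoted copy path followed by " ..", a Startup-folder drop named after the reg_key, and a netsh firewall exception spawned by the copy) is the part worth turning into detection logic. The Python below is an added example, not part of the tria.ge report and not njRAT tooling; it runs over constructed, Sysmon-style event records modelled on the IoCs above (the record schema, field names and rule names are this example's own, and the netsh.exe hash is a placeholder because the report does not give one) and reports which process exhibits the whole chain rather than just one of its steps.

```python
"""Detection logic for the njRAT persistence chain seen in this report.

Added example; the event schema below is constructed for illustration and
mirrors the IoCs in the report, not tria.ge's or Sysmon's real field names.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_SHA256 = "1c6ea57d7887d69e221806107185ba12a33790d676aa5228a1c29b5b611bec64"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
REG_KEY = "f38a836a5b74e1e1fd161ce744b606ef"

# Constructed events; pids, paths and hashes are taken from the report above.
EVENTS = [
    {"type": "process_create", "pid": 4596, "ppid": 1000,
     "image": TEMP + "\\" + SAMPLE_SHA256 + ".exe", "sha256": SAMPLE_SHA256, "cmdline": ""},
    {"type": "file_create", "pid": 4596, "target": TEMP + "\\Google.exe", "sha256": SAMPLE_SHA256},
    {"type": "process_create", "pid": 4648, "ppid": 4596,
     "image": TEMP + "\\Google.exe", "sha256": SAMPLE_SHA256, "cmdline": ""},
    {"type": "reg_set", "pid": 4648,
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" + "\\" + REG_KEY,
     "value": '"' + TEMP + '\\Google.exe" ..'},
    {"type": "reg_set", "pid": 4648,
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" + "\\" + REG_KEY,
     "value": '"' + TEMP + '\\Google.exe" ..'},
    {"type": "file_create", "pid": 4648, "target": STARTUP + "\\" + REG_KEY + ".exe",
     "sha256": SAMPLE_SHA256},
    {"type": "process_create", "pid": 2608, "ppid": 4648,
     "image": r"C:\Windows\SysWOW64\netsh.exe", "sha256": "placeholder-not-in-report",
     "cmdline": 'netsh firewall add allowedprogram "' + TEMP + '\\Google.exe" "Google.exe" ENABLE'},
]

# njRAT 0.7d writes its Run value as the quoted copy path followed by " ..";
# the 32-hex-character value name is the build's reg_key.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[0-9a-f]{32}$", re.I)
NJRAT_RUN_VALUE_RE = re.compile(r'^"[^"]+\.exe" \.\.$', re.I)
STARTUP_DROP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[0-9a-f]{32}\.exe$", re.I)
NETSH_ALLOW_RE = re.compile(r'^netsh\s+firewall\s+add\s+allowedprogram\s+"(?P<path>[^"]+)"', re.I)
USER_WRITABLE_RE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def detect(events):
    """Run the per-event rules and return one Finding per hit."""
    findings = []
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    written = {}  # (writer pid, lowercase path) -> sha256 of the file written
    for e in events:
        if e["type"] == "file_create":
            written[(e["pid"], e["target"].lower())] = e["sha256"]
            if STARTUP_DROP_RE.search(e["target"]):
                findings.append(Finding("startup_folder_drop", e["pid"], e["target"]))
        elif e["type"] == "reg_set":
            if RUN_KEY_RE.search(e["key"]) and NJRAT_RUN_VALUE_RE.match(e["value"]):
                findings.append(Finding("njrat_run_value", e["pid"], e["key"]))
        elif e["type"] == "process_create":
            parent = procs.get(e["ppid"])
            # Self-copy: the parent wrote this image with its own hash, then ran it.
            if parent and written.get((parent["pid"], e["image"].lower())) == parent["sha256"]:
                findings.append(Finding("self_copy_execution", e["pid"], e["image"]))
            m = NETSH_ALLOW_RE.match(e["cmdline"])
            if m and parent and USER_WRITABLE_RE.search(parent["image"]):
                findings.append(Finding("firewall_allow_from_user_dir", e["pid"], m.group("path")))
    return findings


def njrat_chain(events):
    """PIDs showing the full chain: self-copy execution, njRAT-style Run value
    and Startup-folder drop in one process, plus a netsh exception as its child."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    rules_by_pid = defaultdict(set)
    for f in detect(events):
        rules_by_pid[f.pid].add(f.rule)
    required = {"self_copy_execution", "njrat_run_value", "startup_folder_drop"}
    hits = []
    for pid, rules in list(rules_by_pid.items()):
        if required <= rules:
            children = [p["pid"] for p in procs.values() if p["ppid"] == pid]
            if any("firewall_allow_from_user_dir" in rules_by_pid.get(c, set()) for c in children):
                hits.append(pid)
    return hits


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f.rule:30} pid={f.pid} {f.detail}")
    print("njRAT chain in:", njrat_chain(EVENTS))
```

Requiring the whole chain in one process lineage is what keeps this from firing on every installer that writes a Run value or every admin script that calls netsh: each rule alone is noisy, the combination with a self-copy from %TEMP% is not. The same rules port directly to Sysmon event IDs 1 (process create), 11 (file create) and 13 (registry value set) once the field names are mapped.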
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\Google.exe
  Filesize: 23KB
  MD5: e32a03453d15bac1ca444de6737daf1f
  SHA1: f18110d0073607683ddf591b42b14b1413cece72
  SHA256: 1c6ea57d7887d69e221806107185ba12a33790d676aa5228a1c29b5b611bec64
  SHA512: a4afff12153e6c0663fe4b486f8b658cb143175620991b4b66df834b40452cef8ed598bda6aa09c00dc851deee34c77a0bd29640ae5a04f84471dd67b5533e4d

The dropped file was listed twice with identical hashes, and those hashes are the hashes of the submitted sample: the first stage simply copies itself to %TEMP%\Google.exe rather than unpacking a distinct payload, so a single file hash covers the submitted sample, the %TEMP% copy and the Startup-folder copy.
-
memory/2608-140-0x0000000000000000-mapping.dmp
-
memory/4596-132-0x0000000074E50000-0x0000000075401000-memory.dmpFilesize
5.7MB
-
memory/4596-133-0x0000000074E50000-0x0000000075401000-memory.dmpFilesize
5.7MB
-
memory/4596-137-0x0000000074E50000-0x0000000075401000-memory.dmpFilesize
5.7MB
-
memory/4648-134-0x0000000000000000-mapping.dmp
-
memory/4648-138-0x0000000074E50000-0x0000000075401000-memory.dmpFilesize
5.7MB
-
memory/4648-139-0x0000000074E50000-0x0000000075401000-memory.dmpFilesize
5.7MB