Analysis
Max time kernel: 190s
Max time network: 195s
Platform: windows10-2004_x64
Resource: win10v2004-20221111-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 26-11-2022 22:42
Static task: static1
Behavioral task: behavioral1
  Sample: 2df351f2e7e6f1340f81c6431e88fb2b78f2eaefce58763e7bfd5214985aeaaa.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 2df351f2e7e6f1340f81c6431e88fb2b78f2eaefce58763e7bfd5214985aeaaa.exe
  Resource: win10v2004-20221111-en
General
Target: 2df351f2e7e6f1340f81c6431e88fb2b78f2eaefce58763e7bfd5214985aeaaa.exe
Size: 356KB
MD5: 779f561dc93adbf2b40e92ac374f7cf5
SHA1: 562ca1be06ff75f55893fa5472abbf7bb9fa6625
SHA256: 2df351f2e7e6f1340f81c6431e88fb2b78f2eaefce58763e7bfd5214985aeaaa
SHA512: d1a3f889c6f60b49d07519ddc73f9108012c8e4b81a01328ac75400bd10888428fed84c81a32da3ff00644e3149ba8ad4fd9720d2bb4c0819619e9f9f2069501
SSDEEP: 6144:9LM3L6hWtnvqI6vzkGTxapOEBqa5tXc8s:hMbaWtn6vzkYmVjC8s
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: FBautoliker103
C2: 182.191.88.102:5555
Mutex: 246bc91174535f2c90a8931dec64f396
Attributes:
  reg_key: 246bc91174535f2c90a8931dec64f396
  splitter: |'|'|
Signatures

Executes dropped EXE (2 IoCs)
  Processes: server.exe, server.exe
  pid 3356  server.exe
  pid 2168  server.exe

Modifies Windows Firewall (1 TTPs, 1 IoCs)

Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 2df351f2e7e6f1340f81c6431e88fb2b78f2eaefce58763e7bfd5214985aeaaa.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation
    (process: 2df351f2e7e6f1340f81c6431e88fb2b78f2eaefce58763e7bfd5214985aeaaa.exe)

Drops startup file (2 IoCs)
  Processes: server.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\246bc91174535f2c90a8931dec64f396.exe
    (process: server.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\246bc91174535f2c90a8931dec64f396.exe
    (process: server.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: server.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\246bc91174535f2c90a8931dec64f396 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
    (process: server.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\246bc91174535f2c90a8931dec64f396 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
    (process: server.exe)

Suspicious use of SetThreadContext (2 IoCs)
  Processes: 2df351f2e7e6f1340f81c6431e88fb2b78f2eaefce58763e7bfd5214985aeaaa.exe, server.exe
  PID 4880 set thread context of 1308
    (process: 2df351f2e7e6f1340f81c6431e88fb2b78f2eaefce58763e7bfd5214985aeaaa.exe, target: 2df351f2e7e6f1340f81c6431e88fb2b78f2eaefce58763e7bfd5214985aeaaa.exe)
  PID 3356 set thread context of 2168
    (process: server.exe, target: server.exe)

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (27 IoCs)
  Processes: 2df351f2e7e6f1340f81c6431e88fb2b78f2eaefce58763e7bfd5214985aeaaa.exe, server.exe, server.exe
  Token: SeDebugPrivilege            pid 4880  2df351f2e7e6f1340f81c6431e88fb2b78f2eaefce58763e7bfd5214985aeaaa.exe
  Token: SeDebugPrivilege            pid 3356  server.exe
  Token: SeDebugPrivilege            pid 2168  server.exe
  Token: 33                          pid 2168  server.exe  (x12)
  Token: SeIncBasePriorityPrivilege  pid 2168  server.exe  (x12)

Suspicious use of WriteProcessMemory (22 IoCs)
  Processes: 2df351f2e7e6f1340f81c6431e88fb2b78f2eaefce58763e7bfd5214985aeaaa.exe, 2df351f2e7e6f1340f81c6431e88fb2b78f2eaefce58763e7bfd5214985aeaaa.exe, server.exe, server.exe
  PID 4880 wrote to memory of 1308  (2df351f2e7e6f1340f81c6431e88fb2b78f2eaefce58763e7bfd5214985aeaaa.exe -> 2df351f2e7e6f1340f81c6431e88fb2b78f2eaefce58763e7bfd5214985aeaaa.exe)  (x8)
  PID 1308 wrote to memory of 3356  (2df351f2e7e6f1340f81c6431e88fb2b78f2eaefce58763e7bfd5214985aeaaa.exe -> server.exe)  (x3)
  PID 3356 wrote to memory of 2168  (server.exe -> server.exe)  (x8)
  PID 2168 wrote to memory of 3476  (server.exe -> netsh.exe)  (x3)
Processes

1. C:\Users\Admin\AppData\Local\Temp\2df351f2e7e6f1340f81c6431e88fb2b78f2eaefce58763e7bfd5214985aeaaa.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2df351f2e7e6f1340f81c6431e88fb2b78f2eaefce58763e7bfd5214985aeaaa.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\2df351f2e7e6f1340f81c6431e88fb2b78f2eaefce58763e7bfd5214985aeaaa.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\2df351f2e7e6f1340f81c6431e88fb2b78f2eaefce58763e7bfd5214985aeaaa.exe
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\server.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\server.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\server.exe
            - Executes dropped EXE
            - Drops startup file
            - Adds Run key to start application
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\netsh.exe
               Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
               - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\2df351f2e7e6f1340f81c6431e88fb2b78f2eaefce58763e7bfd5214985aeaaa.exe.log
  Filesize: 594B
  MD5: 51ac875eb708e015bc50f2bee1062ca7
  SHA1: c3a32f66deb3272dc6f26443813294c6d156ecf9
  SHA256: 44eb523a35bf63adcf05fd6a67981adf0d427c80d04fe76ce164805d1f4b7518
  SHA512: e394c11bffdfe0ef256a5fa72205a91fd12341ad61b12d1c9858d0702cb7f627e4af888b8c7cfaaceb7356731f101e04c02f7e9d36b2c47a826321cfef953f19

C:\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 356KB
  MD5: 779f561dc93adbf2b40e92ac374f7cf5
  SHA1: 562ca1be06ff75f55893fa5472abbf7bb9fa6625
  SHA256: 2df351f2e7e6f1340f81c6431e88fb2b78f2eaefce58763e7bfd5214985aeaaa
  SHA512: d1a3f889c6f60b49d07519ddc73f9108012c8e4b81a01328ac75400bd10888428fed84c81a32da3ff00644e3149ba8ad4fd9720d2bb4c0819619e9f9f2069501
Memory dumps
  memory/1308-136-0x0000000074EC0000-0x0000000075471000-memory.dmp  Filesize: 5.7MB
  memory/1308-137-0x0000000074EC0000-0x0000000075471000-memory.dmp  Filesize: 5.7MB
  memory/1308-134-0x0000000000400000-0x000000000040C000-memory.dmp  Filesize: 48KB
  memory/1308-133-0x0000000000000000-mapping.dmp
  memory/1308-142-0x0000000074EC0000-0x0000000075471000-memory.dmp  Filesize: 5.7MB
  memory/2168-149-0x0000000074EC0000-0x0000000075471000-memory.dmp  Filesize: 5.7MB
  memory/2168-147-0x0000000074EC0000-0x0000000075471000-memory.dmp  Filesize: 5.7MB
  memory/2168-143-0x0000000000000000-mapping.dmp
  memory/3356-146-0x0000000074EC0000-0x0000000075471000-memory.dmp  Filesize: 5.7MB
  memory/3356-148-0x0000000074EC0000-0x0000000075471000-memory.dmp  Filesize: 5.7MB
  memory/3356-138-0x0000000000000000-mapping.dmp
  memory/3476-150-0x0000000000000000-mapping.dmp
  memory/4880-132-0x0000000074EC0000-0x0000000075471000-memory.dmp  Filesize: 5.7MB
  memory/4880-135-0x0000000074EC0000-0x0000000075471000-memory.dmp  Filesize: 5.7MB