Analysis

max time kernel: 359s
max time network: 361s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 08:42
Behavioral task: behavioral1
Sample: 4f0c69afb14d1768b1c74555267239dbaebe00a48fd68c890f093444f4b6e41e.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 4f0c69afb14d1768b1c74555267239dbaebe00a48fd68c890f093444f4b6e41e.exe
Resource: win10v2004-20221111-en
General

Target: 4f0c69afb14d1768b1c74555267239dbaebe00a48fd68c890f093444f4b6e41e.exe
Size: 23KB
MD5: b14754884befd3597f7975b9d9a5bc5b
SHA1: 4d437d94a9c5c5e2a52aedb004970d4872c995f3
SHA256: 4f0c69afb14d1768b1c74555267239dbaebe00a48fd68c890f093444f4b6e41e
SHA512: 2b0ca7e45382db30c850f4cc84964979d6709a1cb86f4e2353b50721d49fcc93975c0bd7168dea2eab424a1d73a60a2b0b03eb1e17644447b41c4c8925398a78
SSDEEP: 384:2weXCQIreJig/8Z7SS1fEBbng6ZgL2IBPZVmRvR6JZlbw8hqIusZzZrc:hLq411URpcnun
Malware Config

Extracted
Family: njrat
Version: 0.7d
Botnet: HacKed
C2: abatata.ddns.net:5552
Mutex: e7d031ada337226244d99c1bac494695
Attributes:
  reg_key: e7d031ada337226244d99c1bac494695
  splitter: |'|'|
Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid 3748  server.exe

Modifies Windows Firewall (1 TTP, 1 IoC)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  4f0c69afb14d1768b1c74555267239dbaebe00a48fd68c890f093444f4b6e41e.exe: key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  server.exe: set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e7d031ada337226244d99c1bac494695 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
  server.exe: set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\e7d031ada337226244d99c1bac494695 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (6 IoCs)
Processes (description / pid / process / target process):
  PID 1980 wrote to memory of 3748 / 1980 / 4f0c69afb14d1768b1c74555267239dbaebe00a48fd68c890f093444f4b6e41e.exe / server.exe
  PID 1980 wrote to memory of 3748 / 1980 / 4f0c69afb14d1768b1c74555267239dbaebe00a48fd68c890f093444f4b6e41e.exe / server.exe
  PID 1980 wrote to memory of 3748 / 1980 / 4f0c69afb14d1768b1c74555267239dbaebe00a48fd68c890f093444f4b6e41e.exe / server.exe
  PID 3748 wrote to memory of 2296 / 3748 / server.exe / netsh.exe
  PID 3748 wrote to memory of 2296 / 3748 / server.exe / netsh.exe
  PID 3748 wrote to memory of 2296 / 3748 / server.exe / netsh.exe
Processes

C:\Users\Admin\AppData\Local\Temp\4f0c69afb14d1768b1c74555267239dbaebe00a48fd68c890f093444f4b6e41e.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\4f0c69afb14d1768b1c74555267239dbaebe00a48fd68c890f093444f4b6e41e.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\server.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize: 23KB
MD5: b14754884befd3597f7975b9d9a5bc5b
SHA1: 4d437d94a9c5c5e2a52aedb004970d4872c995f3
SHA256: 4f0c69afb14d1768b1c74555267239dbaebe00a48fd68c890f093444f4b6e41e
SHA512: 2b0ca7e45382db30c850f4cc84964979d6709a1cb86f4e2353b50721d49fcc93975c0bd7168dea2eab424a1d73a60a2b0b03eb1e17644447b41c4c8925398a78

Memory dumps:
  memory/1980-132-0x00000000749F0000-0x0000000074FA1000-memory.dmp  Filesize: 5.7MB
  memory/1980-133-0x00000000749F0000-0x0000000074FA1000-memory.dmp  Filesize: 5.7MB
  memory/1980-137-0x00000000749F0000-0x0000000074FA1000-memory.dmp  Filesize: 5.7MB
  memory/2296-140-0x0000000000000000-mapping.dmp
  memory/3748-134-0x0000000000000000-mapping.dmp
  memory/3748-138-0x00000000749F0000-0x0000000074FA1000-memory.dmp  Filesize: 5.7MB
  memory/3748-139-0x00000000749F0000-0x0000000074FA1000-memory.dmp  Filesize: 5.7MB