Analysis
-
max time kernel
151s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
26-11-2022 08:42
Behavioral task
behavioral1
Sample
f02c84e2280759e7a2a5e707582611e1ea7b28597ebdfc39b0cb23363d00b09e.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
f02c84e2280759e7a2a5e707582611e1ea7b28597ebdfc39b0cb23363d00b09e.exe
Resource
win10v2004-20220812-en
General
-
Target
f02c84e2280759e7a2a5e707582611e1ea7b28597ebdfc39b0cb23363d00b09e.exe
-
Size
23KB
-
MD5
20919f85bf91c4683bd92871ecb89d2e
-
SHA1
f03ca16c1e9cc3ee54ae874d05e3c69d36e978f3
-
SHA256
f02c84e2280759e7a2a5e707582611e1ea7b28597ebdfc39b0cb23363d00b09e
-
SHA512
bd167942f2a05a5ff8985ed3ae09723982ba60457e75cd8309bca6b9a736836baf3ed36378bebd1ced36988e1809334aa2c86b057bf10a8f6ec7dc953223d0dc
-
SSDEEP
384:bluBPiZCMfdfSJrQbsLRGSIxYVL46pg/i8BD9BmRvR6JZlbw8hqIusZzZlkU:kOmhtIiRpcnuo
Malware Config
Extracted
njrat
0.7d
HacKed
ms-punisher.no.-ip.org:5552
b891e7c3d69da1f506442cc213b2a72b
-
reg_key
b891e7c3d69da1f506442cc213b2a72b
-
splitter
|'|'|
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
server.exepid process 4904 server.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
f02c84e2280759e7a2a5e707582611e1ea7b28597ebdfc39b0cb23363d00b09e.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation f02c84e2280759e7a2a5e707582611e1ea7b28597ebdfc39b0cb23363d00b09e.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
server.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b891e7c3d69da1f506442cc213b2a72b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b891e7c3d69da1f506442cc213b2a72b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 29 IoCs
Processes:
server.exedescription pid process Token: SeDebugPrivilege 4904 server.exe Token: 33 4904 server.exe Token: SeIncBasePriorityPrivilege 4904 server.exe Token: 33 4904 server.exe Token: SeIncBasePriorityPrivilege 4904 server.exe Token: 33 4904 server.exe Token: SeIncBasePriorityPrivilege 4904 server.exe Token: 33 4904 server.exe Token: SeIncBasePriorityPrivilege 4904 server.exe Token: 33 4904 server.exe Token: SeIncBasePriorityPrivilege 4904 server.exe Token: 33 4904 server.exe Token: SeIncBasePriorityPrivilege 4904 server.exe Token: 33 4904 server.exe Token: SeIncBasePriorityPrivilege 4904 server.exe Token: 33 4904 server.exe Token: SeIncBasePriorityPrivilege 4904 server.exe Token: 33 4904 server.exe Token: SeIncBasePriorityPrivilege 4904 server.exe Token: 33 4904 server.exe Token: SeIncBasePriorityPrivilege 4904 server.exe Token: 33 4904 server.exe Token: SeIncBasePriorityPrivilege 4904 server.exe Token: 33 4904 server.exe Token: SeIncBasePriorityPrivilege 4904 server.exe Token: 33 4904 server.exe Token: SeIncBasePriorityPrivilege 4904 server.exe Token: 33 4904 server.exe Token: SeIncBasePriorityPrivilege 4904 server.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
f02c84e2280759e7a2a5e707582611e1ea7b28597ebdfc39b0cb23363d00b09e.exeserver.exedescription pid process target process PID 2472 wrote to memory of 4904 2472 f02c84e2280759e7a2a5e707582611e1ea7b28597ebdfc39b0cb23363d00b09e.exe server.exe PID 2472 wrote to memory of 4904 2472 f02c84e2280759e7a2a5e707582611e1ea7b28597ebdfc39b0cb23363d00b09e.exe server.exe PID 2472 wrote to memory of 4904 2472 f02c84e2280759e7a2a5e707582611e1ea7b28597ebdfc39b0cb23363d00b09e.exe server.exe PID 4904 wrote to memory of 1484 4904 server.exe netsh.exe PID 4904 wrote to memory of 1484 4904 server.exe netsh.exe PID 4904 wrote to memory of 1484 4904 server.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f02c84e2280759e7a2a5e707582611e1ea7b28597ebdfc39b0cb23363d00b09e.exe"C:\Users\Admin\AppData\Local\Temp\f02c84e2280759e7a2a5e707582611e1ea7b28597ebdfc39b0cb23363d00b09e.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4904 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
PID:1484
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23KB
MD520919f85bf91c4683bd92871ecb89d2e
SHA1f03ca16c1e9cc3ee54ae874d05e3c69d36e978f3
SHA256f02c84e2280759e7a2a5e707582611e1ea7b28597ebdfc39b0cb23363d00b09e
SHA512bd167942f2a05a5ff8985ed3ae09723982ba60457e75cd8309bca6b9a736836baf3ed36378bebd1ced36988e1809334aa2c86b057bf10a8f6ec7dc953223d0dc
-
Filesize
23KB
MD520919f85bf91c4683bd92871ecb89d2e
SHA1f03ca16c1e9cc3ee54ae874d05e3c69d36e978f3
SHA256f02c84e2280759e7a2a5e707582611e1ea7b28597ebdfc39b0cb23363d00b09e
SHA512bd167942f2a05a5ff8985ed3ae09723982ba60457e75cd8309bca6b9a736836baf3ed36378bebd1ced36988e1809334aa2c86b057bf10a8f6ec7dc953223d0dc