Analysis

max time kernel: 172s
max time network: 175s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 08:43
Behavioral task: behavioral1
Sample: e23d2c38f9950e240224323130432eb402990c609078ad23820450a3eff0c553.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: e23d2c38f9950e240224323130432eb402990c609078ad23820450a3eff0c553.exe
Resource: win10v2004-20220812-en
General

Target: e23d2c38f9950e240224323130432eb402990c609078ad23820450a3eff0c553.exe
Size: 23KB
MD5: 74780f3763b7d5b363fef25920dbadb9
SHA1: 8c6de60d4b88c9b5157acdd94e50d9495f45ceaf
SHA256: e23d2c38f9950e240224323130432eb402990c609078ad23820450a3eff0c553
SHA512: 132363ced9472520f7a8a6bd7a362ba310a353ea60d108e8a26e8a780e0e47f57ba3f312bf403d9e5d96eaa92170fe254b96c8f7af99f6d8aded6e69780c42e2
SSDEEP: 384:vcqbCK0l4h7o9SVyDGvENuh46/gJkOmMSW38mRvR6JZlbw8hqIusZzZBu:030py6vhxaRpcnuD
Malware Config

Extracted
Family: njrat
Version: 0.7d
Botnet: HacKed
C2: fuzzyhf.duckdns.org:83
Mutex: f5745fbc2df9d21e00fadcaa45b4b04a
Attributes:
  reg_key: f5745fbc2df9d21e00fadcaa45b4b04a
  splitter: |'|'|
Signatures

- Executes dropped EXE (1 IoC)
  Processes:
    pid 1984  msconfig.exe

- Modifies Windows Firewall (1 TTP, 1 IoC)

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  e23d2c38f9950e240224323130432eb402990c609078ad23820450a3eff0c553.exe

- Drops startup file (2 IoCs)
  Processes:
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5745fbc2df9d21e00fadcaa45b4b04a.exe  msconfig.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5745fbc2df9d21e00fadcaa45b4b04a.exe  msconfig.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\f5745fbc2df9d21e00fadcaa45b4b04a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\msconfig.exe\" .."  msconfig.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f5745fbc2df9d21e00fadcaa45b4b04a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\msconfig.exe\" .."  msconfig.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of AdjustPrivilegeToken (27 IoCs)
  Processes (all by pid 1984 msconfig.exe):
    Token: SeDebugPrivilege
    Token: 33, followed by Token: SeIncBasePriorityPrivilege (this pair repeated 13 times)

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    PID 4688 wrote to memory of 1984  e23d2c38f9950e240224323130432eb402990c609078ad23820450a3eff0c553.exe -> msconfig.exe  (3 times)
    PID 1984 wrote to memory of 1772  msconfig.exe -> netsh.exe  (3 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\e23d2c38f9950e240224323130432eb402990c609078ad23820450a3eff0c553.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e23d2c38f9950e240224323130432eb402990c609078ad23820450a3eff0c553.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\msconfig.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\msconfig.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\msconfig.exe" "msconfig.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\msconfig.exe
  Filesize: 23KB
  MD5: 74780f3763b7d5b363fef25920dbadb9
  SHA1: 8c6de60d4b88c9b5157acdd94e50d9495f45ceaf
  SHA256: e23d2c38f9950e240224323130432eb402990c609078ad23820450a3eff0c553
  SHA512: 132363ced9472520f7a8a6bd7a362ba310a353ea60d108e8a26e8a780e0e47f57ba3f312bf403d9e5d96eaa92170fe254b96c8f7af99f6d8aded6e69780c42e2
- memory/1772-139-0x0000000000000000-mapping.dmp
- memory/1984-134-0x0000000000000000-mapping.dmp
- memory/1984-138-0x00000000752E0000-0x0000000075891000-memory.dmp  Filesize: 5.7MB
- memory/1984-140-0x00000000752E0000-0x0000000075891000-memory.dmp  Filesize: 5.7MB
- memory/4688-132-0x00000000752E0000-0x0000000075891000-memory.dmp  Filesize: 5.7MB
- memory/4688-133-0x00000000752E0000-0x0000000075891000-memory.dmp  Filesize: 5.7MB
- memory/4688-137-0x00000000752E0000-0x0000000075891000-memory.dmp  Filesize: 5.7MB