b5b601f10aa5bd54485c06f1df7633e51c172d7053b9b437fe693ede43b6d8c4

Analysis

max time kernel
182s
max time network
355s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 14:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NjRat Attacker.exe
Size

703KB
MD5

9936a450d518824463e30cf007020244
SHA1

14a72c0f04982dcda07a45ade15cf27d1b482ffe
SHA256

4f8418dc705be19e5d031bf388a698633541b5697f18c935013b011010f840ef
SHA512

16d0105bcd008000442ab6b61065e56e6c57e3aafde6231baa712c44510083f467ca07c52deca03c4aa42fa71301f955086bda442ae9fd272fcaa4869d7ec7fc
SSDEEP

12288:IwEjZRYiaqpvzSnGIJWDW4+FCOFehumXluwvRZX7jFjVHkoLic:UZeOvzS3JWDW4YC6ZmX3Z3VVV

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Server.exe

pid process

4300 Server.exe

pid	process
4300	Server.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

NjRat Attacker.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	NjRat Attacker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

NjRat Attacker.exe

description	pid	process	target process
PID 1608 wrote to memory of 4300	1608	NjRat Attacker.exe	Server.exe
PID 1608 wrote to memory of 4300	1608	NjRat Attacker.exe	Server.exe
PID 1608 wrote to memory of 4300	1608	NjRat Attacker.exe	Server.exe

C:\Users\Admin\AppData\Local\Temp\NjRat Attacker.exe
"C:\Users\Admin\AppData\Local\Temp\NjRat Attacker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1608

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
2⤵
- Executes dropped EXE
PID:4300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
43KB

MD5
bb803adb69c65916507ce753ad4d2ff3

SHA1
120dfd761204de4b337f1565bad87c807ec1da48

SHA256
2f40577e93c47b014bdbd0e878e39c585f3263c9f6837627a4b3c3e159169309

SHA512
8113319e75a6628c2c2ff160cc4da6d7157ee5d358a92cc7621a92da2bb5eb3c1744ad22982f4b9e55ce15631d151660855077aa6ac89ae01ca6052e620cc5a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
43KB

MD5
bb803adb69c65916507ce753ad4d2ff3

SHA1
120dfd761204de4b337f1565bad87c807ec1da48

SHA256
2f40577e93c47b014bdbd0e878e39c585f3263c9f6837627a4b3c3e159169309

SHA512
8113319e75a6628c2c2ff160cc4da6d7157ee5d358a92cc7621a92da2bb5eb3c1744ad22982f4b9e55ce15631d151660855077aa6ac89ae01ca6052e620cc5a1

Download Submit
memory/4300-132-0x0000000000000000-mapping.dmp

Download
memory/4300-135-0x00000000735A0000-0x0000000073B51000-memory.dmp

Filesize
5.7MB

Download
memory/4300-136-0x00000000735A0000-0x0000000073B51000-memory.dmp

Filesize
5.7MB

Download