Analysis
- max time kernel: 182s
- max time network: 355s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-11-2022 14:47
Behavioral task behavioral1
- Sample: NjRat Attacker.exe
- Resource: win7-20220812-en
Behavioral task behavioral2
- Sample: NjRat Attacker.exe
- Resource: win10v2004-20221111-en
General
- Target: NjRat Attacker.exe
- Size: 703KB
- MD5: 9936a450d518824463e30cf007020244
- SHA1: 14a72c0f04982dcda07a45ade15cf27d1b482ffe
- SHA256: 4f8418dc705be19e5d031bf388a698633541b5697f18c935013b011010f840ef
- SHA512: 16d0105bcd008000442ab6b61065e56e6c57e3aafde6231baa712c44510083f467ca07c52deca03c4aa42fa71301f955086bda442ae9fd272fcaa4869d7ec7fc
- SSDEEP: 12288:IwEjZRYiaqpvzSnGIJWDW4+FCOFehumXluwvRZX7jFjVHkoLic:UZeOvzS3JWDW4YC6ZmX3Z3VVV
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 4300, Server.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: NjRat Attacker.exe
  Description: Key value queried
  IoC: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation
  Process: NjRat Attacker.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: NjRat Attacker.exe
  Description: PID 1608 wrote to memory of PID 4300
  Process: NjRat Attacker.exe (PID 1608)
  Target process: Server.exe (PID 4300)
  (The same IoC is reported three times.)
Processes
- (1) "C:\Users\Admin\AppData\Local\Temp\NjRat Attacker.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - (2) "C:\Users\Admin\AppData\Local\Temp\Server.exe" (spawned under process 1)
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  Filesize: 43KB
  MD5: bb803adb69c65916507ce753ad4d2ff3
  SHA1: 120dfd761204de4b337f1565bad87c807ec1da48
  SHA256: 2f40577e93c47b014bdbd0e878e39c585f3263c9f6837627a4b3c3e159169309
  SHA512: 8113319e75a6628c2c2ff160cc4da6d7157ee5d358a92cc7621a92da2bb5eb3c1744ad22982f4b9e55ce15631d151660855077aa6ac89ae01ca6052e620cc5a1
- memory/4300-132-0x0000000000000000-mapping.dmp
- memory/4300-135-0x00000000735A0000-0x0000000073B51000-memory.dmp
  Filesize: 5.7MB
- memory/4300-136-0x00000000735A0000-0x0000000073B51000-memory.dmp
  Filesize: 5.7MB