Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-11-2022 16:30
- Static task: static1
- Behavioral task: behavioral1
  - Sample: a4ce06d69cd23436729342c89905819e2a20040e0c661b8a02d4895e45e943c8.exe
  - Resource: win7-20221111-en
- Behavioral task: behavioral2
  - Sample: a4ce06d69cd23436729342c89905819e2a20040e0c661b8a02d4895e45e943c8.exe
  - Resource: win10v2004-20220901-en
General
- Target: a4ce06d69cd23436729342c89905819e2a20040e0c661b8a02d4895e45e943c8.exe
- Size: 156KB
- MD5: 36c57457c2c40668e92081f2dfbebdd2
- SHA1: 7413402da144374be19572798e14efe51e72a1cd
- SHA256: a4ce06d69cd23436729342c89905819e2a20040e0c661b8a02d4895e45e943c8
- SHA512: dab1faf27e8d91b253596d78836bc594a56354af0dbb3530f9fa4cc26194d6f4cfecd16e4911bc4dedf2cee9cf2a9ff38c2ecdc614a08cde7b37fc431fc06b11
- SSDEEP: 3072:Wp9ei9ELN8n4bS8Zl9QJKiFS+RRHlOHdflkRBmolz4wPG:Xi9v4bfL9QJxk+/kFmRf4
Malware Config
Extracted
- Family: njrat
- Version: 0.6.4
- Botnet (campaign id): new1
- C2: yourmain.no-ip.info:1177
- Mutex: 5cd8f17f4086744065eb0992a09e05a2
- Attributes:
  - reg_key: 5cd8f17f4086744065eb0992a09e05a2
  - splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes: pid 3452 sql_support.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: a4ce06d69cd23436729342c89905819e2a20040e0c661b8a02d4895e45e943c8.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (a4ce06d69cd23436729342c89905819e2a20040e0c661b8a02d4895e45e943c8.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: a4ce06d69cd23436729342c89905819e2a20040e0c661b8a02d4895e45e943c8.exe, sql_support.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Update = "C:\\Users\\Admin\\AppData\\Roaming\\MyApps\\chrome.exe" (a4ce06d69cd23436729342c89905819e2a20040e0c661b8a02d4895e45e943c8.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Update = "C:\\Users\\Admin\\AppData\\Roaming\\MyApps\\chrome.exe" (sql_support.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: a4ce06d69cd23436729342c89905819e2a20040e0c661b8a02d4895e45e943c8.exe
  - PID 372 (a4ce06d69cd23436729342c89905819e2a20040e0c661b8a02d4895e45e943c8.exe) set thread context of PID 4612 (RegAsm.exe)
- Drops file in Windows directory (2 IoCs)
  Processes: RegAsm.exe
  - File created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe.tmp (RegAsm.exe)
  - File opened for modification: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe.tmp (RegAsm.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: a4ce06d69cd23436729342c89905819e2a20040e0c661b8a02d4895e45e943c8.exe
  - All 64 entries are pid 372 a4ce06d69cd23436729342c89905819e2a20040e0c661b8a02d4895e45e943c8.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: a4ce06d69cd23436729342c89905819e2a20040e0c661b8a02d4895e45e943c8.exe, RegAsm.exe, sql_support.exe
  - Token: SeDebugPrivilege, pid 372 a4ce06d69cd23436729342c89905819e2a20040e0c661b8a02d4895e45e943c8.exe
  - Token: SeDebugPrivilege, pid 4612 RegAsm.exe
  - Token: SeDebugPrivilege, pid 3452 sql_support.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: a4ce06d69cd23436729342c89905819e2a20040e0c661b8a02d4895e45e943c8.exe, RegAsm.exe
  - PID 372 (a4ce06d69cd23436729342c89905819e2a20040e0c661b8a02d4895e45e943c8.exe) wrote to memory of PID 4612 (RegAsm.exe): 8 entries
  - PID 4612 (RegAsm.exe) wrote to memory of PID 1048 (netsh.exe): 3 entries
  - PID 372 (a4ce06d69cd23436729342c89905819e2a20040e0c661b8a02d4895e45e943c8.exe) wrote to memory of PID 3452 (sql_support.exe): 3 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\a4ce06d69cd23436729342c89905819e2a20040e0c661b8a02d4895e45e943c8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a4ce06d69cd23436729342c89905819e2a20040e0c661b8a02d4895e45e943c8.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE
      - Modifies Windows Firewall
  - C:\Users\Admin\AppData\Local\Temp\sql_support.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\sql_support.exe" -woohoo 4612 C:\Users\Admin\AppData\Local\Temp\chrome.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\sql_support.exe (listed twice in the report)
  - Filesize: 156KB
  - MD5: 36c57457c2c40668e92081f2dfbebdd2
  - SHA1: 7413402da144374be19572798e14efe51e72a1cd
  - SHA256: a4ce06d69cd23436729342c89905819e2a20040e0c661b8a02d4895e45e943c8
  - SHA512: dab1faf27e8d91b253596d78836bc594a56354af0dbb3530f9fa4cc26194d6f4cfecd16e4911bc4dedf2cee9cf2a9ff38c2ecdc614a08cde7b37fc431fc06b11
- C:\Users\Admin\AppData\Roaming\MyApps\chrome.exe
  - Filesize: 156KB
  - MD5: 36c57457c2c40668e92081f2dfbebdd2
  - SHA1: 7413402da144374be19572798e14efe51e72a1cd
  - SHA256: a4ce06d69cd23436729342c89905819e2a20040e0c661b8a02d4895e45e943c8
  - SHA512: dab1faf27e8d91b253596d78836bc594a56354af0dbb3530f9fa4cc26194d6f4cfecd16e4911bc4dedf2cee9cf2a9ff38c2ecdc614a08cde7b37fc431fc06b11
- Memory dumps
  - memory/372-132-0x0000000074D40000-0x00000000752F1000-memory.dmp: 5.7MB
  - memory/372-144-0x0000000074D40000-0x00000000752F1000-memory.dmp: 5.7MB
  - memory/1048-138-0x0000000000000000-mapping.dmp
  - memory/3452-143-0x0000000074D40000-0x00000000752F1000-memory.dmp: 5.7MB
  - memory/3452-147-0x0000000074D40000-0x00000000752F1000-memory.dmp: 5.7MB
  - memory/3452-139-0x0000000000000000-mapping.dmp
  - memory/4612-135-0x0000000000400000-0x000000000040E000-memory.dmp: 56KB
  - memory/4612-142-0x0000000074D40000-0x00000000752F1000-memory.dmp: 5.7MB
  - memory/4612-136-0x0000000000400000-0x000000000040E000-memory.dmp: 56KB
  - memory/4612-134-0x0000000000400000-0x000000000040E000-memory.dmp: 56KB
  - memory/4612-146-0x0000000074D40000-0x00000000752F1000-memory.dmp: 5.7MB
  - memory/4612-133-0x0000000000000000-mapping.dmp