Analysis
- max time kernel: 176s
- max time network: 183s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-11-2022 16:57
Behavioral task behavioral1
- Sample: onling.exe
- Resource: win7-20220812-en
Behavioral task behavioral2
- Sample: onling.exe
- Resource: win10v2004-20220812-en
The results on this page are from the behavioral2 run (win10v2004-20220812-en, the resource named under Analysis above).
General
- Target: onling.exe
- Size: 23KB
- MD5: e49ba092469c2d5813bdf3259050f977
- SHA1: 1d65cb5388cfc4ae2f91531e8dcb3b1caa598076
- SHA256: 8eb3eb1266c7ec59095e1391ec473eda426303e773ff4f595d9a5e2affb37d3a
- SHA512: 5463a3704d9339db4a2c7fe2d77000eb1c37a35ecb8fcca2ce89fede49e7390af93a00c306c177bb76cbe4d06ab212009605d38e3f8cc3546eb3057220b81a14
- SSDEEP: 384:4+n2650N3qZbATcjRGC5Eo9D46BgnqUhay1ZmRvR6JZlbw8hqIusZzZNc:nm+71d5XRpcnu5
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Campaign ID: dofus
- C2: volkov2014.ddns.net:123
- Identifier: 3634b8c969047b1aa244e63e9c21a96a (reused as the Run value name, see Signatures below)
- reg_key: 3634b8c969047b1aa244e63e9c21a96a
- splitter: |'|'|
Notes for the responder: the C2 is a dynamic-DNS host, so block and hunt on the name rather than on whatever address it resolved to at the time of analysis. njRAT talks TCP, so the beacon goes to 123/tcp; do not let the port number be mistaken for NTP (123/udp) when reviewing flow data. The splitter string is the field delimiter inside C2 messages and is a usable network signature in its own right.
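As an added example (not code from the report, from the sandbox, or from the malware), the following parser shows how the splitter from the extracted config is used to pull fields out of captured C2 traffic. Only the splitter and the C2 endpoint come from the page; the "decimal length, NUL, payload" framing, the command names ("ll", "inf") and the field order of the constructed sample beacon are assumptions made for this example, and the sample bytes are constructed, not captured.

```python
"""Framing and field parsing for njRAT-style C2 traffic.

Added example, not code from the sandbox report or from the malware. Only the
splitter |'|'| and the C2 endpoint come from the extracted config above; the
"<decimal length>\\0<payload>" framing, the command names and the field order
of the sample beacon are assumptions made for this example.
"""
from __future__ import annotations

SPLITTER = "|'|'|"                               # from the extracted config
C2_HOST, C2_PORT = "volkov2014.ddns.net", 123    # from the extracted config


def frame(fields: list[str]) -> bytes:
    """Encode one message: fields joined by SPLITTER, prefixed by the payload's
    decimal length and a NUL byte (assumed framing)."""
    payload = SPLITTER.join(fields).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_messages(stream: bytes) -> tuple[list[list[str]], bytes]:
    """Split a captured TCP byte stream into messages.

    Returns (messages, leftover). 'leftover' is a trailing partial frame that
    should be prepended to the next read. Bytes that do not look like a frame
    header (digits then NUL) are skipped one at a time, so a capture that
    starts mid-stream resynchronises instead of raising.
    """
    messages: list[list[str]] = []
    i = 0
    while i < len(stream):
        j = i
        while j < len(stream) and 0x30 <= stream[j] <= 0x39:   # decimal length digits
            j += 1
        if j == i:                      # no digits here: not a header, resync
            i += 1
            continue
        if j == len(stream):            # digits run to the end: incomplete header
            return messages, stream[i:]
        if stream[j] != 0:              # digits not followed by NUL: not a header
            i += 1
            continue
        length = int(stream[i:j])
        start, end = j + 1, j + 1 + length
        if end > len(stream):           # incomplete payload: wait for more data
            return messages, stream[i:]
        messages.append(stream[start:end].decode("utf-8", "replace").split(SPLITTER))
        i = end
    return messages, b""


def splitter_hits(stream: bytes) -> int:
    """Count occurrences of the splitter: a cheap network signature for this
    family that does not depend on the framing assumption above."""
    return stream.count(SPLITTER.encode("ascii"))


# Constructed sample: two beacons from an infected host, preceded by junk and
# followed by a truncated third frame, as a mid-stream capture might look.
SAMPLE_STREAM = (
    b"\x00\xff"
    + frame(["ll", "dofus", "DESKTOP-EXAMPLE", "Admin", "0.7d"])
    + frame(["inf", "3634b8c969047b1aa244e63e9c21a96a"])
    + b"40\x00inf" + SPLITTER.encode("ascii")    # third frame cut off by the capture
)

if __name__ == "__main__":
    msgs, rest = parse_messages(SAMPLE_STREAM)
    for m in msgs:
        print(m)
    print("leftover bytes:", rest)
    print("splitter hits:", splitter_hits(SAMPLE_STREAM))
```

The two functions are deliberately independent: if the framing assumption turns out to be wrong for a given build, `splitter_hits` still works on raw payload bytes, and `parse_messages` only ever scans junk byte by byte, never the inside of a frame it has already sized.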
Signatures
- Executes dropped EXE (1 IoC)
  Process: server.exe, PID 4692
- Modifies Windows Firewall (1 TTP, 1 IoC)
  The IoC is the netsh.exe command line shown in the process tree below.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Process: onling.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: server.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3634b8c969047b1aa244e63e9c21a96a = "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\3634b8c969047b1aa244e63e9c21a96a = "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
  The value name is the identifier from the extracted config and the data carries a trailing " .." argument after the quoted path; both are good pivots for registry hunting. The HKLM copy lands under WOW6432Node because server.exe is a 32-bit process on a 64-bit host (WOW64 registry redirection); the same WOW64 layer is why the netsh.exe it spawns comes from SysWOW64.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature adds "likely ransomware behaviour"; for this sample, which the extracted config identifies as njRAT, drive enumeration fits the family's copying of itself to removable drives rather than file encryption, and the only file write recorded in this report is the dropped server.exe.
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Process: server.exe, PID 4692
  SeDebugPrivilege once, then privilege LUID 33 and SeIncBasePriorityPrivilege alternately, nine times each. LUID 33 is SeIncWorkingSetPrivilege (SE_INC_WORKING_SET_PRIVILEGE in winnt.h); the sandbox left it unresolved.
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1152 (onling.exe) wrote to memory of PID 4692 (server.exe), three times
  PID 4692 (server.exe) wrote to memory of PID 4616 (netsh.exe), three times
  The same three-write pattern appears for every parent/child pair in the tree and only towards freshly created children, so on its own it corroborates the process tree; the report shows no writes into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\onling.exe (PID 1152)
  command line: "C:\Users\Admin\AppData\Local\Temp\onling.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\server.exe (PID 4692, child of 1152)
    command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\netsh.exe (PID 4616, child of 4692)
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      - Modifies Windows Firewall
The firewall command uses the legacy "netsh firewall" context rather than "netsh advfirewall"; it is deprecated but still accepted on Windows 10, which is why older njRAT builds keep using it. The exception is for an executable under the user's Temp directory, a combination that is almost never legitimate.
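As an added example (my code, not part of the report), the chain above can be turned into triage rules that run over process and registry events: a firewall exception requested for, or by, a Temp-resident executable; a Temp-resident process spawned by another Temp-resident process; and a Run value whose data points into Temp or ends in the " .." argument seen here. The rule for netsh goes slightly beyond the page and also matches the "netsh advfirewall firewall add rule" form. The event records are constructed by hand from the process tree and the two Run-key writes above; the kind/pid/ppid/image/detail layout is my own and not the sandbox's export format.

```python
"""Triage rules for the njRAT persistence chain seen in this report.

Added example, not part of the sandbox report. The event records are
constructed from the process tree and the two Run-key writes above; the
field layout (kind/pid/ppid/image/detail) is my own, not the sandbox's format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str    # "process" (detail = command line) or "registry" (detail = "key = data")
    pid: int
    ppid: int    # 0 for registry events
    image: str   # full path of the acting process
    detail: str


# user-writable staging directory used by both the dropper and the dropped copy
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# firewall-exception one-liner: legacy 'netsh firewall' context and the advfirewall form
NETSH_ALLOW_RE = re.compile(
    r"netsh(?:\.exe)?\s+(?:advfirewall\s+firewall\s+add\s+rule|firewall\s+add\s+allowedprogram)", re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
QUOTED_EXE_RE = re.compile(r'"([^"]+\.exe)"', re.I)


def triage(events: list[Event]) -> list[str]:
    """Return one finding per suspicious event; an empty list means nothing was flagged."""
    findings: list[str] = []
    by_pid = {e.pid: e for e in events if e.kind == "process"}
    for e in events:
        if e.kind == "process":
            if NETSH_ALLOW_RE.search(e.detail):
                path = QUOTED_EXE_RE.search(e.detail)
                target = path.group(1) if path else "?"
                parent = by_pid.get(e.ppid)
                # flag if the allowed program or the requesting parent lives in Temp
                if TEMP_RE.search(target) or (parent is not None and TEMP_RE.search(parent.image)):
                    findings.append(f"pid {e.pid}: firewall exception for {target} requested by "
                                    f"{parent.image if parent else 'unknown parent'}")
            parent = by_pid.get(e.ppid)
            if TEMP_RE.search(e.image) and parent is not None and TEMP_RE.search(parent.image):
                findings.append(f"pid {e.pid}: Temp-resident executable spawned by "
                                f"Temp-resident parent {parent.image}")
        elif e.kind == "registry" and RUN_KEY_RE.search(e.detail):
            key, _, data = e.detail.partition(" = ")
            if "\\WOW6432Node\\" in key:
                scope = "HKLM (32-bit view)"
            elif key.startswith("\\REGISTRY\\MACHINE"):
                scope = "HKLM"
            else:
                scope = "HKCU"
            reasons = []
            if TEMP_RE.search(data):
                reasons.append("points into Temp")
            if data.endswith(" .."):
                reasons.append("trailing ' ..' argument")
            if reasons:
                findings.append(f"pid {e.pid}: {scope} Run value written by {e.image}: "
                                + ", ".join(reasons))
    return findings


# Constructed from the report's process tree and registry IoCs (not a sandbox export).
T = r"C:\Users\Admin\AppData\Local\Temp"
SID = r"\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000"
EVENTS = [
    Event("process", 1152, 0, fr"{T}\onling.exe", f'"{T}\\onling.exe"'),
    Event("process", 4692, 1152, fr"{T}\server.exe", f'"{T}\\server.exe"'),
    Event("registry", 4692, 0, fr"{T}\server.exe",
          fr'{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3634b8c969047b1aa244e63e9c21a96a = "{T}\server.exe" ..'),
    Event("registry", 4692, 0, fr"{T}\server.exe",
          fr'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\3634b8c969047b1aa244e63e9c21a96a = "{T}\server.exe" ..'),
    Event("process", 4616, 4692, r"C:\Windows\SysWOW64\netsh.exe",
          f'netsh firewall add allowedprogram "{T}\\server.exe" "server.exe" ENABLE'),
]

if __name__ == "__main__":
    for line in triage(EVENTS):
        print(line)
```

The Run-key rule keys on the data, not the value name: the name here is a per-build identifier and will differ between samples, while "executable under Temp" and the trailing " .." argument are stable across this family. The netsh rule also looks at the requesting parent so that a SysWOW64 or System32 netsh.exe launched by a Temp-resident process is still caught when the allowed path is obfuscated.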
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 23KB
  MD5: e49ba092469c2d5813bdf3259050f977
  SHA1: 1d65cb5388cfc4ae2f91531e8dcb3b1caa598076
  SHA256: 8eb3eb1266c7ec59095e1391ec473eda426303e773ff4f595d9a5e2affb37d3a
  SHA512: 5463a3704d9339db4a2c7fe2d77000eb1c37a35ecb8fcca2ce89fede49e7390af93a00c306c177bb76cbe4d06ab212009605d38e3f8cc3546eb3057220b81a14
  These hashes are identical to those of the submitted onling.exe, so the dropped server.exe is a byte-for-byte copy of the sample written to Temp and re-executed from there; one set of hashes covers both files for blocking and hunting.
- memory/1152-132-0x0000000075010000-0x00000000755C1000-memory.dmp, 5.7MB
- memory/1152-133-0x0000000075010000-0x00000000755C1000-memory.dmp, 5.7MB
- memory/1152-137-0x0000000075010000-0x00000000755C1000-memory.dmp, 5.7MB
- memory/4616-139-0x0000000000000000-mapping.dmp
- memory/4692-134-0x0000000000000000-mapping.dmp
- memory/4692-138-0x0000000075010000-0x00000000755C1000-memory.dmp, 5.7MB
- memory/4692-140-0x0000000075010000-0x00000000755C1000-memory.dmp, 5.7MB
  The same 0x75010000-0x755C1000 range is dumped from both PID 1152 and PID 4692, which is consistent with one shared image mapped at the same base in both processes; the report does not name the module.