Analysis

max time kernel: 137s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 19:58

Static task: static1

Behavioral task: behavioral1
  Sample: 163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: 163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe
  Resource: win10v2004-20220812-en

The results below are from the win10v2004-20220812-en run (behavioral2), as the platform and resource fields above indicate.
General

Target: 163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe
Size: 320KB
MD5: 4e58b28c75b9b08b0e186092957e2bf0
SHA1: 9352d6772eab4356c1179a64a7654a8fbccd33e0
SHA256: 163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399
SHA512: 1e57bf1f3bdc1f4c83a7dcf30471b3a4b1eb52e5c99795e3b9d2fdbb76c5e3c1ad066ad53917ccc941210f82c10301823f379a52806dcdaa40dfa14a18d4cb92
SSDEEP: 6144:imIPHg6U7zLHeAecv8mRw+BhYsNz+MAiuKAf8bpArz0zmF:im8HP0nHxx8mm+jYsczHK+8bwz06F
Malware Config

Extracted
  Family: njrat
  Version: 0.7d
  Campaign (botnet id): Hack
  C2: 91.236.116.112:1604
  Unlabeled value (identical to reg_key): 16bb9e8a80e81119cd60a1f6a7412350
  reg_key: 16bb9e8a80e81119cd60a1f6a7412350
  splitter: |'|'|

The splitter is the field delimiter njRAT uses between the command name and its arguments in every C2 message, so it is the most stable network indicator in this config; the C2 address and port are the easiest for the operator to change. Note that the Run value the sample actually writes (see Signatures) is named Winlogon, not the extracted reg_key.
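The following is an added example, not part of the Triage report, showing how the extracted splitter and campaign id are used on the wire. It assumes the framing reported in public njRAT 0.7d analyses (ASCII decimal payload length, a NUL byte, then splitter-joined fields) and that the check-in ("ll") message carries base64("campaign_hwid") as its victim id; both are assumptions, and the messages in the block are constructed, not captured traffic.

```python
import base64
from typing import List, Tuple

# Values taken from the extracted config above.
SPLITTER = b"|'|'|"
CAMPAIGN = b"Hack"
VERSION = b"0.7d"

Message = List[bytes]


def frame(fields: List[bytes], splitter: bytes = SPLITTER) -> bytes:
    """Serialise one message: decimal payload length, NUL, then the
    splitter-joined fields (framing as assumed for njRAT 0.7d)."""
    payload = splitter.join(fields)
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_stream(buf: bytes, splitter: bytes = SPLITTER) -> Tuple[List[Message], bytes]:
    """Cut a byte stream into complete messages.

    Returns (messages, remainder); the remainder is any trailing partial
    frame, so the caller can append the next TCP segment and call again.
    """
    messages: List[Message] = []
    while True:
        nul = buf.find(b"\x00")
        if nul < 0:
            return messages, buf
        head = buf[:nul]
        if not head.isdigit() or len(head) > 7:
            raise ValueError(f"malformed length prefix: {head!r}")
        length = int(head)
        body_start = nul + 1
        if len(buf) < body_start + length:
            return messages, buf          # frame not yet complete
        messages.append(buf[body_start:body_start + length].split(splitter))
        buf = buf[body_start + length:]


def registration_identity(msg: Message) -> Tuple[bytes, bytes]:
    """For an 'll' (check-in) message, decode the victim id into
    (campaign, hwid). That the id is base64("campaign_hwid") is an
    assumption from public njRAT analyses, not something this page states."""
    if not msg or msg[0] != b"ll" or len(msg) < 2:
        raise ValueError("not an njRAT registration message")
    campaign, _, hwid = base64.b64decode(msg[1]).partition(b"_")
    return campaign, hwid


def looks_like_njrat(buf: bytes, splitter: bytes = SPLITTER) -> bool:
    """Cheap stream heuristic: well-formed length framing and a short
    alphabetic command followed by splitter-delimited fields."""
    try:
        messages, _ = parse_stream(buf, splitter)
    except ValueError:
        return False
    return bool(messages) and len(messages[0]) > 1 and messages[0][0].isalpha()


# Constructed sample stream: a check-in, a keep-alive, then a partial frame.
VICTIM_ID = base64.b64encode(CAMPAIGN + b"_" + b"0123456789ABCDEF")
CHECKIN = frame([b"ll", VICTIM_ID, b"DESKTOP-1", b"Admin", b"22-11-26", b"",
                 b"Win 10 Pro SP0 x64", b"No", VERSION, b"..", b""])
KEEPALIVE = frame([b"P"])
SAMPLE_STREAM = CHECKIN + KEEPALIVE + b"12\x00partial"

if __name__ == "__main__":
    msgs, rest = parse_stream(SAMPLE_STREAM)
    print(len(msgs), "messages;", len(rest), "bytes pending")
    print(registration_identity(msgs[0]))
```

The parser keeps the unconsumed tail rather than discarding it, which is what a stream reassembler (or a Suricata/Zeek script port of this logic) needs; the heuristic in looks_like_njrat is deliberately splitter-driven so that a change of C2 address does not defeat it.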
Signatures

Executes dropped EXE (4 IoCs)
  Processes:
  - PID 4888  winlogon.exe
  - PID 3340  winlogon.exe
  - PID 2008  winlogon.exe
  - PID 3836  folder.exe

Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  by 163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  by winlogon.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  by winlogon.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe"  by winlogon.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe"  by winlogon.exe
  Both the per-user (HKCU) and the machine-wide (HKLM) Run keys receive a value named Winlogon that points at the copy under the user's AppData\Roaming. The name imitates the legitimate logon process, so a hunt should key on the user-writable target path rather than the value name. The value name also differs from the reg_key in the extracted config.

Suspicious use of SetThreadContext (1 IoC)
  - PID 4888 (winlogon.exe) set thread context of PID 2008 (winlogon.exe)
  With the eight WriteProcessMemory calls from 4888 into 2008 listed below, this is the write-then-set-thread-context sequence characteristic of process hollowing. Per the process tree, 4888 runs from C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (the 320KB copy of the sample) and 2008 from C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe (the 3KB file); the 48KB dumps of 2008's 0x400000-0x40C000 region under Downloads are consistent with an image larger than the 3KB file on disk having been written into that process.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (The second sentence is the sandbox's generic description for this signature, and no IoCs are listed for it. Nothing else in this report indicates ransomware; the sample is identified as njRAT by the extracted config, and njRAT's removable-drive spreading routine is a more plausible reason for enumerating drives.)

NTFS ADS (3 IoCs)
  - File created: C:\Users\Admin\AppData\Local\Temp\163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe:ZONE.identifier  by cmd.exe
  - File created: C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe\:ZONE.identifier:$DATA  by 163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe
  - File opened for modification: C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe:ZONE.identifier  by cmd.exe
  The cmd.exe children in the process tree write "[zoneTransfer]ZoneID = 2" into these streams. ZoneID 2 is the Trusted sites zone; a file carrying it is not treated as an Internet download (ZoneID 3), so the Mark-of-the-Web prompts that would otherwise apply to the dropped copies do not fire.

Suspicious use of WriteProcessMemory (20 IoCs)
  Source PID  Source image                                                               Target PID  Target image   Count
  4824        163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe       4468        cmd.exe        2
  4824        163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe       4888        winlogon.exe   2
  4888        winlogon.exe                                                               4236        cmd.exe        2
  4888        winlogon.exe                                                               3340        winlogon.exe   3
  4888        winlogon.exe                                                               2008        winlogon.exe   8
  2008        winlogon.exe                                                               3836        folder.exe     3
  (Each row collapses the identical "PID <src> wrote to memory of <dst>" entries; the counts sum to the 20 IoCs.)
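The following is an added example, not part of the Triage report, that turns the signature lines above into detection logic: it parses the sandbox's "PID <src> wrote to memory of <dst>" and "set thread context" lines, the Run-key writes, and the cmd.exe Zone.Identifier commands, then flags the hollowing pair, the Run values that point into a user profile, and the Mark-of-the-Web rewrites. The sample input is a subset of this report's own lines (the full report has 20 WriteProcessMemory entries); the line format it parses is the textual one shown on this page, and the regular expressions are this example's own.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Sample input copied from this report's Signatures and Processes sections
# (a subset: the report lists 20 WriteProcessMemory IoCs). Format is the
# sandbox's own: "PID <src> <verb> <dst> <src> <src image> <dst image>".
REPORT_LINES = r'''
PID 4824 wrote to memory of 4468 4824 163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe cmd.exe
PID 4824 wrote to memory of 4888 4824 163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe winlogon.exe
PID 4888 wrote to memory of 3340 4888 winlogon.exe winlogon.exe
PID 4888 wrote to memory of 3340 4888 winlogon.exe winlogon.exe
PID 4888 wrote to memory of 3340 4888 winlogon.exe winlogon.exe
PID 4888 wrote to memory of 2008 4888 winlogon.exe winlogon.exe
PID 4888 wrote to memory of 2008 4888 winlogon.exe winlogon.exe
PID 4888 wrote to memory of 2008 4888 winlogon.exe winlogon.exe
PID 4888 wrote to memory of 2008 4888 winlogon.exe winlogon.exe
PID 4888 set thread context of 2008 4888 winlogon.exe winlogon.exe
PID 2008 wrote to memory of 3836 2008 winlogon.exe folder.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" winlogon.exe
'''.strip().splitlines()

# Command lines of the two cmd.exe children from the Processes section.
CMDLINES = [
    r'"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe":ZONE.identifier & exit',
    r'"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe":ZONE.identifier & exit',
]

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)$")
RUN_RE = re.compile(
    r'^Set value \(str\) (\\REGISTRY\\(?:USER|MACHINE)\\.*?\\CurrentVersion\\Run\\\S+) = "(.*)" (\S+)$')
MOTW_RE = re.compile(r'echo \[zoneTransfer\]ZoneID = (\d) > "([^"]+)":ZONE\.identifier', re.I)

# URLZONE values as Windows writes them into Zone.Identifier streams.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


def parse_events(lines: List[str]) -> List[Dict]:
    """Turn report lines into typed events; unrecognised lines are skipped."""
    events: List[Dict] = []
    for line in lines:
        if m := WRITE_RE.match(line):
            events.append({"kind": "write", "src": int(m[1]), "dst": int(m[2]),
                           "src_img": m[3], "dst_img": m[4]})
        elif m := CTX_RE.match(line):
            events.append({"kind": "set_context", "src": int(m[1]), "dst": int(m[2]),
                           "src_img": m[3], "dst_img": m[4]})
        elif m := RUN_RE.match(line):
            events.append({"kind": "run_key", "key": m[1], "value": m[2], "proc": m[3]})
    return events


def find_hollowing(events: List[Dict]) -> List[Tuple[int, int, int, bool]]:
    """A parent that writes into a child and then sets the child's thread
    context is the WriteProcessMemory + SetThreadContext pattern of process
    hollowing. Returns (src, dst, write count, same image name) per pair."""
    writes = Counter((e["src"], e["dst"]) for e in events if e["kind"] == "write")
    found = [(e["src"], e["dst"], writes[(e["src"], e["dst"])], e["src_img"] == e["dst_img"])
             for e in events if e["kind"] == "set_context"]
    return sorted(set(found))


def find_profile_run_keys(events: List[Dict]) -> List[Tuple[str, str, str]]:
    """Run values whose target lives under a user-writable profile path.
    Returns (hive, target path, writing process)."""
    hits = []
    for e in events:
        if e["kind"] != "run_key":
            continue
        target = e["value"].replace("\\\\", "\\")  # the sandbox export doubles backslashes
        if "\\appdata\\" in target.lower():
            hive = "HKLM" if e["key"].startswith("\\REGISTRY\\MACHINE") else "HKCU"
            hits.append((hive, target, e["proc"]))
    return hits


def motw_rewrites(cmdlines: List[str]) -> List[Tuple[str, int, str]]:
    """Commands that overwrite a file's Zone.Identifier (Mark-of-the-Web).
    Zone 2 (Trusted sites) does not raise the prompts zone 3 (Internet) does."""
    out = []
    for cmd in cmdlines:
        if m := MOTW_RE.search(cmd):
            zone = int(m[1])
            out.append((m[2], zone, ZONE_NAMES.get(zone, "unknown")))
    return out


if __name__ == "__main__":
    ev = parse_events(REPORT_LINES)
    print("hollowing:", find_hollowing(ev))
    print("run keys:", find_profile_run_keys(ev))
    print("MOTW rewrites:", motw_rewrites(CMDLINES))
```

Note what the hollowing check does not flag: 4888 also wrote three times into 3340, but never set its thread context, so that pair is reported as nothing more than a normal child launch. The discriminator is the thread-context write, not the write count.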
Processes

Nesting shows parent/child depth. PIDs are not part of the tree on the page; they are taken from the signature tables above.

C:\Users\Admin\AppData\Local\Temp\163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe  (depth 1; PID 4824)
  Command line: "C:\Users\Admin\AppData\Local\Temp\163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe"
  Signatures: Checks computer location settings; NTFS ADS; Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe  (depth 2; PID 4468)
    Command line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe":ZONE.identifier & exit
    Signatures: NTFS ADS

  C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe  (depth 2; PID 4888)
    Command line: "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
    Signatures: Executes dropped EXE; Checks computer location settings; Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe  (depth 3; PID 4236)
      Command line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe":ZONE.identifier & exit
      Signatures: NTFS ADS

    C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe  (depth 3; PID 3340)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe"
      Signatures: Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe  (depth 3; PID 2008)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe"
      Signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\folder.exe  (depth 4; PID 3836)
        Command line: "C:\Users\Admin\AppData\Local\Temp\folder.exe"
        Signatures: Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

Dropped and observed files. Identical entries are merged: the report lists C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe three times and each of the other two dropped paths twice.

C:\Users\Admin\AppData\Local\Temp\163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe  (the submitted sample)
  Filesize: 320KB
  MD5: 4e58b28c75b9b08b0e186092957e2bf0
  SHA1: 9352d6772eab4356c1179a64a7654a8fbccd33e0
  SHA256: 163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399
  SHA512: 1e57bf1f3bdc1f4c83a7dcf30471b3a4b1eb52e5c99795e3b9d2fdbb76c5e3c1ad066ad53917ccc941210f82c10301823f379a52806dcdaa40dfa14a18d4cb92

C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe  (same size and hashes as the submitted sample, i.e. a self-copy)
  Filesize: 320KB
  MD5: 4e58b28c75b9b08b0e186092957e2bf0
  SHA1: 9352d6772eab4356c1179a64a7654a8fbccd33e0
  SHA256: 163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399
  SHA512: 1e57bf1f3bdc1f4c83a7dcf30471b3a4b1eb52e5c99795e3b9d2fdbb76c5e3c1ad066ad53917ccc941210f82c10301823f379a52806dcdaa40dfa14a18d4cb92

C:\Users\Admin\AppData\Local\Temp\folder.exe
C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe  (both paths hold the same 3KB file; the hashes are identical)
  Filesize: 3KB
  MD5: 0f23e02eee910cca425990e1c2309541
  SHA1: ae625a1f94396f82b8179a95873f8007a3e70604
  SHA256: 9bec436d55d25522e860306343d1617437e2a4fec68b4438282eb60510a7f517
  SHA512: c7c88a84e36b32c1c2e6fe3890748f2857b7b4e96ca6a6d543f610446428f15a5f139be8abc577f8afde503c4c5269b5bf33731433be2ecd06a9da4497fd16ed

Memory dumps (name encodes PID, sequence number and region; sorted by sequence number)

  Dump                                                                       Size
  memory/4824-132-0x00007FFCC24A0000-0x00007FFCC2ED6000-memory.dmp           10.2MB
  memory/4468-133-0x0000000000000000-mapping.dmp                             (mapping)
  memory/4888-135-0x0000000000000000-mapping.dmp                             (mapping)
  memory/4888-138-0x00007FFCC24A0000-0x00007FFCC2ED6000-memory.dmp           10.2MB
  memory/4236-139-0x0000000000000000-mapping.dmp                             (mapping)
  memory/2008-141-0x0000000000400000-0x000000000040C000-memory.dmp           48KB
  memory/2008-142-0x0000000000400000-0x000000000040C000-memory.dmp           48KB
  memory/2008-143-0x0000000000400000-0x000000000040C000-memory.dmp           48KB
  memory/2008-145-0x000000000040747E-mapping.dmp                             (mapping)
  memory/2008-148-0x0000000074F20000-0x00000000754D1000-memory.dmp           5.7MB
  memory/3836-149-0x0000000000000000-mapping.dmp                             (mapping)
  memory/3836-152-0x0000000074F20000-0x00000000754D1000-memory.dmp           5.7MB
  memory/2008-153-0x0000000074F20000-0x00000000754D1000-memory.dmp           5.7MB

The three 48KB dumps of PID 2008's 0x400000-0x40C000 region, taken while 4888 was writing into it and after the SetThreadContext call, are the ones to examine for the injected image: the file that process was started from (C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe) is only 3KB on disk. The 0x40747E mapping dump records where execution in 2008 was pointed.