Analysis

max time kernel: 151s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-11-2022 19:16
Behavioral task behavioral1
Sample: cbaef05f8225ce70a6103129c69ed19c1a3af6fd1136c43e435603be4aa4238e.exe
Resource: win7-20220901-en

Behavioral task behavioral2
Sample: cbaef05f8225ce70a6103129c69ed19c1a3af6fd1136c43e435603be4aa4238e.exe
Resource: win10v2004-20220812-en

The signatures, process tree and dumps on this page come from behavioral2 (the windows10-2004_x64 platform listed above).
General

Target: cbaef05f8225ce70a6103129c69ed19c1a3af6fd1136c43e435603be4aa4238e.exe
Size: 23KB
MD5: 1b5d01ad390e8ca90fc4708a21f1b846
SHA1: 88a27e59b8ec194d96a6d5f947a888310f95bbe8
SHA256: cbaef05f8225ce70a6103129c69ed19c1a3af6fd1136c43e435603be4aa4238e
SHA512: 9fd898d36ea7630c31f470b07f97d3fd5f4b0ff8bf870fb7debea0df1dfe6b6ffe751cebdbc9283cfd33b2f9330066d6973c460b4aa9f9c5364a04c345e52586
SSDEEP: 384:PluBPiZCMfdfSJrQbsLRGSIxYeL46Dg/i8BD9BmRvR6JZlbw8hqIusZzZiZ:4OmhtItRpcnuF
Malware Config

Extracted
Family: njrat
Version: 0.7d
Botnet: HacKed
C2: bodylol2.no-ip.biz:1177
Mutex: 42de0ab5567f78f85e9d2682d65bbf19
reg_key: 42de0ab5567f78f85e9d2682d65bbf19
splitter: |'|'|

"HacKed" is njRAT's default campaign name. The 32-hex-character identifier is reused throughout the behaviour below: it names the Run registry value and the Startup-folder copy of the payload. The splitter is the field separator njRAT uses in its C2 messages, and the C2 is a dynamic-DNS (no-ip.biz) host on TCP 1177, njRAT's default port.
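Two network detections that follow directly from the extracted config, written as added example Suricata rules (they are not part of this report). They assume Suricata 5+ keyword syntax (`dns.query`, `endswith`), use placeholder local SIDs, and rely on njRAT 0.7d's check-in being plaintext TCP so the splitter appears on the wire; this report's Network section captured nothing, so the traffic itself is not confirmed here.

```suricata
# Added example rules (not from the sandbox report). sid values are placeholders.

# Resolution of the configured C2 host. Dynamic-DNS domains are cheap to rotate,
# so also consider alerting on the parent domain in your own environment.
alert dns $HOME_NET any -> any any (msg:"njRAT C2 domain lookup (bodylol2.no-ip.biz)"; dns.query; content:"bodylol2.no-ip.biz"; nocase; endswith; classtype:trojan-activity; sid:1000001; rev:1;)

# Default njRAT field splitter |'|'| (0x7c 0x27 0x7c 0x27 0x7c) sent client-to-server
# on the configured port. Drop the port constraint to catch other builds.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1177 (msg:"njRAT 0.7d check-in, splitter |'|'| to port 1177"; flow:established,to_server; content:"|7c 27 7c 27 7c|"; classtype:trojan-activity; sid:1000002; rev:1;)
```

The splitter is a default shared by many njRAT builds, so the second rule is a family-level signature rather than one tied to this sample; the first is tied to this sample's C2 only.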
Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid 2164  System.exe

Modifies Windows Firewall (1 TTP, 1 IoC)
No process table was captured for this signature; the triggering command line is the netsh.exe entry in the process tree.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  cbaef05f8225ce70a6103129c69ed19c1a3af6fd1136c43e435603be4aa4238e.exe: Key value queried, ioc \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation

Drops startup file (2 IoCs)
Processes:
  System.exe: File created, ioc C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\42de0ab5567f78f85e9d2682d65bbf19.exe
  System.exe: File opened for modification, ioc C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\42de0ab5567f78f85e9d2682d65bbf19.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  System.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\42de0ab5567f78f85e9d2682d65bbf19 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.exe\" .."
  System.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\42de0ab5567f78f85e9d2682d65bbf19 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.exe\" .."
The value name and the Startup-folder file name are both the reg_key from the extracted config, so the payload persists twice (per-user Run key, machine Run key, plus the Startup folder copy). The HKLM write lands under WOW6432Node because System.exe is a 32-bit process on x64 (its child netsh.exe runs from SysWOW64). The trailing " .." argument in the Run value is the form njRAT uses for its autostart entry.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The "likely ransomware behaviour" wording is the sandbox's generic description for this signature; nothing in this report shows files being encrypted, and the sample is an njRAT build, so read this as drive enumeration by a RAT rather than as ransomware activity.

Suspicious use of AdjustPrivilegeToken (27 IoCs)
Processes (all pid 2164, System.exe):
  Token: SeDebugPrivilege  x1
  Token: 33  x13
  Token: SeIncBasePriorityPrivilege  x13

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  PID 4664 (cbaef05f8225ce70a6103129c69ed19c1a3af6fd1136c43e435603be4aa4238e.exe) wrote to memory of 2164 (System.exe)  x3
  PID 2164 (System.exe) wrote to memory of 3060 (netsh.exe)  x3
Both are parent-to-child writes into a process the parent has just created, which is the normal CreateProcess pattern; on their own they do not show injection into a foreign process.
Processes

1. C:\Users\Admin\AppData\Local\Temp\cbaef05f8225ce70a6103129c69ed19c1a3af6fd1136c43e435603be4aa4238e.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\cbaef05f8225ce70a6103129c69ed19c1a3af6fd1136c43e435603be4aa4238e.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\System.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\System.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe
         command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\System.exe" "System.exe" ENABLE
         - Modifies Windows Firewall
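The persistence and firewall-tampering behaviours in the signatures and process tree above map cleanly onto three Sysmon event types (1 process create, 11 file create, 13 registry value set). The following is an added hunting example, not part of the sandbox report: it runs four detection rules over constructed, simplified event dicts that mirror this report's IoCs (field names follow Sysmon's, but the dicts are not real Sysmon output). Two rules are generic (Run value pointing into %TEMP%, `netsh` allow rule) and two are tied to this sample (the extracted reg_key as Run value name, an .exe landing in the Startup folder); the benign OneDrive event is a constructed control that must not fire.

```python
import re
from dataclasses import dataclass

# Victim id from the report's extracted njRAT config; reused by the sample as
# the Run value name and as the file name of the Startup-folder copy.
NJRAT_REG_KEY = "42de0ab5567f78f85e9d2682d65bbf19"

RUN_KEY_RE = re.compile(
    r"\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_DIR_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# Legacy "netsh firewall add allowedprogram" (what this sample runs; the context is
# deprecated but still accepted on Windows 10) and the advfirewall equivalent.
NETSH_ALLOW_RE = re.compile(
    r"\bnetsh(?:\.exe)?\s+(?:firewall\s+add\s+allowedprogram\b"
    r"|advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b)", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def hunt(events, reg_key=NJRAT_REG_KEY):
    """Return one Finding per (rule, event) match over Sysmon-style event dicts."""
    findings = []
    for ev in events:
        eid, pid = ev["EventID"], ev["ProcessId"]
        if eid == 13:  # registry value set
            target, details = ev["TargetObject"], ev.get("Details", "")
            if RUN_KEY_RE.search(target):
                # Generic: an autorun whose command lives in %TEMP% is rarely legitimate.
                if TEMP_DIR_RE.search(details):
                    findings.append(Finding("run_key_points_to_temp", pid, target))
                # Sample-specific: value name equals the extracted njRAT reg_key.
                if target.lower().endswith("\\" + reg_key.lower()):
                    findings.append(Finding("njrat_reg_key_run_value", pid, target))
        elif eid == 11:  # file create
            path = ev["TargetFilename"]
            if STARTUP_DIR_RE.search(path) and path.lower().endswith(".exe"):
                findings.append(Finding("exe_dropped_in_startup", pid, path))
        elif eid == 1:  # process create
            if NETSH_ALLOW_RE.search(ev.get("CommandLine", "")):
                findings.append(Finding("netsh_firewall_allow", pid, ev["CommandLine"]))
    return findings


# Constructed events mirroring the report's IoCs; not real Sysmon output.
SAMPLE_EVENTS = [
    {"EventID": 13, "ProcessId": 2164,
     "TargetObject": r"HKU\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\42de0ab5567f78f85e9d2682d65bbf19",
     "Details": r'"C:\Users\Admin\AppData\Local\Temp\System.exe" ..'},
    {"EventID": 13, "ProcessId": 2164,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\42de0ab5567f78f85e9d2682d65bbf19",
     "Details": r'"C:\Users\Admin\AppData\Local\Temp\System.exe" ..'},
    {"EventID": 11, "ProcessId": 2164,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\42de0ab5567f78f85e9d2682d65bbf19.exe"},
    {"EventID": 1, "ProcessId": 3060,
     "CommandLine": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\System.exe" "System.exe" ENABLE'},
    # Constructed benign control: a Run value that does not point into %TEMP%.
    {"EventID": 13, "ProcessId": 5120,
     "TargetObject": r"HKU\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

Against the constructed events the two Run-key writes each trigger both the generic and the sample-specific rule, the Startup drop and the netsh command trigger one each, and the OneDrive control triggers nothing. Swapping in a different `reg_key` keeps the three generic detections and drops only the sample-specific one, which is the behaviour you want when porting the rule set to another njRAT build.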
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\System.exe
Filesize: 23KB
MD5: 1b5d01ad390e8ca90fc4708a21f1b846
SHA1: 88a27e59b8ec194d96a6d5f947a888310f95bbe8
SHA256: cbaef05f8225ce70a6103129c69ed19c1a3af6fd1136c43e435603be4aa4238e
SHA512: 9fd898d36ea7630c31f470b07f97d3fd5f4b0ff8bf870fb7debea0df1dfe6b6ffe751cebdbc9283cfd33b2f9330066d6973c460b4aa9f9c5364a04c345e52586

System.exe carries exactly the hashes of the submitted sample: the first stage copies itself to %TEMP%\System.exe and re-executes from there, so the dropped file is not a second payload and the sample's own hashes are sufficient to match it.
-
memory/2164-134-0x0000000000000000-mapping.dmp
memory/2164-137-0x0000000075580000-0x0000000075B31000-memory.dmp (5.7MB)
memory/2164-140-0x0000000075580000-0x0000000075B31000-memory.dmp (5.7MB)
memory/3060-139-0x0000000000000000-mapping.dmp
memory/4664-132-0x0000000075580000-0x0000000075B31000-memory.dmp (5.7MB)
memory/4664-133-0x0000000075580000-0x0000000075B31000-memory.dmp (5.7MB)
memory/4664-138-0x0000000075580000-0x0000000075B31000-memory.dmp (5.7MB)