Analysis
  max time kernel: 156s
  max time network: 196s
  platform: windows10-2004_x64
  resource: win10v2004-20221111-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 28-11-2022 11:07

Static task: static1
Behavioral task: behavioral1
Sample: pdf.exe
Resource: win7-20221111-en
General
  Target: pdf.exe
  Size: 102KB
  MD5: b04423987d7a01ca1bf5b1f8f2b77b0c
  SHA1: 6468823f6da30059a2750cf2b4599fdb8e450f05
  SHA256: 8edcf97df9e24756e8700a4496dd92d3677fc835925a90d1c48914e369b7f651
  SHA512: c709012177a1d05939e92218111a0e08520166179de4353cc576e88e609fdbf556a99afa3175193a4b7d5d5b38f6688458d0e2e50f549e6f159b46f78bc1b295
  SSDEEP: 1536:TcTbDj6OLC73ybzlr6kI+KEBXiI40n6aDnOae98fAaMGSSpvvKet2Hbq86Dm:TcX6OWqzlUUBSpE6aDOOvvNtP86Dm
Malware Config

Extracted: njrat
  Version: 0.6.4
  Botnet: nEwHacKed
  C2: slowburn.linkpc.net:6760
  Mutex: a5e14c6feeac7389fad3a06801dddd4f
  Attributes:
    reg_key: a5e14c6feeac7389fad3a06801dddd4f
    splitter: |'|'|

Extracted: pony
  C2: http://slow1234.serveftp.com/duos/gate.php
Signatures

Modifies WinLogon for persistence  (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Users\\Admin\\AppData\\Roaming\\reader\\adobe.exe,explorer.exe" | reg.exe

Executes dropped EXE  (1 IoC)
  pid | process
  3940 | njratbin.exe

Modifies Windows Firewall  (1 TTP, 1 IoC)

YARA rule matches (memory)
  resource | yara_rule
  behavioral2/memory/4344-139-0x0000000000400000-0x000000000041D000-memory.dmp | upx
  behavioral2/memory/4344-142-0x0000000000400000-0x000000000041D000-memory.dmp | upx
  behavioral2/memory/4344-145-0x0000000000400000-0x000000000041D000-memory.dmp | upx
  behavioral2/memory/4344-148-0x0000000000400000-0x000000000041D000-memory.dmp | upx
  behavioral2/memory/4344-150-0x0000000000400000-0x000000000041D000-memory.dmp | upx
  behavioral2/memory/4344-152-0x0000000000400000-0x000000000041D000-memory.dmp | upx

Checks computer location settings  (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | pdf.exe

Reads data files stored by FTP clients  (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers  (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts  (1 TTP, 1 IoC)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | pdf.exe

Accesses Microsoft Outlook profiles  (1 TTP, 1 IoC)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | pdf.exe

Checks installed software on the system  (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext  (2 IoCs)
  description | pid | process | target process
  PID 744 set thread context of 3848 | 744 | pdf.exe | pdf.exe
  PID 744 set thread context of 4344 | 744 | pdf.exe | pdf.exe

Enumerates physical storage devices  (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses  (33 IoCs)
  pid | process
  744 | pdf.exe  (6 entries)
  3940 | njratbin.exe  (27 entries)

Suspicious use of AdjustPrivilegeToken  (50 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 744 | pdf.exe
  Token: SeDebugPrivilege | 3940 | njratbin.exe
  Token: SeImpersonatePrivilege | 4344 | pdf.exe  (6 entries)
  Token: SeTcbPrivilege | 4344 | pdf.exe  (6 entries)
  Token: SeChangeNotifyPrivilege | 4344 | pdf.exe  (6 entries)
  Token: SeCreateTokenPrivilege | 4344 | pdf.exe  (6 entries)
  Token: SeBackupPrivilege | 4344 | pdf.exe  (6 entries)
  Token: SeRestorePrivilege | 4344 | pdf.exe  (6 entries)
  Token: SeIncreaseQuotaPrivilege | 4344 | pdf.exe  (6 entries)
  Token: SeAssignPrimaryTokenPrivilege | 4344 | pdf.exe  (6 entries)

Suspicious use of WriteProcessMemory  (26 IoCs)
  description | pid | process | target process
  PID 744 wrote to memory of 4148 | 744 | pdf.exe | cmd.exe  (3 entries)
  PID 4148 wrote to memory of 4100 | 4148 | cmd.exe | reg.exe  (3 entries)
  PID 744 wrote to memory of 3848 | 744 | pdf.exe | pdf.exe  (7 entries)
  PID 744 wrote to memory of 4344 | 744 | pdf.exe | pdf.exe  (7 entries)
  PID 744 wrote to memory of 3940 | 744 | pdf.exe | njratbin.exe  (3 entries)
  PID 3940 wrote to memory of 2552 | 3940 | njratbin.exe | netsh.exe  (3 entries)

outlook_win_path  (1 IoC)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | pdf.exe
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\pdf.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\pdf.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\reader\adobe.exe,explorer.exe"
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\SysWOW64\reg.exe
      command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\reader\adobe.exe,explorer.exe"
      - Modifies WinLogon for persistence

  (depth 2) C:\Users\Admin\AppData\Local\Temp\pdf.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\pdf.exe"

  (depth 2) C:\Users\Admin\AppData\Local\Temp\pdf.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\pdf.exe"
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_win_path

  (depth 2) C:\Users\Admin\AppData\Local\Temp\njratbin.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\njratbin.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\SysWOW64\netsh.exe
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\njratbin.exe" "njratbin.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\njratbin.exe
  Filesize: 29KB
  MD5: 007a4bd3c704a1ddd7d1b04ee9d91c27
  SHA1: 60843e7a18316d258afba4690a5ecc62c1045795
  SHA256: 4442506b3211c38811543e2aad5bf276d075734f7967d83a2b3117bc4bad044a
  SHA512: e9678f517dbfd58ea51e93576988660d6447b479a61b478a91de7edf6057825a7a8e08d7a147514c6c9d5c2ef11e469de9ee729db2f95ef96c72eeb7e98a4838

Memory dumps
  memory/744-133-0x0000000074630000-0x0000000074BE1000-memory.dmp  Filesize: 5.7MB
  memory/744-132-0x0000000074630000-0x0000000074BE1000-memory.dmp  Filesize: 5.7MB
  memory/744-146-0x0000000074630000-0x0000000074BE1000-memory.dmp  Filesize: 5.7MB
  memory/2552-147-0x0000000000000000-mapping.dmp
  memory/3848-136-0x0000000000000000-mapping.dmp
  memory/3940-151-0x0000000074630000-0x0000000074BE1000-memory.dmp  Filesize: 5.7MB
  memory/3940-149-0x0000000074630000-0x0000000074BE1000-memory.dmp  Filesize: 5.7MB
  memory/3940-141-0x0000000000000000-mapping.dmp
  memory/4100-135-0x0000000000000000-mapping.dmp
  memory/4148-134-0x0000000000000000-mapping.dmp
  memory/4344-142-0x0000000000400000-0x000000000041D000-memory.dmp  Filesize: 116KB
  memory/4344-145-0x0000000000400000-0x000000000041D000-memory.dmp  Filesize: 116KB
  memory/4344-148-0x0000000000400000-0x000000000041D000-memory.dmp  Filesize: 116KB
  memory/4344-139-0x0000000000400000-0x000000000041D000-memory.dmp  Filesize: 116KB
  memory/4344-150-0x0000000000400000-0x000000000041D000-memory.dmp  Filesize: 116KB
  memory/4344-138-0x0000000000000000-mapping.dmp
  memory/4344-152-0x0000000000400000-0x000000000041D000-memory.dmp  Filesize: 116KB