Analysis
-
max time kernel
155s
-
max time network
173s
-
platform
windows10-2004_x64
-
resource
win10v2004-20220812-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
28-11-2022 18:55
Static task
static1
Behavioral task
behavioral1
Sample
151f1e943b65d61b4243cc03061ec7c2f9be074008d1e987e4246f3f3699cb57.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
151f1e943b65d61b4243cc03061ec7c2f9be074008d1e987e4246f3f3699cb57.exe
Resource
win10v2004-20220812-en
General
-
Target
151f1e943b65d61b4243cc03061ec7c2f9be074008d1e987e4246f3f3699cb57.exe
-
Size
416KB
-
MD5
83771882f3cadc168a06c5900c89a2fa
-
SHA1
ddaa5ba0394fa2dd41806c30aab9dcedcab3c856
-
SHA256
151f1e943b65d61b4243cc03061ec7c2f9be074008d1e987e4246f3f3699cb57
-
SHA512
4b54b280d74ef1fabe0fa1bb3444650570517b6a8079371794b6cb0ab077d2eb7c7bf0c080799d1338568ea690c51cafd071dbb3cf7afd30ed6da25f85a81ced
-
SSDEEP
6144:/V6JHMBmCeHXBzVdwvuePgSRDooIOq0gkiYpQ/:/cGoZeISRMmYYp
Malware Config
Extracted
Family
njrat
-
Version
0.7d
-
Botnet
HacKed
-
C2
aloneone91.hopper.pw:1991
-
Mutex
5f5756082ee9ac1134f0cd5572ac803a
-
reg_key
5f5756082ee9ac1134f0cd5572ac803a
-
splitter
|'|'|
"HacKed" is the default campaign name shipped with njRAT builders, so it does not identify an operator. The mutex and reg_key carry the same value because njRAT uses one identifier for both. The C2 is a hostname with a non-standard TCP port, so detections should key on the name as well as on whatever it resolves to at the time.
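The extracted config is what turns this report into network detection content. The following is an added example, not code from the sandbox report or from njRAT: it builds and parses length-prefixed frames using the extracted splitter and C2 endpoint, including frames split across TCP segments, and gives a cheap "is this njRAT?" check for a payload. Assumptions not stated on the page: each njRAT message is a decimal payload length, a NUL byte, then the payload, and payload fields are joined with the splitter; the field meanings in the sample beacon (command token, campaign_hwid, hostname, user, ...) are a constructed illustration.

```python
"""Added example, not part of the report: njRAT-style C2 framing built
around the extracted splitter. Framing and field semantics are assumptions
(see lead-in); the sample beacon is constructed."""

SPLITTER = "|'|'|"                                   # from the extracted config
C2_HOST, C2_PORT = "aloneone91.hopper.pw", 1991      # from the extracted config
CAMPAIGN = "HacKed"                                  # from the extracted config


def encode_frame(fields, splitter=SPLITTER):
    """Join fields with the splitter and prepend '<len>\\x00' (assumed framing)."""
    payload = splitter.join(fields).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def decode_frames(buf, splitter=SPLITTER):
    """Parse every complete frame in buf; return (list_of_field_lists, leftover).

    Handles several frames in one TCP segment and a partial frame at the end,
    which is returned as `leftover` for the caller to prepend to the next
    segment. Raises ValueError if the header is not a decimal length."""
    frames = []
    while True:
        nul = buf.find(b"\x00")
        if nul < 0:                                   # no complete header yet
            break
        head = buf[:nul]
        if not head.isdigit() or len(head) > 7:       # not length-prefixed text
            raise ValueError("not a length-prefixed frame: %r" % buf[:16])
        end = nul + 1 + int(head)
        if len(buf) < end:                            # wait for the rest
            break
        payload = buf[nul + 1:end].decode("utf-8", errors="replace")
        frames.append(payload.split(splitter))
        buf = buf[end:]
    return frames, buf


def looks_like_njrat(segment, splitter=SPLITTER):
    """NSM heuristic: a well-formed length-prefixed frame whose payload
    contains the configured splitter at least once."""
    try:
        frames, _ = decode_frames(segment, splitter)
    except ValueError:
        return False
    return any(len(f) > 1 for f in frames)


# Constructed sample registration beacon. The victim id is the campaign name
# plus a hardware id, as njRAT builds it; every other field is illustrative.
SAMPLE_BEACON = ["ll", CAMPAIGN + "_7E3A21F0", "DESKTOP-SANDBOX", "Admin",
                 "22-11-28", "", "Win 10 Pro SP0 x64", "No", "0.7d", "..", ""]

if __name__ == "__main__":
    frame = encode_frame(SAMPLE_BEACON)
    print("to %s:%d -> %r" % (C2_HOST, C2_PORT, frame))
    print(decode_frames(frame))
```

The splitter is the most stable artefact here: operators change the host, port and campaign name between builds, but `|'|'|` is baked into the njRAT family, so a payload match on it plus the length header catches samples whose C2 you have never seen.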
Signatures
-
Executes dropped EXE 3 IoCs
Processes: winlogon.exe, winlogon.exe, csrss.exe
- PID 1140 winlogon.exe
- PID 3728 winlogon.exe
- PID 2664 csrss.exe
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 151f1e943b65d61b4243cc03061ec7c2f9be074008d1e987e4246f3f3699cb57.exe, winlogon.exe
- Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation by 151f1e943b65d61b4243cc03061ec7c2f9be074008d1e987e4246f3f3699cb57.exe
- Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation by winlogon.exe
This key is also read by ordinary Windows and .NET locale initialisation, so on its own it is weak evidence of geofencing; the report shows no branch in behaviour that depends on the result.
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes: winlogon.exe, csrss.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" by winlogon.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" by winlogon.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" by csrss.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" by csrss.exe
Both dropped copies write the same two entries, and the value name "Winlogon" is chosen to look like a system component. The HKLM entry lands under WOW6432Node because the writer is a 32-bit process on x64 Windows (the sample also launches netsh.exe from SysWOW64) and requires administrative rights; the HKCU entry persists for an unprivileged user as well, so check both hives when cleaning up.
-
Suspicious use of SetThreadContext 1 IoCs
Processes: winlogon.exe
- PID 1140 winlogon.exe set thread context of PID 3728 winlogon.exe
Taken together with the repeated WriteProcessMemory calls from 1140 into 3728 and the 48KB image-sized region at 0x00400000 that exists only in PID 3728 (see the memory dumps below), this is consistent with process hollowing: the first dropped copy writes a payload into a second instance of itself and redirects that instance's thread into it. PID 3728 is the instance that goes on to call netsh.exe and to request SeDebugPrivilege, so it is the running njRAT client.
-
Drops file in Windows directory 4 IoCs
Processes: winlogon.exe, 151f1e943b65d61b4243cc03061ec7c2f9be074008d1e987e4246f3f3699cb57.exe
- File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new by winlogon.exe
- File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new by winlogon.exe
- File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new by 151f1e943b65d61b4243cc03061ec7c2f9be074008d1e987e4246f3f3699cb57.exe
- File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new by 151f1e943b65d61b4243cc03061ec7c2f9be074008d1e987e4246f3f3699cb57.exe
These .cch files are the .NET Framework 2.0 runtime's code-access-security policy cache, written when a v2.0 assembly starts; they show the sample is a .NET 2.0 binary (njRAT is written in VB.NET) rather than a payload being planted in C:\Windows.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is "likely ransomware behaviour", but that does not fit here: the sample is an njRAT client, and the report records no file encryption, mass renaming or ransom-note writes. For njRAT, drive enumeration is consistent with its removable-drive spreading and remote file-manager features.
-
Modifies registry class 1 IoCs
Processes: winlogon.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ by winlogon.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: csrss.exe
- PID 2664 csrss.exe (the same IoC is listed 64 times in the report; the process keeps re-enumerating, as its -prochide/-proc 3728 arguments in the process tree suggest)
-
Suspicious use of AdjustPrivilegeToken 28 IoCs
Processes: csrss.exe, winlogon.exe
- Token: SeDebugPrivilege, PID 2664 csrss.exe
- Token: SeDebugPrivilege, PID 3728 winlogon.exe
- Token: 33, PID 3728 winlogon.exe, followed by Token: SeIncBasePriorityPrivilege, PID 3728 winlogon.exe (this pair is repeated 13 times)
Privilege value 33, which the report leaves unresolved, is SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege). SeDebugPrivilege is what both dropped copies need to open other processes, which matches the cross-process writes recorded below and the csrss.exe watchdog's "-proc 3728" argument.
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes: 151f1e943b65d61b4243cc03061ec7c2f9be074008d1e987e4246f3f3699cb57.exe, winlogon.exe, winlogon.exe
- PID 812 151f1e943b65d61b4243cc03061ec7c2f9be074008d1e987e4246f3f3699cb57.exe wrote to memory of PID 1140 winlogon.exe (3 times)
- PID 1140 winlogon.exe wrote to memory of PID 3728 winlogon.exe (8 times)
- PID 1140 winlogon.exe wrote to memory of PID 2664 csrss.exe (3 times)
- PID 3728 winlogon.exe wrote to memory of PID 4880 netsh.exe (3 times)
Processes
-
Level 1 (PID 812): C:\Users\Admin\AppData\Local\Temp\151f1e943b65d61b4243cc03061ec7c2f9be074008d1e987e4246f3f3699cb57.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\151f1e943b65d61b4243cc03061ec7c2f9be074008d1e987e4246f3f3699cb57.exe"
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
Level 2 (PID 1140, child of 812): C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
Command line: "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
Level 3 (PID 3728, child of 1140): C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
Command line: "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Level 4 (PID 4880, child of 3728): C:\Windows\SysWOW64\netsh.exe
Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe" "winlogon.exe" ENABLE
- Modifies Windows Firewall
-
Level 3 (PID 2664, child of 1140): C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe
Command line: "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe" -keyhide -prochide 3728 -reg C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe -proc 3728 C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PIDs are taken from the WriteProcessMemory and SetThreadContext IoCs above. Neither winlogon.exe nor csrss.exe here is the Windows binary of that name: both run from %AppData%\SubFolder\SubFolder and have the same hashes as the submitted sample. The legacy "netsh firewall add allowedprogram ... ENABLE" form is njRAT's stock firewall-exception command and is still accepted on Windows 10 (with a deprecation notice). The csrss.exe argument names (-keyhide, -prochide 3728, -reg <path>, -proc 3728 <path>) indicate a watchdog that hides the Run key and the PID 3728 process and, judging by its own Run-key writes and constant process enumeration, restores them if they are removed; killing 3728 without first stopping 2664 is therefore unlikely to stick.
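The process tree and the registry IoCs above describe four behaviours worth alerting on independently of this sample's hashes: a system binary name running from a user-writable directory, a binary in such a directory spawning a second copy of itself, a netsh firewall exception for such a binary, and a Run key pointing into AppData. The following is an added example, not code from the sandbox report or from njRAT: detection logic for those four patterns, run over constructed Sysmon-style events. The events are reconstructed by hand from the process tree and the Run-key IoCs; their field names (type, pid, image, cmdline, parent_image, key, value) are this example's own, not Sysmon's, and the pids on the registry events are assumed because the report names only the writing process.

```python
"""Added example, not part of the report: host-behaviour rules for the
patterns recorded in the process tree, over constructed events."""
import re

# Binaries Windows runs only from System32/SysWOW64; the same name anywhere
# else (here %AppData%\SubFolder\SubFolder\) is masquerading.
SYSTEM_BINARIES = {"winlogon.exe", "csrss.exe", "lsass.exe", "smss.exe",
                   "services.exe", "svchost.exe", "wininit.exe"}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\",
                 "\\users\\public\\", "\\programdata\\")
RUN_KEY_RE = re.compile(
    r"\\software\\(?:wow6432node\\)?microsoft\\windows\\currentversion\\run(?:once)?\\",
    re.IGNORECASE)
NETSH_FW_RE = re.compile(
    r"firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule",
    re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def masquerades_system_binary(image):
    low = image.lower()
    return basename(low) in SYSTEM_BINARIES and not low.startswith(TRUSTED_DIRS)


def in_user_writable(path):
    low = path.lower()
    return any(d in low for d in USER_WRITABLE)


def detect(events):
    """Return (rule, pid, detail) tuples for every event that matches a rule."""
    hits = []
    for e in events:
        if e["type"] == "process_create":
            image, cmd = e["image"], e.get("cmdline", "")
            if masquerades_system_binary(image):
                hits.append(("masquerading_system_process", e["pid"], image))
            if basename(image) == "netsh.exe" and NETSH_FW_RE.search(cmd):
                prog = re.search(r'"([^"]+\.exe)"', cmd, re.IGNORECASE)
                if prog and in_user_writable(prog.group(1)):
                    hits.append(("firewall_exception_for_user_writable_binary",
                                 e["pid"], prog.group(1)))
            parent = e.get("parent_image") or ""
            if parent.lower() == image.lower() and in_user_writable(image):
                # A dropped binary launching a second copy of itself is the
                # hollowing pattern seen between PIDs 1140 and 3728 above.
                hits.append(("self_spawn_from_user_writable_path", e["pid"], image))
        elif e["type"] == "registry_set":
            if RUN_KEY_RE.search(e["key"]) and in_user_writable(e["value"]):
                hits.append(("run_key_to_user_writable_path", e["pid"], e["key"]))
    return hits


DROP = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\"
STAGE0 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\151f1e943b65d61b4243cc03061ec7c2f9be074008d1e987e4246f3f3699cb57.exe"
HKCU_RUN = ("\\REGISTRY\\USER\\S-1-5-21-2629973501-4017243118-3254762364-1000"
            "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Winlogon")
HKLM_RUN = "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Winlogon"

# Constructed from the report's process tree; registry-event pids are assumed.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 812, "image": STAGE0, "parent_image": None,
     "cmdline": '"' + STAGE0 + '"'},
    {"type": "process_create", "pid": 1140, "image": DROP + "winlogon.exe",
     "parent_image": STAGE0, "cmdline": '"' + DROP + 'winlogon.exe"'},
    {"type": "process_create", "pid": 3728, "image": DROP + "winlogon.exe",
     "parent_image": DROP + "winlogon.exe", "cmdline": '"' + DROP + 'winlogon.exe"'},
    {"type": "process_create", "pid": 4880, "image": "C:\\Windows\\SysWOW64\\netsh.exe",
     "parent_image": DROP + "winlogon.exe",
     "cmdline": 'netsh firewall add allowedprogram "' + DROP + 'winlogon.exe" "winlogon.exe" ENABLE'},
    {"type": "process_create", "pid": 2664, "image": DROP + "csrss.exe",
     "parent_image": DROP + "winlogon.exe",
     "cmdline": '"' + DROP + 'csrss.exe" -keyhide -prochide 3728 -reg ' + DROP
                + 'winlogon.exe -proc 3728 ' + DROP + 'winlogon.exe'},
    {"type": "registry_set", "pid": 3728, "key": HKCU_RUN, "value": DROP + "winlogon.exe"},
    {"type": "registry_set", "pid": 2664, "key": HKLM_RUN, "value": DROP + "winlogon.exe"},
    # Benign controls: the real winlogon.exe and a vendor updater's Run key.
    {"type": "process_create", "pid": 600, "image": "C:\\Windows\\System32\\winlogon.exe",
     "parent_image": "C:\\Windows\\System32\\smss.exe", "cmdline": "winlogon.exe"},
    {"type": "registry_set", "pid": 5012, "key": HKCU_RUN.rsplit("\\", 1)[0] + "\\VendorUpdate",
     "value": "C:\\Program Files\\Vendor\\updater.exe"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(*hit)
```

The self-spawn rule is deliberately narrow (same image path, user-writable directory) so that it does not fire on legitimate multi-process applications installed under Program Files; on this sample it fires exactly once, for PID 3728, which is the instance the SetThreadContext IoC identifies as the hollowing target.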
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe (listed twice in the report)
Filesize 416KB
MD5 83771882f3cadc168a06c5900c89a2fa
SHA1 ddaa5ba0394fa2dd41806c30aab9dcedcab3c856
SHA256 151f1e943b65d61b4243cc03061ec7c2f9be074008d1e987e4246f3f3699cb57
SHA512 4b54b280d74ef1fabe0fa1bb3444650570517b6a8079371794b6cb0ab077d2eb7c7bf0c080799d1338568ea690c51cafd071dbb3cf7afd30ed6da25f85a81ced
-
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (listed three times in the report)
Filesize 416KB
MD5 83771882f3cadc168a06c5900c89a2fa
SHA1 ddaa5ba0394fa2dd41806c30aab9dcedcab3c856
SHA256 151f1e943b65d61b4243cc03061ec7c2f9be074008d1e987e4246f3f3699cb57
SHA512 4b54b280d74ef1fabe0fa1bb3444650570517b6a8079371794b6cb0ab077d2eb7c7bf0c080799d1338568ea690c51cafd071dbb3cf7afd30ed6da25f85a81ced
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch
Filesize 514B
MD5 75f4ac0fdaa8f343dc5de2709ef73573
SHA1 4e2eff866858ea0b2b2b2425a9f183bcd83d27d9
SHA256 cd39a1fa2a574e3d032165da9457f80d7bd0c08b627b48dd36d407f0177480c9
SHA512 9f6154a944fd203f538e5114f5566f9e3f47c3923815d0633e1461305ae8cdb66f5e582575e925b627801dc929915bde45b5b42d8030030e88a933ee45d346aa
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
Filesize 514B
MD5 75f4ac0fdaa8f343dc5de2709ef73573
SHA1 4e2eff866858ea0b2b2b2425a9f183bcd83d27d9
SHA256 cd39a1fa2a574e3d032165da9457f80d7bd0c08b627b48dd36d407f0177480c9
SHA512 9f6154a944fd203f538e5114f5566f9e3f47c3923815d0633e1461305ae8cdb66f5e582575e925b627801dc929915bde45b5b42d8030030e88a933ee45d346aa
Both dropped executables carry exactly the hashes of the submitted sample, so the sample copies itself under two system-binary names rather than unpacking a second stage to disk; a hash block on the original SHA256 therefore covers the dropped files too. The two .cch files are the .NET 2.0 policy cache noted above, not malware artefacts.
-
Memory dumps (named memory/<pid>-<n> in the report)
- memory/812-132, memory/812-133, memory/812-147: 0x0000000075590000-0x0000000075B41000 (5.7MB)
- memory/1140-134: mapping.dmp
- memory/1140-137, memory/1140-138, memory/1140-153: 0x0000000075590000-0x0000000075B41000 (5.7MB)
- memory/2664-148: mapping.dmp
- memory/2664-152, memory/2664-156: 0x0000000075590000-0x0000000075B41000 (5.7MB)
- memory/3728-139: mapping.dmp
- memory/3728-140, memory/3728-141, memory/3728-142: 0x0000000000400000-0x000000000040C000 (48KB)
- memory/3728-146, memory/3728-155: 0x0000000075590000-0x0000000075B41000 (5.7MB)
- memory/4880-154: mapping.dmp
The 5.7MB region at 0x75590000 is mapped at the same address in every process that runs the sample (812, 1140, 2664, 3728), which is consistent with a shared 32-bit module rather than with the payload. The 48KB region at 0x00400000 exists only in PID 3728 and sits at the default image base of a 32-bit executable, consistent with the image written into the hollowed winlogon.exe instance; if you want the unpacked njRAT client, that is the dump to carve.