Analysis
max time kernel: 175s
max time network: 189s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-11-2022 17:09
Behavioral task: behavioral1
Sample: d02e88a87f99105730981411b3dc00838ba8f93f7fee5d2294820e44d38ff28c.exe
Resource: win7-20220901-en
General
Target: d02e88a87f99105730981411b3dc00838ba8f93f7fee5d2294820e44d38ff28c.exe
Size: 240KB
MD5: b30fee632f6b18eb2ff5a49a4e5d7883
SHA1: 550238b070088e906fa9ee2aa3477a1321498173
SHA256: d02e88a87f99105730981411b3dc00838ba8f93f7fee5d2294820e44d38ff28c
SHA512: 28aae9d2412729144d757a489807cb8761abe5f0a93dd43ac3c41d6e03e8c5d67208feebcd421663fc794a26612e2554ed0f53ed583c45b1501e4e0748e8c826
SSDEEP: 6144:de95/jDSDls2IN4vuSACO9yux887vyYlPEAOlfJO2EgFTuUB5aW:deyvKz92xhETUx
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: HacKed
C2: 127.0.0.1:5552
Mutex: 279f6960ed84a752570aca7fb2dc1552
reg_key: 279f6960ed84a752570aca7fb2dc1552
splitter: |'|'|
Signatures

Executes dropped EXE (1 IoCs)
Processes:
  pid 4552  Server.exe
Modifies Windows Firewall (1 TTPs, 1 IoCs)
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation  d02e88a87f99105730981411b3dc00838ba8f93f7fee5d2294820e44d38ff28c.exe
Obfuscated with Agile.Net obfuscator (1 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
  resource behavioral2/memory/2132-132-0x00000000003B0000-0x00000000003BC000-memory.dmp  yara_rule agile_net
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Set value (str)  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\279f6960ed84a752570aca7fb2dc1552 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .."  Server.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\279f6960ed84a752570aca7fb2dc1552 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .."  Server.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings
Processes:
  Key created  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main  iexplore.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000179"  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive  iexplore.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"  iexplore.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3927030912"  iexplore.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"  iexplore.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\IESettingSync  IEXPLORE.EXE
  Set value (int)  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing  iexplore.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch  iexplore.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40d4c4ef7306d901  iexplore.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  IEXPLORE.EXE
  Set value (int)  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"  iexplore.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eef4ddb70fa9964f8bf69d510f57c1eb0000000002000000000010660000000100002000000099032978ccb97b6cc46bbfe8df9b5978dc5a9432a50ddee8e241b6df7eaf36e7000000000e8000000002000020000000d5088093ff3423e831f8dcbc95c302b6d7ca7c937d964ea82804ec462e372fa1200000007510b383e8131ec64965f2ae8ecff44b94447a9d7063612230cd0f7c6323cab740000000d9ad58e44627556b6111bb79141ed918cd60a31665f7352c8c3853282a5ff9b48acadc1580bcc3402cf71a6151152e4e00a0e241e8928f999b42916726057638  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion  iexplore.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376164145"  iexplore.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"  IEXPLORE.EXE
  Set value (data)  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eef4ddb70fa9964f8bf69d510f57c1eb0000000002000000000010660000000100002000000049e4c902a95965a6fa225118de3f6d316b3f5ce731554d27e223176fe03657f8000000000e8000000002000020000000fc6e04168f5e5a74f504aad771b2df090737ca68740cadb726de27cdbc25867c20000000e0d14226a8cde7b33f2dfde1d8ac1bc606ea4b67f5b79beed1bd2c80cdfbf91340000000c1214810757b93a3fb41ce2870b6c4bbeebd0283c8d85a7ade43c210ac3b2db830acdc1b474940705b374170bad81e1283b92e6f6908b7254e61e471c9dd171d  iexplore.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31000179"  iexplore.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c050eaf57306d901  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main  IEXPLORE.EXE
  Key created  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\VersionManager  iexplore.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch  IEXPLORE.EXE
  Set value (int)  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3927030912"  iexplore.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{122A1C8D-7267-11ED-BF5F-4EF50EB22100} = "0"  iexplore.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  iexplore.exe
Modifies registry class (1 IoCs)
Processes:
  Key created  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings  d02e88a87f99105730981411b3dc00838ba8f93f7fee5d2294820e44d38ff28c.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid 4048  iexplore.exe
Suspicious use of AdjustPrivilegeToken (30 IoCs)
Processes:
  Token: SeDebugPrivilege  pid 2132  d02e88a87f99105730981411b3dc00838ba8f93f7fee5d2294820e44d38ff28c.exe
  Token: SeDebugPrivilege  pid 4552  Server.exe
  Token: 33  pid 4552  Server.exe
  Token: SeIncBasePriorityPrivilege  pid 4552  Server.exe
  (the "Token: 33" / "Token: SeIncBasePriorityPrivilege" pair for pid 4552 Server.exe repeats 14 times, 28 entries in total)
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes:
  pid 4048  iexplore.exe
Suspicious use of SetWindowsHookEx (6 IoCs)
Processes:
  pid 4048  iexplore.exe
  pid 4048  iexplore.exe
  pid 2100  IEXPLORE.EXE
  pid 2100  IEXPLORE.EXE
  pid 2100  IEXPLORE.EXE
  pid 2100  IEXPLORE.EXE
Suspicious use of WriteProcessMemory (11 IoCs)
Processes (source pid / source process -> target pid / target process):
  PID 2132 wrote to memory of 4552  d02e88a87f99105730981411b3dc00838ba8f93f7fee5d2294820e44d38ff28c.exe -> Server.exe
  PID 2132 wrote to memory of 4552  d02e88a87f99105730981411b3dc00838ba8f93f7fee5d2294820e44d38ff28c.exe -> Server.exe
  PID 2132 wrote to memory of 4552  d02e88a87f99105730981411b3dc00838ba8f93f7fee5d2294820e44d38ff28c.exe -> Server.exe
  PID 2132 wrote to memory of 4048  d02e88a87f99105730981411b3dc00838ba8f93f7fee5d2294820e44d38ff28c.exe -> iexplore.exe
  PID 2132 wrote to memory of 4048  d02e88a87f99105730981411b3dc00838ba8f93f7fee5d2294820e44d38ff28c.exe -> iexplore.exe
  PID 4048 wrote to memory of 2100  iexplore.exe -> IEXPLORE.EXE
  PID 4048 wrote to memory of 2100  iexplore.exe -> IEXPLORE.EXE
  PID 4048 wrote to memory of 2100  iexplore.exe -> IEXPLORE.EXE
  PID 4552 wrote to memory of 3164  Server.exe -> netsh.exe
  PID 4552 wrote to memory of 3164  Server.exe -> netsh.exe
  PID 4552 wrote to memory of 3164  Server.exe -> netsh.exe
Processes (indentation shows parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\d02e88a87f99105730981411b3dc00838ba8f93f7fee5d2294820e44d38ff28c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d02e88a87f99105730981411b3dc00838ba8f93f7fee5d2294820e44d38ff28c.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Server.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
      - Modifies Windows Firewall

  C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\صورة.gif
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4048 CREDAT:17410 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize: 23KB
MD5: b4ecb77429fd8fb0c2ad0b2e82b99a2a
SHA1: 64c90eb7b4c8cf8585fee8950cf842a77546f561
SHA256: 0be44ad34deda92d7ce2c7e0093c398606deec502327a9639cc7e574509677c0
SHA512: 8333d34d6f9a3cce4fc6c265c5b2ed08839a4f3533b0fdb7fb46e735d64fc61278e226f1c5e67371b98f4b6fa48d33948dc3a04cd4bdee35d18fa4267bd455ce

C:\Users\Admin\AppData\Local\Temp\صورة.gif
Filesize: 59KB
MD5: 741c4e52b72bf081956f2bad797af2b3
SHA1: f21726792e66c1b171e03b06fd3f6dcd2195bc28
SHA256: ba15f81908ea9cced0d302abbd863f2762dc000d192adcc2532a634c37a0570c
SHA512: 48525d79274e84bdde118de182775624fcf6ea34b89dd612dfd990d5b4a5048d89f28daab8913afe42027423ed0616272f7ce5475c485318a3bfe05667a2a095

memory/2132-132-0x00000000003B0000-0x00000000003BC000-memory.dmp
Filesize: 48KB

memory/2132-133-0x00007FF80F140000-0x00007FF80FC01000-memory.dmp
Filesize: 10.8MB

memory/2132-136-0x00007FF80F140000-0x00007FF80FC01000-memory.dmp
Filesize: 10.8MB

memory/3164-141-0x0000000000000000-mapping.dmp

memory/4552-134-0x0000000000000000-mapping.dmp

memory/4552-138-0x0000000074FC0000-0x0000000075571000-memory.dmp
Filesize: 5.7MB

memory/4552-140-0x0000000074FC0000-0x0000000075571000-memory.dmp
Filesize: 5.7MB