Analysis
max time kernel: 151s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 01-12-2022 09:26
Behavioral tasks
- behavioral1: sample 0242b77912d11030997cbf549f41a61c.exe, resource win7-20220901-en
- behavioral2: sample 0242b77912d11030997cbf549f41a61c.exe, resource win10v2004-20220812-en (the run reported on this page)
General
Target: 0242b77912d11030997cbf549f41a61c.exe
Size: 37KB
MD5: 0242b77912d11030997cbf549f41a61c
SHA1: d0fabf4bf6adff8f2ae3f827bf0a815fe00513cf
SHA256: d143d732effee86f0bc7a3862cfbc20b3ff1f0759aa997b7a8a3e5568fdd4337
SHA512: 52d1b86eb23d6bca79c2752a3a5d43ac5617495a8b0a9d387492e8eef9a56067913ddb79b6dab7228bde473cdca9713d69d642f6b04eac52bbb6cd15e23c706c
SSDEEP: 384:oalQmY98iM6caSGAZ0ytfBPGHlegiuIWnrAF+rMRTyN/0L+EcoinblneHQM3epzS:9QmGp2Z3tfBPGk9udrM+rMRa8NuW/t
Malware Config
Extracted
Family: njrat
Version: im523
Botnet: Dibil
C2: 7.tcp.eu.ngrok.io:18097
Mutex: 7bb786d3a71613dbb1f2bee12d98405a
Attributes:
- reg_key: 7bb786d3a71613dbb1f2bee12d98405a
- splitter: |'|'|
The C2 is an ngrok TCP tunnel endpoint, so the hostname and port identify a rented relay rather than the operator's own host. The same 32-hex-character value serves as mutex, Run value name and Startup file stem (see the persistence signatures below), and the splitter is the field delimiter njRAT uses inside its C2 messages.
Signatures
Executes dropped EXE (1 IoCs)
Processes:
- pid 2040 Realtek HD Audio Universal Windows.exe
Modifies Windows Firewall (1 TTPs, 1 IoCs)
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (0242b77912d11030997cbf549f41a61c.exe)
Drops startup file (2 IoCs)
Processes:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7bb786d3a71613dbb1f2bee12d98405a.exe (Realtek HD Audio Universal Windows.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7bb786d3a71613dbb1f2bee12d98405a.exe (Realtek HD Audio Universal Windows.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7bb786d3a71613dbb1f2bee12d98405a = "C:\Users\Admin\AppData\Roaming\Realtek HD Audio Universal Windows.exe" .. (Realtek HD Audio Universal Windows.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7bb786d3a71613dbb1f2bee12d98405a = "C:\Users\Admin\AppData\Roaming\Realtek HD Audio Universal Windows.exe" .. (Realtek HD Audio Universal Windows.exe)
Value data is shown unescaped; the trailing " .." is njRAT's usual Run-value suffix. The machine-wide write landed under WOW6432Node because the 32-bit process's HKLM\SOFTWARE access was redirected by WOW64, so on a 64-bit host check both the native and the WOW6432Node Run keys when hunting for this persistence.
Drops autorun.inf file (1 TTPs, 3 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
- File created: C:\autorun.inf (Realtek HD Audio Universal Windows.exe)
- File opened for modification: C:\autorun.inf (Realtek HD Audio Universal Windows.exe)
- File created: D:\autorun.inf (Realtek HD Audio Universal Windows.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description of this signature calls it likely ransomware behaviour; for this sample the drive enumeration belongs with the autorun.inf drops above, i.e. njRAT's removable-drive spreading, not file encryption.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
- pid 2040 Realtek HD Audio Universal Windows.exe (64 identical entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
- pid 2040 Realtek HD Audio Universal Windows.exe
Repeated GetForegroundWindow polling is how njRAT's keylogger records the active window title alongside keystrokes.
Suspicious use of AdjustPrivilegeToken (33 IoCs)
Processes (all pid 2040, Realtek HD Audio Universal Windows.exe):
- Token: SeDebugPrivilege (1 entry)
- Token: 33 and Token: SeIncBasePriorityPrivilege, alternating (16 entries each)
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
- PID 4300 (0242b77912d11030997cbf549f41a61c.exe) wrote to memory of 2040 (Realtek HD Audio Universal Windows.exe), 3 entries
- PID 2040 (Realtek HD Audio Universal Windows.exe) wrote to memory of 2492 (netsh.exe), 3 entries
Each triple is a parent writing into a child it has just created, and the dropped file is a byte-identical copy of the sample (see Downloads), so nothing here points to code injection or in-memory unpacking.
Processes
1. C:\Users\Admin\AppData\Local\Temp\0242b77912d11030997cbf549f41a61c.exe (pid 4300)
   Command line: "C:\Users\Admin\AppData\Local\Temp\0242b77912d11030997cbf549f41a61c.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Realtek HD Audio Universal Windows.exe (pid 2040, child of 4300)
      Command line: "C:\Users\Admin\AppData\Roaming\Realtek HD Audio Universal Windows.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Drops autorun.inf file
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (pid 2492, child of 2040)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Realtek HD Audio Universal Windows.exe" "Realtek HD Audio Universal Windows.exe" ENABLE
         - Modifies Windows Firewall
The legacy "netsh firewall" context is deprecated in favour of "netsh advfirewall firewall", but Windows 10 still honours it: it prints a deprecation notice and creates the allow rule anyway. netsh being launched from SysWOW64 confirms the parent is a 32-bit process.
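The chain in this tree (Run value with the trailing " ..", Startup-folder copy named after reg_key, autorun.inf at drive roots, a netsh allowedprogram rule for a binary under AppData, and an ngrok TCP tunnel as C2) maps onto a small set of host-telemetry rules. The Python below is an example added by the editor, not code from the sandbox or from the njRAT sample: it evaluates Sysmon-style events (plain dicts using Sysmon's field names) constructed from the IoCs on this page plus two benign control events, and correlates hits per process so that a single pid tripping several rules stands out. The regexes, rule names and the generic ngrok hostname pattern are assumptions generalised from this report.

```python
import re
from collections import defaultdict

# Indicators taken from the report above.
C2_HOST = "7.tcp.eu.ngrok.io"
C2_PORT = 18097
REG_KEY = "7bb786d3a71613dbb1f2bee12d98405a"   # reg_key / mutex / Startup file stem
DROPPED = r"C:\Users\Admin\AppData\Roaming\Realtek HD Audio Universal Windows.exe"

# Heuristics. These patterns are the editor's assumptions generalised from the
# IoCs above; they are not rules shipped by the sandbox.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
HEX32_RE = re.compile(r"^[0-9a-f]{32}$", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
AUTORUN_RE = re.compile(r"^[A-Z]:\\autorun\.inf$", re.I)
NETSH_RE = re.compile(
    r"\bnetsh(\.exe)?\s+(advfirewall\s+)?firewall\s+add\s+(allowedprogram|rule)\b", re.I)
USERDIR_RE = re.compile(r"\\AppData\\|\\Users\\[^\\]+\\Downloads\\", re.I)
NGROK_TCP_RE = re.compile(r"^\d+\.tcp(\.[a-z]{2})?\.ngrok\.io$", re.I)   # e.g. 0.tcp.ngrok.io, 7.tcp.eu.ngrok.io


def check_event(ev):
    """Return the rule names a single Sysmon-style event trips ([] if benign)."""
    hits = []
    eid = ev.get("EventID")
    if eid == 13:  # RegistryEvent (Value Set)
        m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
        data = ev.get("Details", "").rstrip()
        # njRAT writes its Run value as  "<path>" ..  and names it after reg_key
        if m and (data.endswith(" ..") or HEX32_RE.match(m.group(1))):
            hits.append("njrat_run_key")
    elif eid == 11:  # FileCreate
        target = ev.get("TargetFilename", "")
        if STARTUP_RE.search(target):
            hits.append("startup_folder_exe")
        if AUTORUN_RE.match(target):
            hits.append("autorun_inf_drive_root")
    elif eid == 1:  # ProcessCreate
        cmd = ev.get("CommandLine", "")
        if NETSH_RE.search(cmd) and USERDIR_RE.search(cmd):
            hits.append("firewall_allow_userdir_exe")
    elif eid == 3:  # NetworkConnect
        host = ev.get("DestinationHostname", "").lower()
        if (host == C2_HOST and ev.get("DestinationPort") == C2_PORT) or NGROK_TCP_RE.match(host):
            hits.append("ngrok_tcp_c2")
    return hits


def correlate(events, min_rules=3):
    """Attribute hits to the acting process and return {pid: [rules]} for every
    pid that trips at least min_rules distinct rules.  A ProcessCreate event is
    credited to the parent, because spawning netsh is the parent's behaviour."""
    per_pid = defaultdict(set)
    for ev in events:
        owner = ev.get("ParentProcessId", ev["ProcessId"]) if ev.get("EventID") == 1 else ev["ProcessId"]
        per_pid[owner].update(check_event(ev))
    return {pid: sorted(rules) for pid, rules in per_pid.items() if len(rules) >= min_rules}


# Constructed events mirroring the report's IoCs (pids 4300 -> 2040 -> 2492),
# followed by two benign control events that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 13, "ProcessId": 2040, "Image": DROPPED,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" + "\\" + REG_KEY,
     "Details": f'"{DROPPED}" ..'},
    {"EventID": 11, "ProcessId": 2040, "Image": DROPPED,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
                       + "\\" + REG_KEY + ".exe"},
    {"EventID": 11, "ProcessId": 2040, "Image": DROPPED, "TargetFilename": r"C:\autorun.inf"},
    {"EventID": 11, "ProcessId": 2040, "Image": DROPPED, "TargetFilename": r"D:\autorun.inf"},
    {"EventID": 1, "ProcessId": 2492, "ParentProcessId": 2040, "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "CommandLine": f'netsh firewall add allowedprogram "{DROPPED}" "Realtek HD Audio Universal Windows.exe" ENABLE'},
    {"EventID": 3, "ProcessId": 2040, "Image": DROPPED,
     "DestinationHostname": C2_HOST, "DestinationPort": C2_PORT},
    {"EventID": 13, "ProcessId": 5000, "Image": r"C:\Program Files\Contoso\Updater.exe",
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ContosoUpdater",
     "Details": r'"C:\Program Files\Contoso\Updater.exe" /background'},
    {"EventID": 3, "ProcessId": 5000, "DestinationHostname": "update.contoso.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for pid, rules in correlate(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {', '.join(rules)}")
```

Running it reports pid 2040 with all five rules and nothing for the control pid 5000. Crediting the netsh ProcessCreate to its parent is what makes the firewall change show up on the same pid as the persistence writes; without that, each rule on its own is a weak signal (plenty of legitimate software writes Run values or adds firewall rules), while three or more on one process is worth an alert.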
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Realtek HD Audio Universal Windows.exe
  Filesize: 37KB
  MD5: 0242b77912d11030997cbf549f41a61c
  SHA1: d0fabf4bf6adff8f2ae3f827bf0a815fe00513cf
  SHA256: d143d732effee86f0bc7a3862cfbc20b3ff1f0759aa997b7a8a3e5568fdd4337
  SHA512: 52d1b86eb23d6bca79c2752a3a5d43ac5617495a8b0a9d387492e8eef9a56067913ddb79b6dab7228bde473cdca9713d69d642f6b04eac52bbb6cd15e23c706c
  All four hashes equal those of the submitted sample: the dropper copies itself unchanged into %APPDATA% under a driver-like name, so the same file hashes cover both the initial sample and the persisted copy.
- memory/2040-133-0x0000000000000000-mapping.dmp
- memory/2040-137-0x0000000074640000-0x0000000074BF1000-memory.dmp (Filesize 5.7MB)
- memory/2040-139-0x0000000074640000-0x0000000074BF1000-memory.dmp (Filesize 5.7MB)
- memory/2492-138-0x0000000000000000-mapping.dmp
- memory/4300-132-0x0000000074640000-0x0000000074BF1000-memory.dmp (Filesize 5.7MB)
- memory/4300-136-0x0000000074640000-0x0000000074BF1000-memory.dmp (Filesize 5.7MB)
The 0x74640000-0x74BF1000 region (5.7MB) is dumped at the same base from both pid 4300 and pid 2040, which is consistent with a shared 32-bit module loaded by the same binary running twice rather than with injected code; confirm by checking the dump for a PE header before treating it as a payload.