Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-12-2022 16:21
Behavioral task: behavioral1
- Sample: a1a64f8671681ba96b48cfd025a42449.exe
- Resource: win7-20220901-en

Behavioral task: behavioral2
- Sample: a1a64f8671681ba96b48cfd025a42449.exe
- Resource: win10v2004-20220812-en
General
- Target: a1a64f8671681ba96b48cfd025a42449.exe
- Size: 27KB
- MD5: a1a64f8671681ba96b48cfd025a42449
- SHA1: 13369f1d952151f24a50ab3506ad1541677f46e3
- SHA256: 6e1ebf0254015cbfe98dc308aaa75dd346309633e179f812174e564fb4b648ec
- SHA512: d8fb283df634142ddb696dcfe82fa7530cf0a1cdf35cafed29a45c4de27db799014ba3fdec1ef8226bd28f6ebd3856ba1d7518f1789a6bc0dac8521fc60a0bb6
- SSDEEP: 384:EL0M2XwBNOaLNOFs/Av2yeCP1BBvMl7AQk93vmhm7UMKmIEecKdbXTzm9bVhcaSy:St220U0Wl7A/vMHTi9bD
Malware Config
Extracted
- njrat
- v2.0
- Oliver
- 3.126.224.214:19586
- Windows
- reg_key: Windows
- splitter: |-F-|
Signatures

- Executes dropped EXE (1 IoCs)
  Processes: GeneratorV5Full.exe
    pid   process
    3544  GeneratorV5Full.exe

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: a1a64f8671681ba96b48cfd025a42449.exe
    - description: Key value queried
      ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
      process: a1a64f8671681ba96b48cfd025a42449.exe

- Drops startup file (2 IoCs)
  Processes: a1a64f8671681ba96b48cfd025a42449.exe, GeneratorV5Full.exe
    - description: File created
      ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
      process: a1a64f8671681ba96b48cfd025a42449.exe
    - description: File opened for modification
      ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
      process: GeneratorV5Full.exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: a1a64f8671681ba96b48cfd025a42449.exe
    - description: Set value (str)
      ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GeneratorV5Full.exe"
      process: a1a64f8671681ba96b48cfd025a42449.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Processes: GeneratorV5Full.exe
    description                        pid   process
    Token: SeDebugPrivilege            3544  GeneratorV5Full.exe
    Token: 33                          3544  GeneratorV5Full.exe
    Token: SeIncBasePriorityPrivilege  3544  GeneratorV5Full.exe
  The last two rows alternate for the remaining 30 entries (15 occurrences of each), all from pid 3544.

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: a1a64f8671681ba96b48cfd025a42449.exe
    description                       pid   process                               target process
    PID 4932 wrote to memory of 3544  4932  a1a64f8671681ba96b48cfd025a42449.exe  GeneratorV5Full.exe  (3 occurrences)
    PID 4932 wrote to memory of 4008  4932  a1a64f8671681ba96b48cfd025a42449.exe  attrib.exe           (3 occurrences)

- Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes

- C:\Users\Admin\AppData\Local\Temp\a1a64f8671681ba96b48cfd025a42449.exe  (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a1a64f8671681ba96b48cfd025a42449.exe"
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\GeneratorV5Full.exe  (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\GeneratorV5Full.exe"
    - Executes dropped EXE
    - Drops startup file
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\attrib.exe  (depth 2)
    Command line: attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\GeneratorV5Full.exe"
    - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\GeneratorV5Full.exe
  Filesize: 27KB
  MD5: a1a64f8671681ba96b48cfd025a42449
  SHA1: 13369f1d952151f24a50ab3506ad1541677f46e3
  SHA256: 6e1ebf0254015cbfe98dc308aaa75dd346309633e179f812174e564fb4b648ec
  SHA512: d8fb283df634142ddb696dcfe82fa7530cf0a1cdf35cafed29a45c4de27db799014ba3fdec1ef8226bd28f6ebd3856ba1d7518f1789a6bc0dac8521fc60a0bb6
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
  Filesize: 1KB
  MD5: c87a0c01932e2b874bc3b392253a663a
  SHA1: 51422af62636aaaedfccbe8e4f49ffc027a90989
  SHA256: 8a2b0b8a4e2bd3a1d8bad6ccd1dd2b92561b9abb7156b6701a6190458507795c
  SHA512: ffd135cebd6e00bb32e0fba5361554e617af27556022ab3cb04c43eae8121ebd17d3868bef382061d7cbc993e805e1501bd580bdcead8f77b44f8889ac14c0a8

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
  Filesize: 1KB
  MD5: 586210e5f1de944d08dd141fcadd408a
  SHA1: 0b539a283bfe6c23839a5c44f668af3ae205288d
  SHA256: 90a7d4cf6b4f075b45da710cf2f1fdfa71d0a654beb240fb74ff968ead06f742
  SHA512: 4a2ffa2d32f1bbcbfb1d0d76509717b9088ccb99557e47b03b03277524d4f1c6bc419dd91537ffd7e8fee7e427c017de3bec88c80c21c326388efe45c3dccca6
- memory/3544-134-0x0000000000000000-mapping.dmp
- memory/3544-141-0x00000000751C0000-0x0000000075771000-memory.dmp (Filesize: 5.7MB)
- memory/3544-142-0x00000000751C0000-0x0000000075771000-memory.dmp (Filesize: 5.7MB)
- memory/4008-137-0x0000000000000000-mapping.dmp
- memory/4932-132-0x00000000751C0000-0x0000000075771000-memory.dmp (Filesize: 5.7MB)
- memory/4932-133-0x00000000751C0000-0x0000000075771000-memory.dmp (Filesize: 5.7MB)
- memory/4932-138-0x00000000751C0000-0x0000000075771000-memory.dmp (Filesize: 5.7MB)