Analysis
Max time kernel: 174s
Max time network: 427s
Platform: windows10-2004_x64
Resource: win10v2004-20221111-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 05-12-2022 19:38
Behavioral task: behavioral1
Sample: a5e656cedb3fe0dfc90d3840add5669385e8d60347a9a47ca697beb4c6b871d8.exe
Resource: win7-20220812-en
General
Target: a5e656cedb3fe0dfc90d3840add5669385e8d60347a9a47ca697beb4c6b871d8.exe
Size: 29KB
MD5: 3490a3125771a2ddd8d9d633be4201b0
SHA1: 134db4d28672703ca6670b3f8d8823b1b1f877fe
SHA256: a5e656cedb3fe0dfc90d3840add5669385e8d60347a9a47ca697beb4c6b871d8
SHA512: 96ecf261d86f97cc0b091cc01ff109ece03bbbbbf20cdf00fb50b6f1024ffc966602bf20b1ada0f802c616c0797276e5afbfe0e6a488391d787e10a0fa15f0d2
SSDEEP: 384:CPqvANl7TxTD+VF2dbofPauxnaIuN15708COmqDk9jeHqGBsbh0w4wlAokw9Ohgd:5u75oa4fuTC8cqojeVBKh0p29SgRTn
Malware Config
Extracted
Family: njrat
Version: 0.6.4
Botnet: Stiva
C2: stivadns.zapto.org:1177
Mutex: c628feb012b1a51cfd51ff0ba11260eb
Attributes:
- reg_key: c628feb012b1a51cfd51ff0ba11260eb
- splitter: |'|'|
Signatures
-
Executes dropped EXE (1 IoCs)
Processes:
pid 2356 | process Java.exe
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | process: a5e656cedb3fe0dfc90d3840add5669385e8d60347a9a47ca697beb4c6b871d8.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory (3 IoCs)
Processes (description | pid | process | target process):
PID 1856 wrote to memory of 2356 | 1856 | a5e656cedb3fe0dfc90d3840add5669385e8d60347a9a47ca697beb4c6b871d8.exe | Java.exe
PID 1856 wrote to memory of 2356 | 1856 | a5e656cedb3fe0dfc90d3840add5669385e8d60347a9a47ca697beb4c6b871d8.exe | Java.exe
PID 1856 wrote to memory of 2356 | 1856 | a5e656cedb3fe0dfc90d3840add5669385e8d60347a9a47ca697beb4c6b871d8.exe | Java.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\a5e656cedb3fe0dfc90d3840add5669385e8d60347a9a47ca697beb4c6b871d8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a5e656cedb3fe0dfc90d3840add5669385e8d60347a9a47ca697beb4c6b871d8.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   -
   2. C:\ProgramData\Java.exe (child of 1)
      Command line: "C:\ProgramData\Java.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\Java.exe
Filesize: 29KB
MD5: 3490a3125771a2ddd8d9d633be4201b0
SHA1: 134db4d28672703ca6670b3f8d8823b1b1f877fe
SHA256: a5e656cedb3fe0dfc90d3840add5669385e8d60347a9a47ca697beb4c6b871d8
SHA512: 96ecf261d86f97cc0b091cc01ff109ece03bbbbbf20cdf00fb50b6f1024ffc966602bf20b1ada0f802c616c0797276e5afbfe0e6a488391d787e10a0fa15f0d2
-
memory/1856-132-0x0000000074710000-0x0000000074CC1000-memory.dmp
Filesize: 5.7MB
-
memory/1856-133-0x0000000074710000-0x0000000074CC1000-memory.dmp
Filesize: 5.7MB
-
memory/1856-139-0x0000000074710000-0x0000000074CC1000-memory.dmp
Filesize: 5.7MB
-
memory/2356-134-0x0000000000000000-mapping.dmp
-
memory/2356-137-0x0000000074710000-0x0000000074CC1000-memory.dmp
Filesize: 5.7MB
-
memory/2356-138-0x0000000074710000-0x0000000074CC1000-memory.dmp
Filesize: 5.7MB