Analysis
-
max time kernel
150s
-
max time network
152s
-
platform
windows10-2004_x64
-
resource
win10v2004-20221111-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
-
submitted
25-01-2023 11:31
Behavioral task
behavioral1
Sample
c0dbbc6e77a3b9cdad5563e7c814e053.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
c0dbbc6e77a3b9cdad5563e7c814e053.exe
Resource
win10v2004-20221111-en
General
-
Target
c0dbbc6e77a3b9cdad5563e7c814e053.exe
-
Size
37KB
-
MD5
c0dbbc6e77a3b9cdad5563e7c814e053
-
SHA1
c814d27d1c1e7963c7d3ba533025918d70fc1ef2
-
SHA256
62723ed12c72ceb21bc77c63811f58ab082b36bd8487531d8b52e4de5030c7f1
-
SHA512
7f6bd0194165cc713a35139f1a342fe3150d0b53996985d8cb487b1c1cd9ea352d2d21941bd9f26920f73953185d814c9c95e976b82ccd1cd66fb50e6258364a
-
SSDEEP
384:OA0GK3hUidkcXR21cGMy8P4E5fXUFl6M0lrAF+rMRTyN/0L+EcoinblneHQM3ep:R0GK3rLGv8P4E58qMorM+rMRa8Nunmt
Malware Config
Extracted
Family
njrat
-
Version
im523
-
Botnet
HacKed
-
C2
104.22.32.240:443
-
Mutex
a1d3fe53d6645a42400095b4adec79f5
-
reg_key
a1d3fe53d6645a42400095b4adec79f5
-
splitter
|'|'|
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
1584 | server.exe
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | c0dbbc6e77a3b9cdad5563e7c814e053.exe
-
Drops startup file 2 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a1d3fe53d6645a42400095b4adec79f5.exe | server.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a1d3fe53d6645a42400095b4adec79f5.exe | server.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a1d3fe53d6645a42400095b4adec79f5 = "\"C:\\Windows\\server.exe\" .." | server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\a1d3fe53d6645a42400095b4adec79f5 = "\"C:\\Windows\\server.exe\" .." | server.exe
-
Drops file in Windows directory 3 IoCs
Processes:
description | ioc | process
File created | C:\Windows\server.exe | c0dbbc6e77a3b9cdad5563e7c814e053.exe
File opened for modification | C:\Windows\server.exe | c0dbbc6e77a3b9cdad5563e7c814e053.exe
File opened for modification | C:\Windows\server.exe | server.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 1 IoCs
Processes:
pid | process
4724 | taskkill.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
1584 | server.exe (64 occurrences)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
1584 | server.exe
-
Suspicious use of AdjustPrivilegeToken 36 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1584 | server.exe
Token: SeDebugPrivilege | 4724 | taskkill.exe
Token: 33 | 1584 | server.exe (17 occurrences, alternating with the row below)
Token: SeIncBasePriorityPrivilege | 1584 | server.exe (17 occurrences)
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target process
PID 4160 wrote to memory of 1584 | 4160 | c0dbbc6e77a3b9cdad5563e7c814e053.exe | server.exe (3 occurrences)
PID 1584 wrote to memory of 3868 | 1584 | server.exe | netsh.exe (3 occurrences)
PID 1584 wrote to memory of 4724 | 1584 | server.exe | taskkill.exe (3 occurrences)
Processes
-
C:\Users\Admin\AppData\Local\Temp\c0dbbc6e77a3b9cdad5563e7c814e053.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\c0dbbc6e77a3b9cdad5563e7c814e053.exe"
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\server.exe (depth 2)
Command line: "C:\Windows\server.exe"
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe (depth 3)
Command line: netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\taskkill.exe (depth 3)
Command line: taskkill /F /IM Exsample.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Windows\server.exe
Filesize 37KB
MD5 c0dbbc6e77a3b9cdad5563e7c814e053
SHA1 c814d27d1c1e7963c7d3ba533025918d70fc1ef2
SHA256 62723ed12c72ceb21bc77c63811f58ab082b36bd8487531d8b52e4de5030c7f1
SHA512 7f6bd0194165cc713a35139f1a342fe3150d0b53996985d8cb487b1c1cd9ea352d2d21941bd9f26920f73953185d814c9c95e976b82ccd1cd66fb50e6258364a
-
memory/1584-133-0x0000000000000000-mapping.dmp
-
memory/1584-137-0x0000000074B90000-0x0000000075141000-memory.dmp
Filesize 5.7MB
-
memory/1584-140-0x0000000074B90000-0x0000000075141000-memory.dmp
Filesize 5.7MB
-
memory/3868-138-0x0000000000000000-mapping.dmp
-
memory/4160-132-0x0000000074B90000-0x0000000075141000-memory.dmp
Filesize 5.7MB
-
memory/4160-136-0x0000000074B90000-0x0000000075141000-memory.dmp
Filesize 5.7MB
-
memory/4724-139-0x0000000000000000-mapping.dmp