Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-01-2023 08:41
Behavioral task
- behavioral1
  Sample: abef5960fcda8c82d1fdbb291e7a9012.exe
  Resource: win7-20221111-en
General
- Target: abef5960fcda8c82d1fdbb291e7a9012.exe
- Size: 472KB
- MD5: abef5960fcda8c82d1fdbb291e7a9012
- SHA1: 84e03cd48d7fec40753fc1226c88013f39bedcc0
- SHA256: 2ab90c3a95b4caa67473c8ac945ce0b69ae3b7d5778bd431214900812ab6fb3f
- SHA512: 10a92617477010bfb1550fdecc7f8dbd16b7debd6916b9c683e24931960f5aef1434f5346d1341c5bd77599267eee259e9f047565df32dc55a4be71302a5e515
- SSDEEP: 12288:u/N73EBM32LTQ9/hFou9SoUEZkmNlYX07i:u/N463oKrou/vZkmv3
Malware Config
Extracted (njrat)
- <- NjRAT 0.7d Horror Edition ->
- HacK
- 0.tcp.in.ngrok.io:11408
- f98d9d08ffb40400218be2d9b125d7d3
- reg_key: f98d9d08ffb40400218be2d9b125d7d3
- splitter: Y262SUCZ4UJJ
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    4640  LocalStaFvjUblU.exe
    2104  hoodies.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | abef5960fcda8c82d1fdbb291e7a9012.exe
    Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | LocalStaFvjUblU.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process):
    4640  LocalStaFvjUblU.exe (all 64 entries are this process)
- Suspicious use of AdjustPrivilegeToken (34 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege | 4640 | LocalStaFvjUblU.exe
    Token: SeDebugPrivilege | 2104 | hoodies.exe
    Token: 33 | 2104 | hoodies.exe
    Token: SeIncBasePriorityPrivilege | 2104 | hoodies.exe
    (the last two entries alternate for the remaining 32 IoCs, all for pid 2104 hoodies.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 1096 wrote to memory of 4640 | 1096 | abef5960fcda8c82d1fdbb291e7a9012.exe | LocalStaFvjUblU.exe (3 entries)
    PID 4640 wrote to memory of 2104 | 4640 | LocalStaFvjUblU.exe | hoodies.exe (3 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\abef5960fcda8c82d1fdbb291e7a9012.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\abef5960fcda8c82d1fdbb291e7a9012.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\LocalStaFvjUblU.exe (child of [1])
    Command line: "C:\Users\Admin\AppData\LocalStaFvjUblU.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\hoodies.exe (child of [2])
      Command line: "C:\Users\Admin\hoodies.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalStaFvjUblU.exe
  Filesize: 55KB
  MD5: 4f8d0d9157298433bf22955d30462d72
  SHA1: 5fe06ac65da8bbc98689c496ccfe36eae898e698
  SHA256: 8ac73cedb35abeb387e8ae77f418305d3e389a84756488c84338b58721edf373
  SHA512: b0c9bba9f32b25287a7f8d2339b8556bb354dc177eb4cec79e4563e3b73d499bfba378677e115b0bc290eec55f1899e8d7d2a9457100f4d3b80d594fa9c936ac
- C:\Users\Admin\hoodies.exe
  Filesize: 55KB
  MD5: 4f8d0d9157298433bf22955d30462d72
  SHA1: 5fe06ac65da8bbc98689c496ccfe36eae898e698
  SHA256: 8ac73cedb35abeb387e8ae77f418305d3e389a84756488c84338b58721edf373
  SHA512: b0c9bba9f32b25287a7f8d2339b8556bb354dc177eb4cec79e4563e3b73d499bfba378677e115b0bc290eec55f1899e8d7d2a9457100f4d3b80d594fa9c936ac
- memory/1096-132-0x00007FF8B2550000-0x00007FF8B2F86000-memory.dmp
  Filesize: 10.2MB
- memory/2104-137-0x0000000000000000-mapping.dmp
- memory/2104-141-0x0000000074B90000-0x0000000075141000-memory.dmp
  Filesize: 5.7MB
- memory/2104-142-0x0000000074B90000-0x0000000075141000-memory.dmp
  Filesize: 5.7MB
- memory/4640-133-0x0000000000000000-mapping.dmp
- memory/4640-136-0x0000000074B90000-0x0000000075141000-memory.dmp
  Filesize: 5.7MB
- memory/4640-140-0x0000000074B90000-0x0000000075141000-memory.dmp
  Filesize: 5.7MB