Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
submitted: 01-02-2023 20:32
Behavioral task: behavioral1
Sample: LocalStaFvjUblU.exe
Resource: win7-20221111-en
General
Target: LocalStaFvjUblU.exe
Size: 55KB
MD5: 4f8d0d9157298433bf22955d30462d72
SHA1: 5fe06ac65da8bbc98689c496ccfe36eae898e698
SHA256: 8ac73cedb35abeb387e8ae77f418305d3e389a84756488c84338b58721edf373
SHA512: b0c9bba9f32b25287a7f8d2339b8556bb354dc177eb4cec79e4563e3b73d499bfba378677e115b0bc290eec55f1899e8d7d2a9457100f4d3b80d594fa9c936ac
SSDEEP: 1536:hUsoDnb4DNQ7SCCHDrwsNMDPXExI3pmZm:poDnEWOrHDrwsNMDPXExI3pm
Malware Config
Extracted
njrat
<- NjRAT 0.7d Horror Edition ->
HacK
0.tcp.in.ngrok.io:11408
f98d9d08ffb40400218be2d9b125d7d3
reg_key: f98d9d08ffb40400218be2d9b125d7d3
splitter: Y262SUCZ4UJJ
Signatures
Executes dropped EXE (1 IoCs)
Processes:
  pid 432  process hoodies.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried  ioc: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation  process: LocalStaFvjUblU.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid 3960  process LocalStaFvjUblU.exe  (64 identical entries)
Suspicious use of AdjustPrivilegeToken (36 IoCs)
Processes:
  Token: SeDebugPrivilege  pid 3960  process LocalStaFvjUblU.exe
  Token: SeDebugPrivilege  pid 432  process hoodies.exe
  Token: 33  pid 432  process hoodies.exe  (repeated, alternating with the next entry, for the remaining 34 IoCs)
  Token: SeIncBasePriorityPrivilege  pid 432  process hoodies.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description: PID 3960 wrote to memory of 432  pid 3960  process LocalStaFvjUblU.exe  target process hoodies.exe  (3 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\LocalStaFvjUblU.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\LocalStaFvjUblU.exe"
   - Checks computer location settings
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\hoodies.exe (child of process 1)
   command line: "C:\Users\Admin\hoodies.exe"
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix: ATT&CK v6
Downloads
C:\Users\Admin\hoodies.exe
  Filesize: 55KB
  MD5: 4f8d0d9157298433bf22955d30462d72
  SHA1: 5fe06ac65da8bbc98689c496ccfe36eae898e698
  SHA256: 8ac73cedb35abeb387e8ae77f418305d3e389a84756488c84338b58721edf373
  SHA512: b0c9bba9f32b25287a7f8d2339b8556bb354dc177eb4cec79e4563e3b73d499bfba378677e115b0bc290eec55f1899e8d7d2a9457100f4d3b80d594fa9c936ac
memory/432-133-0x0000000000000000-mapping.dmp
memory/432-137-0x0000000075190000-0x0000000075741000-memory.dmp
  Filesize: 5.7MB
memory/432-138-0x0000000075190000-0x0000000075741000-memory.dmp
  Filesize: 5.7MB
memory/3960-132-0x0000000075190000-0x0000000075741000-memory.dmp
  Filesize: 5.7MB
memory/3960-136-0x0000000075190000-0x0000000075741000-memory.dmp
  Filesize: 5.7MB