Analysis
- max time kernel: 52s
- max time network: 58s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-02-2023 18:05
General
- Target: Server.exe
- Size: 37KB
- MD5: 77a061d54196511fb985ad08f61b4681
- SHA1: e783b16bf42144aac4acf441fce87415e0dca275
- SHA256: 02175550330b76de111ae886a542242298c5b50b26f5d49a520fbe1481e52aab
- SHA512: 0292ebd71c561c6ad5ed841ba63e85b4606fd8c612eeb6d925a4e66933da19b3241569c3ce21b6451cf7eced02b0dea8e6893b2511ed041fdaf141052d9c3086
- SSDEEP: 384:calayyaik9hkdTnNiybYT81PRsc4jWj7rAF+rMRTyN/0L+EcoinblneHQM3epzX6:NgyCxNxbYT81y1WHrM+rMRa8Nu4Bt
Malware Config
Extracted
- Family: njrat
- Version: im523
- Botnet: HacKed
- C2: considered-arrest.at.ply.gg:19159
- Mutex: 8b1b4ed3028d60637b47ebe2ea5ce8d7
- reg_key: 8b1b4ed3028d60637b47ebe2ea5ce8d7
- splitter: |'|'|
Signatures
- Disables Task Manager via registry modification
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: Server.exe, Runtime Broker.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation (Server.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation (Runtime Broker.exe)
- Executes dropped EXE (1 IoCs)
  Processes: Runtime Broker.exe
  - PID 1444: Runtime Broker.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry key (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (11 IoCs)
  Processes: Runtime Broker.exe (PID 1444)
  - Token: SeDebugPrivilege (1x)
  - Token: 33 (5x)
  - Token: SeIncBasePriorityPrivilege (5x)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: Server.exe, Runtime Broker.exe, cmd.exe
  - PID 5016 (Server.exe) wrote to memory of PID 1444 (Runtime Broker.exe) (3x)
  - PID 1444 (Runtime Broker.exe) wrote to memory of PID 752 (netsh.exe) (3x)
  - PID 1444 (Runtime Broker.exe) wrote to memory of PID 4888 (cmd.exe) (3x)
  - PID 4888 (cmd.exe) wrote to memory of PID 5104 (reg.exe) (3x)
Processes
- C:\Users\Admin\AppData\Local\Temp\Server.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Runtime Broker.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
    Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" "Runtime Broker.exe" ENABLE
      Signatures: Modifies Windows Firewall
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp908.tmp.bat" "
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (depth 4)
        Command line: REG add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        Signatures: Modifies registry key
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp908.tmp.bat
  Filesize: 109B
  MD5: c8e1c290640046814ab4e6fd65eb372b
  SHA1: ca18c9fb819873e0f60b978708bc50a47f81a0ae
  SHA256: cb7f932b08cebf30383abbf8fdd4b2c47cbeb31f4876827bc24b0e0b4acdea53
  SHA512: 12a2f980af8b1a1c65f05d05dd8129281f1135d143cf0ab904a7ab09775532aafa48f9ed395de134c3fb4a621dee71ccf709af931806609905ecc2e51ec4d994
- C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
  Filesize: 37KB
  MD5: 77a061d54196511fb985ad08f61b4681
  SHA1: e783b16bf42144aac4acf441fce87415e0dca275
  SHA256: 02175550330b76de111ae886a542242298c5b50b26f5d49a520fbe1481e52aab
  SHA512: 0292ebd71c561c6ad5ed841ba63e85b4606fd8c612eeb6d925a4e66933da19b3241569c3ce21b6451cf7eced02b0dea8e6893b2511ed041fdaf141052d9c3086
- memory/752-138-0x0000000000000000-mapping.dmp
- memory/1444-133-0x0000000000000000-mapping.dmp
- memory/1444-137-0x0000000074E50000-0x0000000075401000-memory.dmp (Filesize: 5.7MB)
- memory/1444-139-0x0000000074E50000-0x0000000075401000-memory.dmp (Filesize: 5.7MB)
- memory/4888-140-0x0000000000000000-mapping.dmp
- memory/5016-132-0x0000000074E50000-0x0000000075401000-memory.dmp (Filesize: 5.7MB)
- memory/5016-136-0x0000000074E50000-0x0000000075401000-memory.dmp (Filesize: 5.7MB)
- memory/5104-142-0x0000000000000000-mapping.dmp