Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-02-2023 01:32
Behavioral task behavioral1
Sample: 1244-56-0x00000000003E0000-0x00000000003EA000-memory.exe
Resource: win7-20220812-en
Behavioral task behavioral2
Sample: 1244-56-0x00000000003E0000-0x00000000003EA000-memory.exe
Resource: win10v2004-20221111-en
The results on this page are from behavioral2 (the win10v2004-20221111-en run named in the analysis metadata above).
General
Target: 1244-56-0x00000000003E0000-0x00000000003EA000-memory.exe
Size: 40KB
MD5: 54804479a9d505013067bc3fa5de1d98
SHA1: 99d0ae239cb09cc78c996d6db6a01ef37bca2866
SHA256: 47ef8a83ff586e9eb82f68c7095b8d1470cdea4ed03c7eeb102508cbfe4f06f1
SHA512: d6152f8f7eb197d36bac30f06a566dedfbbd1364bb4e82fcaded058ea4cd376f469fed18a53c8df55e222298768e17cc6734a93e07cd3ed420c615f2d607f3ff
SSDEEP: 384:8Pwz6+T4IjWZFNwXU0eiNUBdvt6lgT+lLOhXxQmRvR6JZlbw8hqIusZzZfB:8ETbC81NgRpcnu+
The file name follows the sandbox's convention for a memory region dumped out of a process (PID 1244, range 0x3E0000-0x3EA000) in an earlier run; 0x3EA000 - 0x3E0000 = 0xA000 = 40960 bytes, which matches the 40KB size. The submission is therefore a carved in-memory image rather than the original dropper, which is why it runs straight into njRAT behaviour with no unpacking stage in the process tree.
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: HacKed
C2: gololosd.ddns.net:9090
Mutex: 151fd47f794ef2318b946b794bcd6603
Attributes:
reg_key: 151fd47f794ef2318b946b794bcd6603
splitter: |'|'|
"HacKed" is njRAT's default campaign name, so it says nothing about the operator. The 32-hex identifier is reused as the mutex, the Run value name and the Startup file name (see the signatures below), which makes it the most specific host-level pivot; the DDNS host and port are the network pivot, and the splitter is the field delimiter of njRAT's C2 protocol.
Signatures

Modifies Windows Firewall (1 TTP, 1 IoC)
netsh.exe is launched to whitelist the dropped binary in the host firewall; the command line is shown in the process tree below.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, possibly for geofencing.
Process: 1244-56-0x00000000003E0000-0x00000000003EA000-memory.exe
Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation
Caveat: ordinary locale initialization (GetUserGeoID, which the .NET runtime calls when it sets up the current culture) reads this same value, and njRAT is a .NET family, so this hit on its own is weak evidence of geofencing.

Drops startup file (2 IoCs)
Process: taskmgr.exe
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\151fd47f794ef2318b946b794bcd6603.exe
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\151fd47f794ef2318b946b794bcd6603.exe

Executes dropped EXE (1 IoC)
PID 1032: taskmgr.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Process: taskmgr.exe
Set value (str): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\151fd47f794ef2318b946b794bcd6603 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\taskmgr.exe\" .."
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\151fd47f794ef2318b946b794bcd6603 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\taskmgr.exe\" .."
Note: the value name is the reg_key from the extracted config, and the trailing " .." argument is njRAT's characteristic self-registration. The machine-wide value lands under WOW6432Node because the process is 32-bit (the same reason the child netsh.exe runs from SysWOW64).

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drives. The sandbox's generic text for this signature reads "likely ransomware behaviour"; for njRAT the drive enumeration matches its built-in file manager and removable-drive spreading, and no file encryption is reported anywhere on this page.

Suspicious use of AdjustPrivilegeToken (33 IoCs)
Process: taskmgr.exe (PID 1032)
Token: SeDebugPrivilege once, then Token: 33 and Token: SeIncBasePriorityPrivilege alternating (16 pairs, 33 entries in total)

Suspicious use of WriteProcessMemory (6 IoCs)
PID 4032 (1244-56-0x00000000003E0000-0x00000000003EA000-memory.exe) wrote to memory of PID 1032 (taskmgr.exe), logged 3 times
PID 1032 (taskmgr.exe) wrote to memory of PID 1572 (netsh.exe), logged 3 times
Note: both entries are a parent writing into a child it has just created, which this sandbox logs for every spawn; they are not evidence of code injection on their own, and the child taskmgr.exe is a byte-identical copy of the sample (hashes under Downloads).
Processes

C:\Users\Admin\AppData\Local\Temp\1244-56-0x00000000003E0000-0x00000000003EA000-memory.exe (PID 4032)
  "C:\Users\Admin\AppData\Local\Temp\1244-56-0x00000000003E0000-0x00000000003EA000-memory.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\taskmgr.exe (PID 1032, child of 4032)
    "C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\netsh.exe (PID 1572, child of 1032)
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\taskmgr.exe" "taskmgr.exe" ENABLE
      - Modifies Windows Firewall

The netsh call uses the legacy "netsh firewall" context, deprecated since Windows Vista; Windows 10 still executes it (with a deprecation notice) and maps it onto Windows Defender Firewall, so the allow rule is created. The modern equivalent is "netsh advfirewall firewall add rule ... program=...", and a detection should cover both spellings.
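The chain in this tree (self-copy to %TEMP%, a Run value and a Startup drop sharing one identifier, then netsh whitelisting the copy) is what a detection should correlate rather than alert on piecemeal. The Python below is an added example written for this page, not code from the sandbox or from the njRAT project: it runs a few Sysmon-style rules over events constructed from the report's IoCs (plus one benign decoy), attributes each hit to the acting process, and raises the verdict only when several rules agree. The event layout, the rule names, and the handling of the advfirewall spelling are assumptions made for the illustration.

```python
"""Correlate the njRAT persistence chain from this report over constructed Sysmon-style
events. Added example for this page; not the sandbox's or njRAT's own code."""
import re

# Event ids follow Sysmon: 1 = process create, 11 = file create, 13 = registry value set.
# The records below are constructed from the report's IoCs plus one benign decoy;
# they are not real telemetry from the sandbox run.
TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
STARTUP_EXE = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
               r"\Startup\151fd47f794ef2318b946b794bcd6603.exe")
SID = r"S-1-5-21-4246620582-653642754-1174164128-1000"
SAMPLE_EVENTS = [
    {"id": 13, "pid": 1032, "image": TEMP_EXE,
     "target": rf"HKU\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\151fd47f794ef2318b946b794bcd6603",
     "details": f'"{TEMP_EXE}" ..'},
    {"id": 13, "pid": 1032, "image": TEMP_EXE,
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\151fd47f794ef2318b946b794bcd6603",
     "details": f'"{TEMP_EXE}" ..'},
    {"id": 11, "pid": 1032, "image": TEMP_EXE, "target": STARTUP_EXE},
    {"id": 1, "pid": 1572, "ppid": 1032, "parent_image": TEMP_EXE,
     "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": f'netsh firewall add allowedprogram "{TEMP_EXE}" "taskmgr.exe" ENABLE'},
    # Benign decoy: a vendor updater registering a Run value that points into Program Files.
    {"id": 13, "pid": 500, "image": r"C:\Program Files\Vendor\app.exe",
     "target": rf"HKU\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r'"C:\Program Files\Vendor\updater.exe" /silent'},
]

# Locations any unprivileged process can write to; a Run value or firewall allow rule
# pointing there is the suspicious part, not the Run value or the rule by itself.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Local\\Temp|Roaming)\\", re.I)
RUN_VALUE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
STARTUP_FILE = re.compile(r"\\Start Menu\\Programs\\Startup\\([^\\]+)$", re.I)
# Legacy context as seen in the report, plus the advfirewall form (assumed extension).
LEGACY_ALLOW = re.compile(r'\bfirewall\s+add\s+allowedprogram\s+(?:"([^"]+)"|(\S+))', re.I)
ADV_ALLOW = re.compile(r'\badvfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=(?:"([^"]+)"|(\S+))', re.I)


def firewall_program(cmdline):
    """Return the program path a netsh command whitelists, or None if it adds no allow rule."""
    for rx in (LEGACY_ALLOW, ADV_ALLOW):
        m = rx.search(cmdline)
        if m:
            return m.group(1) or m.group(2)
    return None


def evaluate(events):
    """Attribute rule hits to the acting process (a netsh child is charged to its parent)
    and return {pid: {"image", "rules", "tags", "names", "verdict"}} for each pid with a hit."""
    hits = {}

    def note(pid, image, rule=None, tag=None, name=None):
        h = hits.setdefault(pid, {"image": image, "rules": set(), "tags": set(), "names": set()})
        if rule:
            h["rules"].add(rule)
        if tag:
            h["tags"].add(tag)
        if name:
            h["names"].add(name.lower())

    for ev in events:
        if ev["id"] == 13:
            m = RUN_VALUE.search(ev["target"])
            if m and USER_WRITABLE.search(ev["details"]):
                note(ev["pid"], ev["image"], rule="run_key_to_user_writable_path", name=m.group(1))
                # njRAT registers itself as "<path>" .. ; the trailing " .." is a cheap family marker.
                if ev["details"].rstrip().endswith(" .."):
                    note(ev["pid"], ev["image"], tag="njrat_dotdot_argument")
        elif ev["id"] == 11:
            m = STARTUP_FILE.search(ev["target"])
            if m and USER_WRITABLE.search(ev["image"]):
                note(ev["pid"], ev["image"], rule="startup_folder_drop_from_user_writable",
                     name=m.group(1).rsplit(".", 1)[0])
        elif ev["id"] == 1 and ev["image"].lower().endswith("\\netsh.exe"):
            prog = firewall_program(ev["cmdline"])
            if prog and USER_WRITABLE.search(prog):
                note(ev["ppid"], ev["parent_image"], rule="netsh_allow_user_writable_program")

    both = {"run_key_to_user_writable_path", "startup_folder_drop_from_user_writable"}
    for h in hits.values():
        # Run value name equal to the Startup file basename is the reg_key reuse seen in this report.
        if both <= h["rules"] and len(h["names"]) == 1:
            h["tags"].add("same_identifier_in_run_key_and_startup_file")
        h["verdict"] = "high" if len(h["rules"]) >= 2 else "low"
    return hits


if __name__ == "__main__":
    for pid, h in sorted(evaluate(SAMPLE_EVENTS).items()):
        print(pid, h["image"], h["verdict"], sorted(h["rules"]), sorted(h["tags"]))
```

Run as-is, only PID 1032 is reported, with all three rules and both tags; the decoy never appears because its Run value points into Program Files. Charging the netsh hit to the parent is what ties the firewall change to the process that dropped the file, and the "same identifier" tag is the cheapest way to turn two medium-confidence hits into one high-confidence one for this family.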
Downloads

C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
Filesize: 40KB
MD5: 54804479a9d505013067bc3fa5de1d98
SHA1: 99d0ae239cb09cc78c996d6db6a01ef37bca2866
SHA256: 47ef8a83ff586e9eb82f68c7095b8d1470cdea4ed03c7eeb102508cbfe4f06f1
SHA512: d6152f8f7eb197d36bac30f06a566dedfbbd1364bb4e82fcaded058ea4cd376f469fed18a53c8df55e222298768e17cc6734a93e07cd3ed420c615f2d607f3ff
(The report lists this file twice with identical values; the duplicate entry is omitted here.)
These hashes are identical to the submitted sample's, so the dropped taskmgr.exe is a byte-for-byte self-copy into %TEMP%, not a second-stage payload. Blocking or hunting on the SHA256 above covers both the submission and the persisted copy.

Memory dumps
memory/1032-133-0x0000000000000000-mapping.dmp
memory/1032-137-0x00000000754C0000-0x0000000075A71000-memory.dmp (5.7MB)
memory/1032-139-0x00000000754C0000-0x0000000075A71000-memory.dmp (5.7MB)
memory/1572-138-0x0000000000000000-mapping.dmp
memory/4032-132-0x00000000754C0000-0x0000000075A71000-memory.dmp (5.7MB)
memory/4032-136-0x00000000754C0000-0x0000000075A71000-memory.dmp (5.7MB)
The same 5.7MB region at 0x754C0000 is dumped from both the parent (4032) and the child (1032); an identical base and size in two processes is consistent with a shared 32-bit module mapped at the same address rather than with an unpacked payload, so these dumps are unlikely to add anything beyond the 40KB image already on file.