Analysis
-
max time kernel
152s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system -
submitted
21-03-2023 01:00
Behavioral task
behavioral1
Sample
a7a1f3e3bfc8abc1006276f3cb3bdaa1ff697b9fde421d6d2a181165db11377e.exe
Resource
win7-20230220-en
General
-
Target
a7a1f3e3bfc8abc1006276f3cb3bdaa1ff697b9fde421d6d2a181165db11377e.exe
-
Size
93KB
-
MD5
123acf74540b652a549c5d664b627663
-
SHA1
57a8230ac3fa6fe42a563c3355aa0512f4939098
-
SHA256
a7a1f3e3bfc8abc1006276f3cb3bdaa1ff697b9fde421d6d2a181165db11377e
-
SHA512
95a94265a64087fe37e22d47a8f11499a036f9f8d949d83f86ac1af02267c83765c5bdc1ab53cb4ee9ed7db41bda854b2ee9931611a82e911e0b5317a44d1c19
-
SSDEEP
768:rY30UBnkpjTMpALPGMtsas88EtNXhe9Y1mxCXxrjEtCdnl2pi1Rz4Rk3asGdpxgM:lURkVbPGHz88EbB1pjEwzGi1dDWDxgS
Malware Config
Extracted
njrat
0.7d
HacKed
YXJ0LW5vdmVsdHkuYXQucGx5Lmdn:MjU1NjU=
8a45c8c850efba42d799d8b1b94ad051
-
reg_key
8a45c8c850efba42d799d8b1b94ad051
-
splitter
|'|'|
Signatures
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
a7a1f3e3bfc8abc1006276f3cb3bdaa1ff697b9fde421d6d2a181165db11377e.exe
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation
process: a7a1f3e3bfc8abc1006276f3cb3bdaa1ff697b9fde421d6d2a181165db11377e.exe
-
Executes dropped EXE 1 IoCs
Processes:
server.exe
pid: 1432
process: server.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
server.exe
pid: 1432
process: server.exe
(the same row, pid 1432 server.exe, is listed 64 times)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
server.exe
pid: 1432
process: server.exe
-
Suspicious use of AdjustPrivilegeToken 35 IoCs
Processes:
server.exe
description: Token: SeDebugPrivilege, pid 1432, process server.exe (1 row)
description: Token: 33, pid 1432, process server.exe (17 rows)
description: Token: SeIncBasePriorityPrivilege, pid 1432, process server.exe (17 rows)
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
a7a1f3e3bfc8abc1006276f3cb3bdaa1ff697b9fde421d6d2a181165db11377e.exe
server.exe
description: PID 2756 wrote to memory of 1432, pid 2756, process a7a1f3e3bfc8abc1006276f3cb3bdaa1ff697b9fde421d6d2a181165db11377e.exe, target process server.exe (3 rows)
description: PID 1432 wrote to memory of 2212, pid 1432, process server.exe, target process netsh.exe (3 rows)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\a7a1f3e3bfc8abc1006276f3cb3bdaa1ff697b9fde421d6d2a181165db11377e.exe
   "C:\Users\Admin\AppData\Local\Temp\a7a1f3e3bfc8abc1006276f3cb3bdaa1ff697b9fde421d6d2a181165db11377e.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
-
2. C:\Users\Admin\AppData\Roaming\server.exe
   "C:\Users\Admin\AppData\Roaming\server.exe"
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
-
3. C:\Windows\SysWOW64\netsh.exe
   netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
   - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\app
Filesize 5B
MD5 f478c76bbb3174dbc7fabae62224f818
SHA1 bed239508bad9fcd15a9bdea1e132f62468d07d1
SHA256 d7a0af52f260c87ef40bdfc1f1196faf7797593d62c6120ae99957d78762ed1a
SHA512 b653aa05746c721c9129456de3798d9e94385a0e5630c5d497fa0d6076274560885edd5875232b40d07aafa3f0e929e9b3bf2ff388ad2c21b3589cb01b79f94b
-
C:\Users\Admin\AppData\Roaming\server.exe
Filesize 93KB
MD5 123acf74540b652a549c5d664b627663
SHA1 57a8230ac3fa6fe42a563c3355aa0512f4939098
SHA256 a7a1f3e3bfc8abc1006276f3cb3bdaa1ff697b9fde421d6d2a181165db11377e
SHA512 95a94265a64087fe37e22d47a8f11499a036f9f8d949d83f86ac1af02267c83765c5bdc1ab53cb4ee9ed7db41bda854b2ee9931611a82e911e0b5317a44d1c19
-
memory/1432-146-0x00000000012C0000-0x00000000012D0000-memory.dmp
Filesize 64KB
-
memory/1432-147-0x00000000012C0000-0x00000000012D0000-memory.dmp
Filesize 64KB
-
memory/2756-133-0x0000000001AE0000-0x0000000001AF0000-memory.dmp
Filesize 64KB