Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-03-2023 20:38
Static task: static1
Behavioral task: behavioral1
- Sample: sample.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: sample.exe
- Resource: win10v2004-20230220-en
General
- Target: sample.exe
- Size: 4.6MB
- MD5: 7e8ba9fb61fa408145919b871075e1c9
- SHA1: d166c427649f37085719c0591fb0b8da077dc0db
- SHA256: 3577afb909325c2982c63bc78b6f888fa3e68ae29ca2c788afbb95bcd04feeaa
- SHA512: 3be86970072d578cda053b4823075f5e3ec9600b16cb6073e4c0cb0b248547fb152521aedad2fbcdfdd6fac5cb3214e0ac2bd62337c702a07f4ae440ce6d80cf
- SSDEEP: 49152:Op+gbAnNQKwjVqrtjMAg5myuPvD3ZOYWrKvn+V3peuTTpGT3s/Z4N+CKsoY0r:8
Malware Config
Extracted
- Family: njrat
- Version: v2.0
- Botnet: HacKed
- C2: vesperiskindagoated.hopto.org:5552
- Mutex: WSecurityKey
- reg_key: WSecurityKey
- splitter: |-F-|
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: sample.exe, paylod.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | sample.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | paylod.exe
- Drops startup file (5 IoCs)
  Processes: paylod.exe, Payload.exe, attrib.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSecurityKey.lnk | paylod.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSecurityKey.lnk | Payload.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSecurityKey.exe | Payload.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSecurityKey.exe | Payload.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSecurityKey.exe | attrib.exe
- Executes dropped EXE (3 IoCs)
  Processes: paylod.exe, Mercurial.exe, Payload.exe
  pid | process
  5092 | paylod.exe
  1068 | Mercurial.exe
  4672 | Payload.exe
- Adds Run key to start application (2 TTPs, 5 IoCs)
  Processes: Payload.exe, paylod.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WSecurityKey2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\WSecurityKey.URL" | Payload.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WSecurityKey2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\WSecurityKey.URL" | Payload.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WSecurityKey = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\WSecurityKey.URL" | Payload.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WSecurityKey = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\WSecurityKey.URL" | Payload.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WSecurityKey2 = "C:\\Users\\Admin\\AppData\\Roaming\\Payload.exe" | paylod.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (2 IoCs)
  Processes: WerFault.exe, WerFault.exe
  pid | pid_target | process | target process
  4736 | 1068 | WerFault.exe | Mercurial.exe
  432 | 1068 | WerFault.exe | Mercurial.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: Mercurial.exe
  pid | process
  1068 | Mercurial.exe (8 identical entries)
- Suspicious use of AdjustPrivilegeToken (34 IoCs)
  Processes: Mercurial.exe, Payload.exe
  description | pid | process
  Token: SeDebugPrivilege | 1068 | Mercurial.exe
  Token: SeDebugPrivilege | 4672 | Payload.exe
  Token: 33 | 4672 | Payload.exe (repeated, alternating with the next row; 32 entries in total)
  Token: SeIncBasePriorityPrivilege | 4672 | Payload.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes: sample.exe, paylod.exe, Payload.exe
  description | pid | process | target process (each row is recorded 3 times)
  PID 860 wrote to memory of 5092 | 860 | sample.exe | paylod.exe
  PID 860 wrote to memory of 1068 | 860 | sample.exe | Mercurial.exe
  PID 5092 wrote to memory of 4672 | 5092 | paylod.exe | Payload.exe
  PID 5092 wrote to memory of 4576 | 5092 | paylod.exe | attrib.exe
  PID 4672 wrote to memory of 3368 | 4672 | Payload.exe | attrib.exe
  PID 4672 wrote to memory of 4656 | 4672 | Payload.exe | attrib.exe
- Views/modifies file attributes (1 TTPs, 3 IoCs)
  Processes: attrib.exe, attrib.exe, attrib.exe
  pid | process
  4576 | attrib.exe
  3368 | attrib.exe
  4656 | attrib.exe
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\sample.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\paylod.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\paylod.exe"
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Admin\AppData\Roaming\Payload.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Payload.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\SysWOW64\attrib.exe
        Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSecurityKey.exe"
        - Drops startup file
        - Views/modifies file attributes
      - [depth 4] C:\Windows\SysWOW64\attrib.exe
        Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WSecurityKey.exe"
        - Views/modifies file attributes
    - [depth 3] C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Payload.exe"
      - Views/modifies file attributes
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\Mercurial.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Mercurial.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1460
      - Program crash
    - [depth 3] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1032
      - Program crash
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1068 -ip 1068
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1068 -ip 1068
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Mercurial.exe
  Filesize: 3.2MB
  MD5: a9477b3e21018b96fc5d2264d4016e65
  SHA1: 493fa8da8bf89ea773aeb282215f78219a5401b7
  SHA256: 890fd59af3370e2ce12e0d11916d1ad4ee9b9c267c434347dbed11e9572e8645
  SHA512: 66529a656865400fe37d40ae125a1d057f8be5aa17da80d367ebbe1a9dcea38f5174870d0dc5b56771f6ca5a13e2fad22d803f5357f3ef59a46e3bdf0cc5ee9c
- C:\Users\Admin\AppData\Local\Temp\paylod.exe
  Filesize: 26KB
  MD5: 43bcd1fc21d211f63d3bc96d870a3a81
  SHA1: edeb0193808d4fe309cbd5e2c8a7e61d5b2e5c40
  SHA256: fc3f42e235d5338bd7b45b834c16f26345ad57a530e485b8f8dd3fafe78951dd
  SHA512: 4dd20fbb7b91d1f2abed8721cb439fcda075ee079964e4f0dafbb6b62dc2ab87736e01d63b86efc62e5f74a42db648ed7be3a6540048f6791402a4b12a7ed942
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSecurityKey.exe
  Filesize: 26KB
  MD5: 43bcd1fc21d211f63d3bc96d870a3a81
  SHA1: edeb0193808d4fe309cbd5e2c8a7e61d5b2e5c40
  SHA256: fc3f42e235d5338bd7b45b834c16f26345ad57a530e485b8f8dd3fafe78951dd
  SHA512: 4dd20fbb7b91d1f2abed8721cb439fcda075ee079964e4f0dafbb6b62dc2ab87736e01d63b86efc62e5f74a42db648ed7be3a6540048f6791402a4b12a7ed942
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSecurityKey.lnk
  Filesize: 1KB
  MD5: 8809ae2412051fe62a4fb78b7e9ebd12
  SHA1: b902da0b84a272bdff0ace433956d67387d35c6f
  SHA256: 7942be59109e850ef509c00cb9085d471c94c7c89db678874af1e403b9e1315b
  SHA512: 25c1497cb412a3d57c1a70c7669469e28a4c87cf26f66c44da9bcd9b32c62b16dddc01fa8bc4b2f17c599d86c027f896cfd19707f4e223dc2f13d035cf3abb53
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WSecurityKey.lnk
  Filesize: 1KB
  MD5: 13304b0834aa1b075ee085038425465e
  SHA1: 37801e4502478e8305ced7e303d6dfdaa25168ce
  SHA256: d39c5cc2740ee7db8736545a800cccfc57787c80b75b3e916eb6cb0efad3b4b7
  SHA512: d51adf11a8222989aec62d78aca1ba5bd08fc8ebcd2a1ef44af47220e0ebceee5289acbb1abf4f4cafa27048b1a9ed32d5906ec0bd7775fac4e29c39cc299f07
- C:\Users\Admin\AppData\Roaming\Payload.exe
  Filesize: 26KB
  MD5: 43bcd1fc21d211f63d3bc96d870a3a81
  SHA1: edeb0193808d4fe309cbd5e2c8a7e61d5b2e5c40
  SHA256: fc3f42e235d5338bd7b45b834c16f26345ad57a530e485b8f8dd3fafe78951dd
  SHA512: 4dd20fbb7b91d1f2abed8721cb439fcda075ee079964e4f0dafbb6b62dc2ab87736e01d63b86efc62e5f74a42db648ed7be3a6540048f6791402a4b12a7ed942
- memory/860-133-0x0000000000FB0000-0x0000000000FC0000-memory.dmp, Filesize: 64KB
- memory/1068-159-0x0000000005850000-0x00000000058E2000-memory.dmp, Filesize: 584KB
- memory/1068-185-0x0000000005910000-0x0000000005920000-memory.dmp, Filesize: 64KB
- memory/1068-163-0x0000000005910000-0x0000000005920000-memory.dmp, Filesize: 64KB
- memory/1068-164-0x0000000005910000-0x0000000005920000-memory.dmp, Filesize: 64KB
- memory/1068-165-0x0000000005910000-0x0000000005920000-memory.dmp, Filesize: 64KB
- memory/1068-166-0x0000000005910000-0x0000000005920000-memory.dmp, Filesize: 64KB
- memory/1068-161-0x0000000005900000-0x000000000590A000-memory.dmp, Filesize: 40KB
- memory/1068-160-0x0000000005910000-0x0000000005920000-memory.dmp, Filesize: 64KB
- memory/1068-158-0x0000000005EE0000-0x0000000006484000-memory.dmp, Filesize: 5.6MB
- memory/1068-201-0x000000000BFC0000-0x000000000C0C0000-memory.dmp, Filesize: 1024KB
- memory/1068-180-0x0000000005910000-0x0000000005920000-memory.dmp, Filesize: 64KB
- memory/1068-200-0x000000000BFC0000-0x000000000C0C0000-memory.dmp, Filesize: 1024KB
- memory/1068-182-0x0000000005910000-0x0000000005920000-memory.dmp, Filesize: 64KB
- memory/1068-183-0x0000000005910000-0x0000000005920000-memory.dmp, Filesize: 64KB
- memory/1068-184-0x0000000005910000-0x0000000005920000-memory.dmp, Filesize: 64KB
- memory/1068-162-0x0000000005910000-0x0000000005920000-memory.dmp, Filesize: 64KB
- memory/1068-186-0x0000000005910000-0x0000000005920000-memory.dmp, Filesize: 64KB
- memory/1068-156-0x0000000000B70000-0x0000000000EAA000-memory.dmp, Filesize: 3.2MB
- memory/1068-189-0x0000000005910000-0x0000000005920000-memory.dmp, Filesize: 64KB
- memory/1068-190-0x0000000005910000-0x0000000005920000-memory.dmp, Filesize: 64KB
- memory/1068-199-0x000000000BFC0000-0x000000000C0C0000-memory.dmp, Filesize: 1024KB
- memory/1068-192-0x000000000BFC0000-0x000000000C0C0000-memory.dmp, Filesize: 1024KB
- memory/1068-193-0x000000000BFC0000-0x000000000C0C0000-memory.dmp, Filesize: 1024KB
- memory/1068-194-0x000000000BFC0000-0x000000000C0C0000-memory.dmp, Filesize: 1024KB
- memory/1068-195-0x000000000BFC0000-0x000000000C0C0000-memory.dmp, Filesize: 1024KB
- memory/1068-196-0x000000000BFC0000-0x000000000C0C0000-memory.dmp, Filesize: 1024KB
- memory/1068-197-0x000000000BFC0000-0x000000000C0C0000-memory.dmp, Filesize: 1024KB
- memory/1068-198-0x000000000BFC0000-0x000000000C0C0000-memory.dmp, Filesize: 1024KB
- memory/4672-191-0x0000000001950000-0x0000000001960000-memory.dmp, Filesize: 64KB
- memory/4672-181-0x0000000001950000-0x0000000001960000-memory.dmp, Filesize: 64KB
- memory/5092-157-0x0000000000D80000-0x0000000000D90000-memory.dmp, Filesize: 64KB