Analysis
-
max time kernel
60s -
max time network
61s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted
26-03-2023 22:55
Behavioral task
behavioral1
Sample
Payload2023.exe
Resource
win10v2004-20230220-en
General
-
Target
Payload2023.exe
-
Size
27KB
-
MD5
b85cd29095492a2688686bb14c50cb2d
-
SHA1
4cd161ec7545478f87a405e09b6691cc6c4aa86a
-
SHA256
92c159bc0ccc5e0dc0dbfcd89567bb52fd8183b573f3d0e90098f0f870da56ae
-
SHA512
8544b7ee6203a65414222b4d0df318ce40ef033d41ffec879b15995608af36c7e948cdcd6c03f66b1e17696745913e795e23c1d3e54b7c3a5ffa47d40e1d312a
-
SSDEEP
384:TLIl2J1dJFKnO4YLJ5zeZsL4E7O4/ChZGPjdx4kM0AQk93vmhm7UMKmIEecKdbXs:3VJFPleeHU0A/vMHTi9bD
Malware Config
Extracted
Family
njrat
-
Version
v4.0
-
Botnet
HacKed
-
C2
soon-lp.at.ply.gg:17209
-
Mutex
Windows
-
reg_key
Windows
-
splitter
|-F-|
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: Payload2023.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | Payload2023.exe
-
Drops startup file 2 IoCs
Processes: Payload.exe, Payload2023.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | Payload.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | Payload2023.exe
-
Executes dropped EXE 1 IoCs
Processes: Payload.exe
pid | process
4420 | Payload.exe
-
Adds Run key to start application 2 TTPs 5 IoCs
Processes: Payload2023.exe, Payload.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Payload.exe" | Payload2023.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
Processes: Payload.exe
description | pid | process
Token: SeDebugPrivilege | 4420 | Payload.exe
Token: 33 | 4420 | Payload.exe
Token: SeIncBasePriorityPrivilege | 4420 | Payload.exe
Token: 33 | 4420 | Payload.exe
Token: SeIncBasePriorityPrivilege | 4420 | Payload.exe
Token: 33 | 4420 | Payload.exe
Token: SeIncBasePriorityPrivilege | 4420 | Payload.exe
Token: 33 | 4420 | Payload.exe
Token: SeIncBasePriorityPrivilege | 4420 | Payload.exe
Token: 33 | 4420 | Payload.exe
Token: SeIncBasePriorityPrivilege | 4420 | Payload.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes: Payload2023.exe
description | pid | process | target process
PID 4740 wrote to memory of 4420 | 4740 | Payload2023.exe | Payload.exe
PID 4740 wrote to memory of 4420 | 4740 | Payload2023.exe | Payload.exe
PID 4740 wrote to memory of 4420 | 4740 | Payload2023.exe | Payload.exe
PID 4740 wrote to memory of 1884 | 4740 | Payload2023.exe | attrib.exe
PID 4740 wrote to memory of 1884 | 4740 | Payload2023.exe | attrib.exe
PID 4740 wrote to memory of 1884 | 4740 | Payload2023.exe | attrib.exe
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Payload2023.exe (PID 4740, depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\Payload2023.exe"
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
    C:\Users\Admin\AppData\Roaming\Payload.exe (PID 4420, depth 2, child of PID 4740)
    Command line: "C:\Users\Admin\AppData\Roaming\Payload.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
-
    C:\Windows\SysWOW64\attrib.exe (PID 1884, depth 2, child of PID 4740)
    Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Payload.exe"
    - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
Filesize 1KB
MD5 5046027d76193c47eda704613363b0eb
SHA1 28c68cb8c0f41137f06c21de64edb17dfe932f66
SHA256 82c84773cea056f85ac4c36f99174a9f27d19cc1ff8cd01bd64b5c062a7a7150
SHA512 d996df4461ee3039b1344881fb606fb6f257f5b60b7d0c5917564ffc4dc80c0747f022195a12beb442d8da77aed44ec3c4e2016b7d8a791c821b0350c1d7c918
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
Filesize 1KB
MD5 c2029e31e25647730597ac950c8d6ae5
SHA1 02a4822c6621db10757690b91b31e489f372d462
SHA256 00cb0e919469efaf29695f0acac304bffc05b269c957f9baefb8e5dbddafef92
SHA512 10a57bd1f36a1c2d3e39a374f13e4e3ad26df448f24f5d1248e8bab267b8cb797fc03862e67fcfbcae5916b775b73be127b0e23cd8baeca3eb5850a9e7cc3121
-
C:\Users\Admin\AppData\Roaming\Payload.exe
Filesize 27KB
MD5 b85cd29095492a2688686bb14c50cb2d
SHA1 4cd161ec7545478f87a405e09b6691cc6c4aa86a
SHA256 92c159bc0ccc5e0dc0dbfcd89567bb52fd8183b573f3d0e90098f0f870da56ae
SHA512 8544b7ee6203a65414222b4d0df318ce40ef033d41ffec879b15995608af36c7e948cdcd6c03f66b1e17696745913e795e23c1d3e54b7c3a5ffa47d40e1d312a
-
memory/4420-151-0x0000000005CA0000-0x0000000005CB0000-memory.dmp
Filesize 64KB
-
memory/4420-152-0x0000000005D50000-0x0000000005DE2000-memory.dmp
Filesize 584KB
-
memory/4420-153-0x0000000005D30000-0x0000000005D3A000-memory.dmp
Filesize 40KB
-
memory/4420-154-0x0000000005F50000-0x0000000005FB6000-memory.dmp
Filesize 408KB
-
memory/4420-155-0x0000000005CA0000-0x0000000005CB0000-memory.dmp
Filesize 64KB
-
memory/4740-133-0x0000000000760000-0x000000000076E000-memory.dmp
Filesize 56KB
-
memory/4740-137-0x0000000005EB0000-0x0000000006454000-memory.dmp
Filesize 5.6MB
-
memory/4740-134-0x00000000050C0000-0x000000000515C000-memory.dmp
Filesize 624KB