Analysis
  max time kernel: 150s
  max time network: 152s
  platform: windows10-2004_x64
  resource: win10v2004-20230220-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 26-03-2023 13:56
Behavioral task: behavioral1
  Sample: 706fd9eb22adac23c973248375c50a02.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 706fd9eb22adac23c973248375c50a02.exe
  Resource: win10v2004-20230220-en
General
  Target: 706fd9eb22adac23c973248375c50a02.exe
  Size: 27KB
  MD5: 706fd9eb22adac23c973248375c50a02
  SHA1: a2eb4719961cebca7a1e0ede2397c7e11e91a068
  SHA256: 3d8b2bc3fdba588bad1e6ee74050de7a31e386088636bbedf72f2285d3dc819f
  SHA512: 1e513b057abcebd61a5c808f026afeb16119172d8cde4e04a6d79997baa295c941a8594d0c39f1817117bbb94dba9c36f5a4bd81e123ab9fd0527bd6fadc42bf
  SSDEEP: 384:hLOlYHHeIYTzJRcbg8iEPrthZMVAQk93vmhm7UMKmIEecKdbXTzm9bVhca66Zr6s:B2ZxJm8VA/vMHTi9bD
Malware Config
Extracted
  Family: njrat
  Version: v2.0
  Botnet: HacKed
  C2: bob541882.e2.luyouxia.net:20192
  Mutex: Windows
  Attributes:
    reg_key: Windows
    splitter: |-F-|
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | 706fd9eb22adac23c973248375c50a02.exe

Drops startup file (4 IoCs)
  Processes:
    description | ioc | process
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | 360.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | 706fd9eb22adac23c973248375c50a02.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | 360.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | 360.exe

Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    4288 | 360.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | 360.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\360.exe" | 706fd9eb22adac23c973248375c50a02.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | 360.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | 360.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | 360.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 4288 | 360.exe
    Token: 33 | 4288 | 360.exe
    Token: SeIncBasePriorityPrivilege | 4288 | 360.exe
    Token: 33 | 4288 | 360.exe
    Token: SeIncBasePriorityPrivilege | 4288 | 360.exe
    Token: 33 | 4288 | 360.exe
    Token: SeIncBasePriorityPrivilege | 4288 | 360.exe
    Token: 33 | 4288 | 360.exe
    Token: SeIncBasePriorityPrivilege | 4288 | 360.exe
    Token: 33 | 4288 | 360.exe
    Token: SeIncBasePriorityPrivilege | 4288 | 360.exe
    Token: 33 | 4288 | 360.exe
    Token: SeIncBasePriorityPrivilege | 4288 | 360.exe
    Token: 33 | 4288 | 360.exe
    Token: SeIncBasePriorityPrivilege | 4288 | 360.exe
    Token: 33 | 4288 | 360.exe
    Token: SeIncBasePriorityPrivilege | 4288 | 360.exe
    Token: 33 | 4288 | 360.exe
    Token: SeIncBasePriorityPrivilege | 4288 | 360.exe
    Token: 33 | 4288 | 360.exe
    Token: SeIncBasePriorityPrivilege | 4288 | 360.exe
    Token: 33 | 4288 | 360.exe
    Token: SeIncBasePriorityPrivilege | 4288 | 360.exe
    Token: 33 | 4288 | 360.exe
    Token: SeIncBasePriorityPrivilege | 4288 | 360.exe
    Token: 33 | 4288 | 360.exe
    Token: SeIncBasePriorityPrivilege | 4288 | 360.exe
    Token: 33 | 4288 | 360.exe
    Token: SeIncBasePriorityPrivilege | 4288 | 360.exe
    Token: 33 | 4288 | 360.exe
    Token: SeIncBasePriorityPrivilege | 4288 | 360.exe
    Token: 33 | 4288 | 360.exe
    Token: SeIncBasePriorityPrivilege | 4288 | 360.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description | pid | process | target process
    PID 4236 wrote to memory of 4288 | 4236 | 706fd9eb22adac23c973248375c50a02.exe | 360.exe
    PID 4236 wrote to memory of 4288 | 4236 | 706fd9eb22adac23c973248375c50a02.exe | 360.exe
    PID 4236 wrote to memory of 4288 | 4236 | 706fd9eb22adac23c973248375c50a02.exe | 360.exe
    PID 4236 wrote to memory of 3828 | 4236 | 706fd9eb22adac23c973248375c50a02.exe | attrib.exe
    PID 4236 wrote to memory of 3828 | 4236 | 706fd9eb22adac23c973248375c50a02.exe | attrib.exe
    PID 4236 wrote to memory of 3828 | 4236 | 706fd9eb22adac23c973248375c50a02.exe | attrib.exe

Views/modifies file attributes (1 TTPs, 1 IoC)
Processes
  C:\Users\Admin\AppData\Local\Temp\706fd9eb22adac23c973248375c50a02.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\706fd9eb22adac23c973248375c50a02.exe"
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\360.exe
      command line: "C:\Users\Admin\AppData\Roaming\360.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\attrib.exe
      command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\360.exe"
      - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  C:\Users\Admin\AppData\Roaming\360.exe
    Filesize: 27KB
    MD5: 706fd9eb22adac23c973248375c50a02
    SHA1: a2eb4719961cebca7a1e0ede2397c7e11e91a068
    SHA256: 3d8b2bc3fdba588bad1e6ee74050de7a31e386088636bbedf72f2285d3dc819f
    SHA512: 1e513b057abcebd61a5c808f026afeb16119172d8cde4e04a6d79997baa295c941a8594d0c39f1817117bbb94dba9c36f5a4bd81e123ab9fd0527bd6fadc42bf
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
    Filesize: 1KB
    MD5: 937e7212c4aaf0d9a98c864adeeef338
    SHA1: 75fd9e534c45349f34e19003c31eafe22e540ad1
    SHA256: c24bb82e26e3dcc2045191f22cb85e2a39a3bd6be1d94f4f7610bf7867515a5e
    SHA512: 9927fed448c0086a8da687c57af1da761584b36f6f60098b0d4fdafed3aa79893c43fd6acb3346fe6e738e34e0373fe0b6daf27544b68e3e3938f698967817d5
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
    Filesize: 1KB
    MD5: 3eb88dfe6738d549be5f2909247345c9
    SHA1: 6e11c4462eaf06430a621be1ef4461f3a77b7e1b
    SHA256: 3d5c5af4c3ca467fd426d9d2deb0897fcea8a733d0034d97212fbc8644676525
    SHA512: 56d28d19005166106548e024107516818270ee9d9a94ca55004bca3851d88b56082f72db72170ca1e215a106e4476157006652d755f0af3c98653aef76190756
  memory/4236-133-0x0000000001750000-0x0000000001760000-memory.dmp
    Filesize: 64KB
  memory/4236-141-0x0000000001750000-0x0000000001760000-memory.dmp
    Filesize: 64KB
  memory/4288-150-0x0000000000710000-0x0000000000720000-memory.dmp
    Filesize: 64KB
  memory/4288-152-0x0000000000710000-0x0000000000720000-memory.dmp
    Filesize: 64KB