Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-03-2023 13:57
Behavioral task behavioral1
- Sample: 706fd9eb22adac23c973248375c50a02.exe
- Resource: win7-20230220-en
Behavioral task behavioral2
- Sample: 706fd9eb22adac23c973248375c50a02.exe
- Resource: win10v2004-20230220-en
General
- Target: 706fd9eb22adac23c973248375c50a02.exe
- Size: 27KB
- MD5: 706fd9eb22adac23c973248375c50a02
- SHA1: a2eb4719961cebca7a1e0ede2397c7e11e91a068
- SHA256: 3d8b2bc3fdba588bad1e6ee74050de7a31e386088636bbedf72f2285d3dc819f
- SHA512: 1e513b057abcebd61a5c808f026afeb16119172d8cde4e04a6d79997baa295c941a8594d0c39f1817117bbb94dba9c36f5a4bd81e123ab9fd0527bd6fadc42bf
- SSDEEP: 384:hLOlYHHeIYTzJRcbg8iEPrthZMVAQk93vmhm7UMKmIEecKdbXTzm9bVhca66Zr6s:B2ZxJm8VA/vMHTi9bD
Malware Config
Extracted
- family: njrat
- version: v2.0
- botnet: HacKed
- C2: bob541882.e2.luyouxia.net:20192
- mutex: Windows
- reg_key: Windows
- splitter: |-F-|
Signatures

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 706fd9eb22adac23c973248375c50a02.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation (706fd9eb22adac23c973248375c50a02.exe)

Drops startup file (4 IoCs)
Processes: 360.exe, 706fd9eb22adac23c973248375c50a02.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe (360.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe (360.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk (706fd9eb22adac23c973248375c50a02.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk (360.exe)

Executes dropped EXE (1 IoCs)
Processes: 360.exe
- pid 3580: 360.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
Processes: 706fd9eb22adac23c973248375c50a02.exe, 360.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\360.exe" (706fd9eb22adac23c973248375c50a02.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (360.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (360.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (360.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (360.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (33 IoCs)
Processes: 360.exe
- Token: SeDebugPrivilege, pid 3580, 360.exe (1 occurrence)
- Token: 33, pid 3580, 360.exe (16 occurrences)
- Token: SeIncBasePriorityPrivilege, pid 3580, 360.exe (16 occurrences)

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 706fd9eb22adac23c973248375c50a02.exe
- PID 632 wrote to memory of 3580: 706fd9eb22adac23c973248375c50a02.exe -> 360.exe (3 occurrences)
- PID 632 wrote to memory of 1872: 706fd9eb22adac23c973248375c50a02.exe -> attrib.exe (3 occurrences)

Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\706fd9eb22adac23c973248375c50a02.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\706fd9eb22adac23c973248375c50a02.exe"
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\360.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\360.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\attrib.exe (depth 2)
    Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\360.exe"
    - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\360.exe
  Filesize: 27KB
  MD5: 706fd9eb22adac23c973248375c50a02
  SHA1: a2eb4719961cebca7a1e0ede2397c7e11e91a068
  SHA256: 3d8b2bc3fdba588bad1e6ee74050de7a31e386088636bbedf72f2285d3dc819f
  SHA512: 1e513b057abcebd61a5c808f026afeb16119172d8cde4e04a6d79997baa295c941a8594d0c39f1817117bbb94dba9c36f5a4bd81e123ab9fd0527bd6fadc42bf
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
  Filesize: 1KB
  MD5: 78ae7480e93fe3c32ae353941737dbaa
  SHA1: 0735d4addb35f31cd4b17b83d3c97c4242542fa5
  SHA256: f2991de24991c95528f1fe370b4c4ab9feda7cb7f715dd53199524d343983e80
  SHA512: f8824bfe2648c9b30a582b0ae15b909b971ca908a34f1f4d1377bb2c472c15b691b2ed9e44b5f173097e0c049447602a2bef1f121d636da8b02e0d2370dd8aa8
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
  Filesize: 1KB
  MD5: 5874d9f697c098614594ee1e941a9cf6
  SHA1: dde965d64e459034618d501656cd95d6cc826d8e
  SHA256: 5ef31f2c5ef281421a392392c28fd08d9f5039d38b4183b905ac14ff421b7f86
  SHA512: 2e769f9b9f6a310efe10f2708521372b0783c0504b247b0da448c4e86c7e809a30aa614d9270b34a4c889f0fcf429e4eabe973e61b9b0987258b15127af9a719
- memory/632-133-0x0000000000EF0000-0x0000000000F00000-memory.dmp
  Filesize: 64KB
- memory/3580-145-0x0000000001170000-0x0000000001180000-memory.dmp
  Filesize: 64KB
- memory/3580-151-0x0000000001170000-0x0000000001180000-memory.dmp
  Filesize: 64KB