Analysis
- max time kernel: 150s
- max time network: 111s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-03-2023 03:34
Behavioral task: behavioral1
- Sample: wearaawr.exe
- Resource: win7-20230220-en
General
- Target: wearaawr.exe
- Size: 93KB
- MD5: 63f06efdbe1f93b7a2688a0baf2256d4
- SHA1: 91d9cc6369d885534cfa7eea162964bc06c00b2b
- SHA256: 7caf8f81caea74f0a583349fc9f4f96e9226c913a7cb9f2dbca87050ae595e84
- SHA512: a0137176f42d908d09bb96d74aef630bcb50b42a64c6763945b42e0ef9f159c05bd8b468320b1c6f248e8591e23a27edf5f7c17bb32342d1eb9744667ed196b1
- SSDEEP: 1536:CIaw0gMX6BbNrnYjS7JjEwzGi1dDxDbgS:CIwX6BbNraS7Gi1d1U
Malware Config
Extracted (family: njrat)
- Version: 0.7d
- Campaign ID: HacKed
- C2 (host:port, as extracted): FRANSESCOTI3LjAuFRANSESCOC4x:MzE0OQ==
- Identifier: 1e837d763a164123719a02065b1e7b81 (also used as the reg_key and as the prefix of the Startup-folder file name seen under Signatures)
- reg_key: 1e837d763a164123719a02065b1e7b81
- splitter: |'|'|
Notes: the port field is plain base64 and decodes to 3149. The host field is base64 in which the character "M" appears to have been replaced by the literal token FRANSESCO; undoing that substitution gives MTI3LjAuMC4x, which decodes to 127.0.0.1. That is an inference from the shape of the string, not something the extractor reports, but a loopback C2 would mean the implant never reaches out during a sandbox run. The splitter is the delimiter njRAT places between fields in its C2 messages.
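The decoding described above, as an added example that is not part of the sandbox report or of njRAT's own code. It assumes, from the extracted string alone, that the builder substituted the literal token FRANSESCO for the base64 character M in the host field; the field names in EXTRACTED_CONFIG are the editor's labels, and the only constructed input is the sample message handed to split_message.

```python
import base64
from dataclasses import dataclass

# Fields copied from the "Malware Config" section of this report; the key
# names are the editor's labels, not the extractor's.
EXTRACTED_CONFIG = {
    "family": "njrat",
    "version": "0.7d",
    "campaign_id": "HacKed",
    "host_port": "FRANSESCOTI3LjAuFRANSESCOC4x:MzE0OQ==",
    "identifier": "1e837d763a164123719a02065b1e7b81",
    "reg_key": "1e837d763a164123719a02065b1e7b81",
    "splitter": "|'|'|",
}

# Assumption (inferred from the extracted string, not stated on the page): the
# builder swapped the base64 character "M" for the literal token "FRANSESCO"
# in the host field. Undoing that swap yields valid base64.
JUNK_TOKEN = "FRANSESCO"
JUNK_REPLACEMENT = "M"


@dataclass(frozen=True)
class C2:
    host: str
    port: int

    @property
    def is_loopback(self) -> bool:
        # A loopback C2 never produces outbound traffic in a sandbox run.
        return self.host == "localhost" or self.host.startswith("127.")


def b64_text(field: str) -> str:
    """Base64-decode an ASCII config field, restoring any stripped '=' padding."""
    field = field.strip()
    field += "=" * (-len(field) % 4)
    return base64.b64decode(field, validate=True).decode("ascii")


def decode_host_port(field: str, junk: str = JUNK_TOKEN, repl: str = JUNK_REPLACEMENT) -> C2:
    """Decode an njRAT '<host_b64>:<port_b64>' field into a C2 record."""
    host_b64, sep, port_b64 = field.rpartition(":")
    if not sep or not host_b64 or not port_b64:
        raise ValueError("expected '<host_b64>:<port_b64>'")
    host = b64_text(host_b64.replace(junk, repl))
    port = int(b64_text(port_b64))
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return C2(host, port)


def split_message(raw: str, splitter: str = EXTRACTED_CONFIG["splitter"]) -> list[str]:
    """Split a C2 message on the configured field delimiter (the 'splitter')."""
    return raw.split(splitter)


def summarise(config: dict = EXTRACTED_CONFIG) -> dict:
    """Turn the raw extraction into the facts an analyst needs for triage."""
    c2 = decode_host_port(config["host_port"])
    return {
        "c2_host": c2.host,
        "c2_port": c2.port,
        "c2_is_loopback": c2.is_loopback,
        # The identifier reappears as the registry key and as the prefix of the
        # Startup-folder file name listed in this report.
        "startup_artifact": config["identifier"] + "Windows Update.exe",
        "reg_key_equals_identifier": config["reg_key"] == config["identifier"],
    }


if __name__ == "__main__":
    for key, value in summarise().items():
        print(f"{key}: {value}")
```

Run it as a script to print the decoded C2 and the derived artefact names; decode_host_port raises rather than guessing when the field does not split into two base64 halves or the port is out of range.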
Signatures
- Disables Task Manager via registry modification
- Modifies Windows Firewall (1 TTP, 3 IoCs)
  Processes: netsh.exe PID 2980, netsh.exe PID 4656, netsh.exe PID 212
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely geofencing.
  Key value queried by wearaawr.exe: \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation
  Caveat: the .NET runtime reads this key when it initialises region information, so on a .NET sample such as njRAT this hit alone is weak evidence of geofencing.
- Drops startup file (4 IoCs)
  server.exe created and then opened for modification:
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1e837d763a164123719a02065b1e7b81Windows Update.exe
- Executes dropped EXE (1 IoC)
  server.exe PID 4952
- Drops file in System32 directory (2 IoCs)
  server.exe created and then opened for modification: C:\Windows\SysWOW64\Explower.exe
- Drops file in Program Files directory (2 IoCs)
  server.exe created and then opened for modification: C:\Program Files (x86)\Explower.exe
  Note: Explower.exe is one character away from explorer.exe, a lookalike name chosen to blend in with directory listings.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic note reads "likely ransomware behaviour"; for njRAT, drive enumeration is more consistent with its removable-media spreading routine, and no file-encryption activity appears elsewhere in this report.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  server.exe PID 4952
- Suspicious use of AdjustPrivilegeToken (37 IoCs)
  server.exe PID 4952 enabled SeDebugPrivilege once, then privilege 33 and SeIncBasePriorityPrivilege in alternation, 18 times each. Privilege 33 is the LUID of SeIncreaseWorkingSetPrivilege (SE_INC_WORKING_SET_PRIVILEGE), which the sandbox shows numerically.
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1316 wearaawr.exe wrote to memory of PID 4952 server.exe (3 times)
  PID 4952 server.exe wrote to memory of PID 212 netsh.exe (3 times)
  PID 4952 server.exe wrote to memory of PID 2980 netsh.exe (3 times)
  PID 4952 server.exe wrote to memory of PID 4656 netsh.exe (3 times)
  Caveat: a parent writing into a child it has just created is part of normal process start-up; the signal here is the chain from Temp to Roaming to netsh, not the writes themselves.
Processes
1. C:\Users\Admin\AppData\Local\Temp\wearaawr.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\wearaawr.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\server.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
      - Drops startup file
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (child of 2)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
         - Modifies Windows Firewall
      3. C:\Windows\SysWOW64\netsh.exe (child of 2)
         Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
         - Modifies Windows Firewall
      3. C:\Windows\SysWOW64\netsh.exe (child of 2)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
         - Modifies Windows Firewall
Note: the add/delete/add sequence re-creates the exception for the dropped copy and leaves it in place. It uses the deprecated legacy "netsh firewall" context rather than "netsh advfirewall", and the SysWOW64 copy of netsh.exe is what a 32-bit parent gets on an x64 guest through file-system redirection, consistent with the x86 tag on this analysis.
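The process tree above is the pattern a detection engineer would write rules against: a Temp-dropped binary launching a copy from Roaming, that copy punching a firewall exception for a user-writable path, dropping executables into the Startup folder and planting a system-binary lookalike. The following is an added example (not from the sandbox vendor or from this report) of those rules run over constructed Sysmon-style events that mirror the report's PIDs, paths and command lines; the parent PID 900 of the first process, the benign control event and its Vendor\app.exe path are invented. It generalises slightly beyond the sample: besides the legacy "netsh firewall ... allowedprogram" form used here it also parses "netsh advfirewall firewall add rule ... program=".

```python
import re
from collections import Counter

# Constructed Sysmon-style events mirroring the process tree and file drops in
# this report. PIDs and paths come from the report; the parent PID 900 of the
# first process and the final "benign control" event are invented.
EVENTS = [
    {"type": "process", "pid": 1316, "ppid": 900, "cmdline": "",
     "image": r"C:\Users\Admin\AppData\Local\Temp\wearaawr.exe"},
    {"type": "process", "pid": 4952, "ppid": 1316, "cmdline": "",
     "image": r"C:\Users\Admin\AppData\Roaming\server.exe"},
    {"type": "process", "pid": 212, "ppid": 4952, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE'},
    {"type": "process", "pid": 2980, "ppid": 4952, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"'},
    {"type": "process", "pid": 4656, "ppid": 4952, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE'},
    {"type": "file", "pid": 4952, "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe"},
    {"type": "file", "pid": 4952, "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1e837d763a164123719a02065b1e7b81Windows Update.exe"},
    {"type": "file", "pid": 4952, "path": r"C:\Windows\SysWOW64\Explower.exe"},
    {"type": "file", "pid": 4952, "path": r"C:\Program Files (x86)\Explower.exe"},
    # Benign control (constructed): an installer whitelisting a Program Files binary must not fire.
    {"type": "process", "pid": 5000, "ppid": 700, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Program Files\Vendor\app.exe" "Vendor App" ENABLE'},
]

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
STARTUP_DIR = "\\start menu\\programs\\startup\\"
# Names malware commonly imitates; the report's Explower.exe is one edit from explorer.exe.
SYSTEM_BINARIES = {"explorer.exe", "svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "services.exe"}

# Legacy 'netsh firewall' form (used by this sample) and the current 'netsh advfirewall' form.
_LEGACY_RE = re.compile(r'netsh\s+firewall\s+(add|delete)\s+allowedprogram\s+(?:"([^"]+)"|(\S+))', re.I)
_ADV_RE = re.compile(r'netsh\s+advfirewall\s+firewall\s+(add|delete)\s+rule\b.*?\bprogram=(?:"([^"]+)"|(\S+))', re.I)


def parse_netsh_firewall(cmdline: str):
    """Return (action, program_path) for a netsh firewall exception command, else None."""
    for rx in (_LEGACY_RE, _ADV_RE):
        m = rx.search(cmdline)
        if m:
            return m.group(1).lower(), (m.group(2) or m.group(3))
    return None


def user_writable(path: str) -> bool:
    """True if the path sits in a directory an unprivileged user can write to."""
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by the standard row-by-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_system_binary(filename: str) -> bool:
    """True for a name within one edit of a well-known system binary but not identical to it."""
    name = filename.lower()
    return any(name != known and _edit_distance(name, known) <= 1 for known in SYSTEM_BINARIES)


def analyse(events=EVENTS):
    """Run the four rules over the events and return (rule, pid, detail) alerts."""
    alerts = []
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    for e in events:
        if e["type"] == "process":
            parsed = parse_netsh_firewall(e["cmdline"])
            if parsed and user_writable(parsed[1]):
                alerts.append(("firewall_exception_user_path", e["pid"], f"{parsed[0]} {parsed[1]}"))
            parent = procs.get(e["ppid"])
            # Drop-and-run: a Temp-resident parent starting a different binary from a user-writable path.
            if parent and "\\temp\\" in parent["image"].lower() and user_writable(e["image"]) \
                    and parent["image"].lower() != e["image"].lower():
                alerts.append(("drop_and_run_from_temp", e["pid"], e["image"]))
        else:
            low = e["path"].lower()
            if STARTUP_DIR in low and low.endswith(".exe"):
                alerts.append(("startup_folder_exe", e["pid"], e["path"]))
            if lookalike_system_binary(e["path"].rsplit("\\", 1)[-1]):
                alerts.append(("system_binary_lookalike", e["pid"], e["path"]))
    return alerts


def alert_counts(events=EVENTS) -> dict:
    """Alerts per rule, handy for checking a rule set against a known-bad trace."""
    return dict(Counter(rule for rule, _, _ in analyse(events)))


def most_suspicious_pid(events=EVENTS) -> int:
    """The process that accumulated the most alerts (server.exe, PID 4952, in this trace)."""
    return Counter(pid for _, pid, _ in analyse(events)).most_common(1)[0][0]


if __name__ == "__main__":
    for rule, pid, detail in analyse():
        print(f"[{rule}] pid={pid} {detail}")
```

Against this trace the rules fire eight times and the control event stays silent: the firewall rule keys on the whitelisted program's path rather than on netsh.exe itself, which is what separates an installer adding an exception for Program Files from an implant adding one for %APPDATA%.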
Downloads
- C:\Users\Admin\AppData\Roaming\app
  Filesize: 5B
  MD5: 112317d572ce0538d2d1b20d7f32170e
  SHA1: c7f3714c4806b907bcff7f79aa1d1c9373b77d1e
  SHA256: fd9e9a8be71786826787d6eb9aa28371d09b0515ddf0c19b082fe7bac57a88a9
  SHA512: 265dbebc83c74dc97770e650580b0321144990d133403bab2bc1de4618cde63dfd4fedfa56b5e4e259b510585db0f7a59042c356356c56bea3ac861d4be5337f
- C:\Users\Admin\AppData\Roaming\server.exe (listed three times in the report with identical hashes; shown once here)
  Filesize: 93KB
  MD5: 63f06efdbe1f93b7a2688a0baf2256d4
  SHA1: 91d9cc6369d885534cfa7eea162964bc06c00b2b
  SHA256: 7caf8f81caea74f0a583349fc9f4f96e9226c913a7cb9f2dbca87050ae595e84
  SHA512: a0137176f42d908d09bb96d74aef630bcb50b42a64c6763945b42e0ef9f159c05bd8b468320b1c6f248e8591e23a27edf5f7c17bb32342d1eb9744667ed196b1
  The hashes match the submitted wearaawr.exe: the sample copies itself to %APPDATA%\server.exe rather than dropping a distinct second-stage payload, so one hash covers both.
- memory/1316-134-0x0000000001470000-0x0000000001480000-memory.dmp (64KB)
- memory/4952-146-0x0000000001540000-0x0000000001550000-memory.dmp (64KB)
- memory/4952-152-0x0000000001540000-0x0000000001550000-memory.dmp (64KB)