Analysis
- max time kernel: 210s
- max time network: 218s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-03-2023 16:51
Behavioral task: behavioral1
- Sample: 0e503cb95361e59b9df503d31a2e8802.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 0e503cb95361e59b9df503d31a2e8802.exe
- Resource: win10v2004-20230220-en
General
- Target: 0e503cb95361e59b9df503d31a2e8802.exe
- Size: 26KB
- MD5: 0e503cb95361e59b9df503d31a2e8802
- SHA1: 1250284990eeb2290e19b6492a40be1a9e720e54
- SHA256: 58ac2495135149fb207fbab60f7bde30aa9873650da20f2a00c03391106656fe
- SHA512: fbc969e45fbb9c9332ddff14cf453af4edd64810cd85c07b552fea7e59fe6c46ed19c6f59658acda129df329747f73ac053d687dc6262b4c00bcd14ee3b8ac1d
- SSDEEP: 384:kLbe6lnw3m4Afp1UDMoCoP6udRNMpAQk93vmhm7UMKmIEecKdbXTzm9bVhcao631:ybeyBPqQpA/vMHTi9bD
Malware Config
Extracted
- Family: njrat
- Version: v2.0
- Botnet: HacKed
- C2: study-silly.at.ply.gg:42876
- Mutex: Windows
- reg_key: Windows
- splitter: |-F-|
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 0e503cb95361e59b9df503d31a2e8802.exe
  IoCs (description | ioc | process):
  - Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | 0e503cb95361e59b9df503d31a2e8802.exe
- Drops startup file (5 IoCs)
  Processes: attrib.exe, 0e503cb95361e59b9df503d31a2e8802.exe, LocalShell.bat
  IoCs (description | ioc | process):
  - File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | attrib.exe
  - File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | 0e503cb95361e59b9df503d31a2e8802.exe
  - File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | LocalShell.bat
  - File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | LocalShell.bat
  - File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | LocalShell.bat
- Executes dropped EXE (1 IoC)
  Processes: LocalShell.bat
  IoCs (pid | process):
  - 5008 | LocalShell.bat
- Adds Run key to start application (2 TTPs, 5 IoCs)
  Processes: LocalShell.bat, 0e503cb95361e59b9df503d31a2e8802.exe
  IoCs (description | ioc | process):
  - Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | LocalShell.bat
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | LocalShell.bat
  - Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Windows\\LocalShell.bat" | 0e503cb95361e59b9df503d31a2e8802.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | LocalShell.bat
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | LocalShell.bat
- Drops file in Windows directory (2 IoCs)
  Processes: 0e503cb95361e59b9df503d31a2e8802.exe, attrib.exe
  IoCs (description | ioc | process):
  - File created | C:\Windows\LocalShell.bat | 0e503cb95361e59b9df503d31a2e8802.exe
  - File opened for modification | C:\Windows\LocalShell.bat | attrib.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (15 IoCs)
  Processes: LocalShell.bat
  IoCs (description | pid | process):
  - Token: SeDebugPrivilege | 5008 | LocalShell.bat
  - Token: 33 | 5008 | LocalShell.bat (7 occurrences, alternating with the next entry)
  - Token: SeIncBasePriorityPrivilege | 5008 | LocalShell.bat (7 occurrences)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 0e503cb95361e59b9df503d31a2e8802.exe, LocalShell.bat
  IoCs (description | pid | process | target process):
  - PID 1440 wrote to memory of 5008 | 1440 | 0e503cb95361e59b9df503d31a2e8802.exe | LocalShell.bat (3 occurrences)
  - PID 1440 wrote to memory of 4788 | 1440 | 0e503cb95361e59b9df503d31a2e8802.exe | attrib.exe (3 occurrences)
  - PID 5008 wrote to memory of 4712 | 5008 | LocalShell.bat | attrib.exe (3 occurrences)
  - PID 5008 wrote to memory of 736 | 5008 | LocalShell.bat | attrib.exe (3 occurrences)
- Views/modifies file attributes (1 TTP, 3 IoCs)
  Processes: attrib.exe, attrib.exe, attrib.exe
  IoCs (pid | process):
  - 4788 | attrib.exe
  - 4712 | attrib.exe
  - 736 | attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\0e503cb95361e59b9df503d31a2e8802.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e503cb95361e59b9df503d31a2e8802.exe"
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\LocalShell.bat
    Command line: "C:\Windows\LocalShell.bat"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
      - Drops startup file
      - Views/modifies file attributes
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\attrib.exe
    Command line: attrib +h +r +s "C:\Windows\LocalShell.bat"
    - Drops file in Windows directory
    - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe
  Filesize: 26KB
  MD5: 0e503cb95361e59b9df503d31a2e8802
  SHA1: 1250284990eeb2290e19b6492a40be1a9e720e54
  SHA256: 58ac2495135149fb207fbab60f7bde30aa9873650da20f2a00c03391106656fe
  SHA512: fbc969e45fbb9c9332ddff14cf453af4edd64810cd85c07b552fea7e59fe6c46ed19c6f59658acda129df329747f73ac053d687dc6262b4c00bcd14ee3b8ac1d
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
  Filesize: 1KB
  MD5: 5046027d76193c47eda704613363b0eb
  SHA1: 28c68cb8c0f41137f06c21de64edb17dfe932f66
  SHA256: 82c84773cea056f85ac4c36f99174a9f27d19cc1ff8cd01bd64b5c062a7a7150
  SHA512: d996df4461ee3039b1344881fb606fb6f257f5b60b7d0c5917564ffc4dc80c0747f022195a12beb442d8da77aed44ec3c4e2016b7d8a791c821b0350c1d7c918
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
  Filesize: 1KB
  MD5: c2029e31e25647730597ac950c8d6ae5
  SHA1: 02a4822c6621db10757690b91b31e489f372d462
  SHA256: 00cb0e919469efaf29695f0acac304bffc05b269c957f9baefb8e5dbddafef92
  SHA512: 10a57bd1f36a1c2d3e39a374f13e4e3ad26df448f24f5d1248e8bab267b8cb797fc03862e67fcfbcae5916b775b73be127b0e23cd8baeca3eb5850a9e7cc3121
- C:\Windows\LocalShell.bat
  Filesize: 26KB
  MD5: 0e503cb95361e59b9df503d31a2e8802
  SHA1: 1250284990eeb2290e19b6492a40be1a9e720e54
  SHA256: 58ac2495135149fb207fbab60f7bde30aa9873650da20f2a00c03391106656fe
  SHA512: fbc969e45fbb9c9332ddff14cf453af4edd64810cd85c07b552fea7e59fe6c46ed19c6f59658acda129df329747f73ac053d687dc6262b4c00bcd14ee3b8ac1d
- memory/1440-133-0x0000000001450000-0x0000000001460000-memory.dmp
  Filesize: 64KB
- memory/1440-134-0x0000000001450000-0x0000000001460000-memory.dmp
  Filesize: 64KB
- memory/5008-147-0x0000000001200000-0x0000000001210000-memory.dmp
  Filesize: 64KB
- memory/5008-148-0x0000000001200000-0x0000000001210000-memory.dmp
  Filesize: 64KB