Analysis
  max time kernel: 173s
  max time network: 174s
  platform: windows10-2004_x64
  resource: win10v2004-20230220-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 05-04-2023 11:01
Behavioral task
  behavioral1
    Sample: 0412ac372c744b3055f5cb77035ed85afb3c5468111f56c23ea0c44ee548f35a.exe
    Resource: win7-20230220-en
General
  Target: 0412ac372c744b3055f5cb77035ed85afb3c5468111f56c23ea0c44ee548f35a.exe
  Size: 37KB
  MD5: baa50b16a350701da6b820ee83cee518
  SHA1: dc3143b96da688aeb181f138bfea0d22946c5a48
  SHA256: 0412ac372c744b3055f5cb77035ed85afb3c5468111f56c23ea0c44ee548f35a
  SHA512: 66f2ae4aed5e6ed3a5e92e06ae6c77912c27dce23f0373e1f0f7036b3d7a6d7f3b02e52117b8c5a49e39c5cdc50a66480363bcdbc2ec1a564501554e91845cbf
  SSDEEP: 384:ETuHbo7gibtjpPu7w9qyMTKBn9csWiTNbrAF+rMRTyN/0L+EcoinblneHQM3epz:xsNN9ZMTKBG9iFrM+rMRa8Nuapt
Malware Config
  Extracted
    Family: njrat
    Version: im523
    Botnet: HacKed
    C2: 0.tcp.eu.ngrok.io:443
    Mutex: 1b7052d5fd60d31df205c46057c84fe5
    Attributes:
      reg_key: 1b7052d5fd60d31df205c46057c84fe5
      splitter: |'|'|
Signatures
  Modifies Windows Firewall (1 TTPs, 1 IoCs)

  Checks computer location settings (2 TTPs, 1 IoCs)
    Looks up country code configured in the registry, likely geofence.
    Processes: 0412ac372c744b3055f5cb77035ed85afb3c5468111f56c23ea0c44ee548f35a.exe
      description        | ioc                                                                                                    | process
      Key value queried  | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation   | 0412ac372c744b3055f5cb77035ed85afb3c5468111f56c23ea0c44ee548f35a.exe

  Executes dropped EXE (1 IoCs)
    Processes: server.exe
      pid   | process
      1220  | server.exe

  Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  Suspicious use of AdjustPrivilegeToken (29 IoCs)
    Processes: server.exe
      description                        | pid   | process     | occurrences
      Token: SeDebugPrivilege            | 1220  | server.exe  | 1
      Token: 33                          | 1220  | server.exe  | 14
      Token: SeIncBasePriorityPrivilege  | 1220  | server.exe  | 14
    (The 29 rows consist of the single SeDebugPrivilege entry followed by 14 alternating pairs of Token: 33 and Token: SeIncBasePriorityPrivilege.)

  Suspicious use of WriteProcessMemory (6 IoCs)
    Processes: 0412ac372c744b3055f5cb77035ed85afb3c5468111f56c23ea0c44ee548f35a.exe, server.exe
      description                       | pid   | process                                                                | target process | occurrences
      PID 1360 wrote to memory of 1220  | 1360  | 0412ac372c744b3055f5cb77035ed85afb3c5468111f56c23ea0c44ee548f35a.exe  | server.exe     | 3
      PID 1220 wrote to memory of 2204  | 1220  | server.exe                                                             | netsh.exe      | 3
Processes
  1. C:\Users\Admin\AppData\Local\Temp\0412ac372c744b3055f5cb77035ed85afb3c5468111f56c23ea0c44ee548f35a.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\0412ac372c744b3055f5cb77035ed85afb3c5468111f56c23ea0c44ee548f35a.exe"
     - Checks computer location settings
     - Suspicious use of WriteProcessMemory
     2. C:\Users\Admin\AppData\Roaming\server.exe
        Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        3. C:\Windows\SysWOW64\netsh.exe
           Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
           - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
  C:\Users\Admin\AppData\Roaming\server.exe
    Filesize: 37KB
    MD5: baa50b16a350701da6b820ee83cee518
    SHA1: dc3143b96da688aeb181f138bfea0d22946c5a48
    SHA256: 0412ac372c744b3055f5cb77035ed85afb3c5468111f56c23ea0c44ee548f35a
    SHA512: 66f2ae4aed5e6ed3a5e92e06ae6c77912c27dce23f0373e1f0f7036b3d7a6d7f3b02e52117b8c5a49e39c5cdc50a66480363bcdbc2ec1a564501554e91845cbf
  memory/1220-144-0x0000000000DD0000-0x0000000000DE0000-memory.dmp
    Filesize: 64KB
  memory/1220-145-0x0000000000DD0000-0x0000000000DE0000-memory.dmp
    Filesize: 64KB
  memory/1360-133-0x0000000000750000-0x0000000000760000-memory.dmp
    Filesize: 64KB
  memory/1360-134-0x0000000000750000-0x0000000000760000-memory.dmp
    Filesize: 64KB