Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-05-2023 09:35
Behavioral task: behavioral1
- Sample: c0d00e3956e2dfeadee3ca654d8cb54c.exe
- Resource: win7-20230220-en
General
- Target: c0d00e3956e2dfeadee3ca654d8cb54c.exe
- Size: 43KB
- MD5: c0d00e3956e2dfeadee3ca654d8cb54c
- SHA1: 0bd886d04f96f4bff5b04c169d0984540fb35300
- SHA256: b43959f8924a76b63b8300fb1d7f3943736d9c58e8c079e11bb17390949ed894
- SHA512: 90a03de70316c930828b99381867ef1c032ff91ddeb79a4190c09d09225f7d898dda0385b580aa9a465ecf646a25e41cf80bad922adc876e6e1b9228f971899a
- SSDEEP: 384:9ZyYoFkV6Lk8y85nbjX1moyOoE6+0J6dHbzzIij+ZsNO3PlpJKkkjh/TzF7pWnm2:3toFksY5ebjX1moRqJ6uuXQ/oHt2+L
Malware Config
Extracted family: njrat
- Njrat 0.7 Golden By Hassan Amiri
- Hacker
- 5.tcp.eu.ngrok.io:15728
- Windows Update
- reg_key: Windows Update
- splitter: |Hassan|
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation by c0d00e3956e2dfeadee3ca654d8cb54c.exe
- Executes dropped EXE (1 IoC)
  PID 3308 WinRar.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Drops file in Windows directory (1 IoC)
  File created: C:\Windows\WinRar.exe by c0d00e3956e2dfeadee3ca654d8cb54c.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  PID 3084 c0d00e3956e2dfeadee3ca654d8cb54c.exe
  PID 3308 WinRar.exe
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  All entries are PID 3308 WinRar.exe: Token: SeDebugPrivilege once, then Token: 33 and Token: SeIncBasePriorityPrivilege alternating for the remaining entries.
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3084 c0d00e3956e2dfeadee3ca654d8cb54c.exe wrote to memory of PID 3308 WinRar.exe (3 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\c0d00e3956e2dfeadee3ca654d8cb54c.exe (PID 3084)
   Command line: "C:\Users\Admin\AppData\Local\Temp\c0d00e3956e2dfeadee3ca654d8cb54c.exe"
   - Checks computer location settings
   - Drops file in Windows directory
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\WinRar.exe (PID 3308, child of 1)
      Command line: "C:\Windows\WinRar.exe"
      - Executes dropped EXE
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\WinRar.exe (same hashes as the submitted sample)
  Filesize: 43KB
  MD5: c0d00e3956e2dfeadee3ca654d8cb54c
  SHA1: 0bd886d04f96f4bff5b04c169d0984540fb35300
  SHA256: b43959f8924a76b63b8300fb1d7f3943736d9c58e8c079e11bb17390949ed894
  SHA512: 90a03de70316c930828b99381867ef1c032ff91ddeb79a4190c09d09225f7d898dda0385b580aa9a465ecf646a25e41cf80bad922adc876e6e1b9228f971899a
Memory dumps
- memory/3084-133 0x0000000000630000-0x0000000000642000: 72KB
- memory/3084-134 0x0000000005020000-0x00000000050BC000: 624KB
- memory/3084-135 0x0000000005890000-0x0000000005E34000: 5.6MB
- memory/3084-136 0x00000000053E0000-0x0000000005472000: 584KB
- memory/3084-137 0x0000000005000000-0x0000000005010000: 64KB
- memory/3084-138 0x0000000005000000-0x0000000005010000: 64KB
- memory/3308-148 0x00000000055F0000-0x0000000005600000: 64KB
- memory/3308-149 0x0000000005700000-0x000000000570A000: 40KB
- memory/3308-150 0x00000000059E0000-0x0000000005A46000: 408KB
- memory/3308-151 0x00000000055F0000-0x0000000005600000: 64KB