a151949391ff0a79a79dee5f1fbfaf2609603cb850673ccbf5485590da756ff1

General

Target

rab.exe
Size

360KB
MD5

3050c9bdf485aa7097ce4429de953ed0
SHA1

88c5344d5c4e890dbac50b9efc1b3460f99f76b6
SHA256

a151949391ff0a79a79dee5f1fbfaf2609603cb850673ccbf5485590da756ff1
SHA512

8ed96ca6397f7e7b20d9b407d5529a160ca125cfa8ec303129c54cd7d792a29e83bcc81f7954beb568aa76ebea1a6974c7448cf8b88d0af7561c6e44f1d0f413
SSDEEP

6144:PYa6vFb8Dv3P/9SlyoQFobpJuzM3BQBr9Jm4YgdY+kPgkDabiPCQeg2k1hayw:PY9FAj39SYoQFwzBQBr9cP+JkDabiktn

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Control Panel\International\Geo\Nation	njadqpwky.exe

Executes dropped EXE 2 IoCs

pid	Process
2708	njadqpwky.exe
2612	njadqpwky.exe

Loads dropped DLL 3 IoCs

pid	Process
856	rab.exe
2708	njadqpwky.exe
2604	netsh.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2708 set thread context of 2612	2708	njadqpwky.exe	30
PID 2612 set thread context of 1268	2612	njadqpwky.exe	8
PID 2612 set thread context of 2604	2612	njadqpwky.exe	31
PID 2604 set thread context of 1268	2604	netsh.exe	8

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3750544865-3773649541-1858556521-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	netsh.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2612	njadqpwky.exe
2612	njadqpwky.exe
2612	njadqpwky.exe
2612	njadqpwky.exe
2612	njadqpwky.exe
2612	njadqpwky.exe
2612	njadqpwky.exe
2612	njadqpwky.exe
2604	netsh.exe
2604	netsh.exe
2604	netsh.exe
2604	netsh.exe
2604	netsh.exe
2604	netsh.exe
2604	netsh.exe
2604	netsh.exe
2604	netsh.exe
2604	netsh.exe
2604	netsh.exe
2604	netsh.exe
2604	netsh.exe
2604	netsh.exe
2604	netsh.exe
2604	netsh.exe
2604	netsh.exe
2604	netsh.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1268	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
2708	njadqpwky.exe
2612	njadqpwky.exe
1268	Explorer.EXE
1268	Explorer.EXE
2604	netsh.exe
2604	netsh.exe
2604	netsh.exe
2604	netsh.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2612	njadqpwky.exe
Token: SeDebugPrivilege	2604	netsh.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 2708	856	rab.exe	29
PID 856 wrote to memory of 2708	856	rab.exe	29
PID 856 wrote to memory of 2708	856	rab.exe	29
PID 856 wrote to memory of 2708	856	rab.exe	29
PID 2708 wrote to memory of 2612	2708	njadqpwky.exe	30
PID 2708 wrote to memory of 2612	2708	njadqpwky.exe	30
PID 2708 wrote to memory of 2612	2708	njadqpwky.exe	30
PID 2708 wrote to memory of 2612	2708	njadqpwky.exe	30
PID 2708 wrote to memory of 2612	2708	njadqpwky.exe	30
PID 1268 wrote to memory of 2604	1268	Explorer.EXE	31
PID 1268 wrote to memory of 2604	1268	Explorer.EXE	31
PID 1268 wrote to memory of 2604	1268	Explorer.EXE	31
PID 1268 wrote to memory of 2604	1268	Explorer.EXE	31
PID 2604 wrote to memory of 1580	2604	netsh.exe	34
PID 2604 wrote to memory of 1580	2604	netsh.exe	34
PID 2604 wrote to memory of 1580	2604	netsh.exe	34
PID 2604 wrote to memory of 1580	2604	netsh.exe	34
PID 2604 wrote to memory of 1580	2604	netsh.exe	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Users\Admin\AppData\Local\Temp\rab.exe
  "C:\Users\Admin\AppData\Local\Temp\rab.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Users\Admin\AppData\Local\Temp\njadqpwky.exe
    "C:\Users\Admin\AppData\Local\Temp\njadqpwky.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Users\Admin\AppData\Local\Temp\njadqpwky.exe
      "C:\Users\Admin\AppData\Local\Temp\njadqpwky.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2612
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\SysWOW64\netsh.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mpkzzxp.ebx

Filesize
249KB

MD5
8c6ddc730c2c32558734bf7221b83e6d

SHA1
577d88ede7677f5ab74b0b695191dfd34e3479a2

SHA256
7d3506a6b173a6e74b569d15976b8a6d814b365591c793a031c15aa95fc61c5c

SHA512
cd33e370ce0a6376fc054229cb11bfa8ba92e390c3888e27dce2dea34cf59b8658bc7c73e1f290d8ef675cb1c3c2c3df331d3b9f45e571792af162d0d68fc219

Download Submit
C:\Users\Admin\AppData\Local\Temp\njadqpwky.exe

Filesize
167KB

MD5
0e097c2fae71ee1b100c1d63d266f6f6

SHA1
f960ef1573bf625540fc3dd56561ad9bf964f963

SHA256
81ce24af9cecc2a688e792e28bed543e2d1876b7b492fe18bc05fbbb574b7ef2

SHA512
c5a78030a9529bf677e4a1000793444749d115417fa698a212cbdcfdf4d826d94e1653592bb0e9e7e077de050690d3a2b86af352caeaea73f285d00c728c1d11

Download Submit
C:\Users\Admin\AppData\Local\Temp\njadqpwky.exe

Filesize
167KB

MD5
0e097c2fae71ee1b100c1d63d266f6f6

SHA1
f960ef1573bf625540fc3dd56561ad9bf964f963

SHA256
81ce24af9cecc2a688e792e28bed543e2d1876b7b492fe18bc05fbbb574b7ef2

SHA512
c5a78030a9529bf677e4a1000793444749d115417fa698a212cbdcfdf4d826d94e1653592bb0e9e7e077de050690d3a2b86af352caeaea73f285d00c728c1d11

Download Submit
C:\Users\Admin\AppData\Local\Temp\njadqpwky.exe

Filesize
167KB

MD5
0e097c2fae71ee1b100c1d63d266f6f6

SHA1
f960ef1573bf625540fc3dd56561ad9bf964f963

SHA256
81ce24af9cecc2a688e792e28bed543e2d1876b7b492fe18bc05fbbb574b7ef2

SHA512
c5a78030a9529bf677e4a1000793444749d115417fa698a212cbdcfdf4d826d94e1653592bb0e9e7e077de050690d3a2b86af352caeaea73f285d00c728c1d11

Download Submit
C:\Users\Admin\AppData\Local\Temp\tpl88dh.zip

Filesize
429KB

MD5
16f94aee2d9a53bf8e58722679063051

SHA1
b1495ea7c4b2cad58404e051c144ac49323f95ee

SHA256
43a12cc1c155d0bb9686a1fcbc90babc9e99dbec475bddc2acacf31bd2b159e8

SHA512
9eaa6f61ecbadccdec565e32d5559e795365adacdbc0ff7362612b4d623117ce821817c7b7ac41538e765e7e0887b0ff2512f860a80662322a22524d4da13b36

Download Submit
\Users\Admin\AppData\Local\Temp\njadqpwky.exe

Filesize
167KB

MD5
0e097c2fae71ee1b100c1d63d266f6f6

SHA1
f960ef1573bf625540fc3dd56561ad9bf964f963

SHA256
81ce24af9cecc2a688e792e28bed543e2d1876b7b492fe18bc05fbbb574b7ef2

SHA512
c5a78030a9529bf677e4a1000793444749d115417fa698a212cbdcfdf4d826d94e1653592bb0e9e7e077de050690d3a2b86af352caeaea73f285d00c728c1d11

Download Submit
\Users\Admin\AppData\Local\Temp\njadqpwky.exe

Filesize
167KB

MD5
0e097c2fae71ee1b100c1d63d266f6f6

SHA1
f960ef1573bf625540fc3dd56561ad9bf964f963

SHA256
81ce24af9cecc2a688e792e28bed543e2d1876b7b492fe18bc05fbbb574b7ef2

SHA512
c5a78030a9529bf677e4a1000793444749d115417fa698a212cbdcfdf4d826d94e1653592bb0e9e7e077de050690d3a2b86af352caeaea73f285d00c728c1d11

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
819KB

MD5
eda40ea55ff2eb2a2e5aca836bb1cc26

SHA1
6de11b4b121bc8b9b87b05ddbdd6eda4e9442c37

SHA256
330b88eacb778b86dff1a90189121e8b3280723be9fbf4e55174ede2bbf74af0

SHA512
caf63f50931f76ec919528dedfb8b6ee14590f5aa33f91a6b9c24f63c0f3851cffdc16eab976ee7d6140f383050050d26f3547743b5ae772001b8f6199f0a4fc

Download Submit
memory/1268-32-0x00000000068E0000-0x00000000069CC000-memory.dmp

Filesize
944KB

Download
memory/1268-29-0x00000000068E0000-0x00000000069CC000-memory.dmp

Filesize
944KB

Download
memory/1268-28-0x00000000068E0000-0x00000000069CC000-memory.dmp

Filesize
944KB

Download
memory/1268-27-0x0000000002D40000-0x0000000002E40000-memory.dmp

Filesize
1024KB

Download
memory/1268-21-0x0000000008800000-0x0000000009520000-memory.dmp

Filesize
13.1MB

Download
memory/1268-18-0x0000000008800000-0x0000000009520000-memory.dmp

Filesize
13.1MB

Download
memory/2604-19-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/2604-30-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/2604-73-0x0000000061E00000-0x0000000061EBA000-memory.dmp

Filesize
744KB

Download
memory/2604-22-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/2604-31-0x0000000000BB0000-0x0000000000C53000-memory.dmp

Filesize
652KB

Download
memory/2604-24-0x00000000021B0000-0x00000000024B3000-memory.dmp

Filesize
3.0MB

Download
memory/2604-25-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/2604-26-0x0000000000BB0000-0x0000000000C53000-memory.dmp

Filesize
652KB

Download
memory/2612-15-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2612-20-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2612-14-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2612-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2612-23-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2612-13-0x0000000000B00000-0x0000000000E03000-memory.dmp

Filesize
3.0MB

Download
memory/2612-10-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2612-17-0x00000000002E0000-0x0000000000304000-memory.dmp

Filesize
144KB

Download
memory/2708-6-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing