Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-05-2024 01:01
Behavioral task: behavioral1
- Sample: 0aa0dd946e722343b08540a7a0cf1c40.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 0aa0dd946e722343b08540a7a0cf1c40.exe
- Resource: win10v2004-20240426-en
General
- Target: 0aa0dd946e722343b08540a7a0cf1c40.exe
- Size: 5.8MB
- MD5: 0aa0dd946e722343b08540a7a0cf1c40
- SHA1: 8db0fc9b7e24f6c73aba7c54dea94569e6c5c615
- SHA256: 8ae39d58cf11900e7c6ddfcfce20c37e6e1820bd81b47787f8d47bab83e986ef
- SHA512: c39f4c257a8faf6a2a0d6bdb05ab6c497750a22db88febbfe3c2e3c44776b7201ea23c0fe2ae2f4d0f7d001130b8d3372cd1adbd56ba1eea69ce793466ad7873
- SSDEEP: 98304:WvwH6P2uW5MI079g+DgeFahftplflf6dUwOEH6d8e6b0+hb5y94kAFq:WvwH6eL2V76+DgTNfwZHYY17Y4hw
Malware Config
Extracted
- Family: njrat
- Version: im523
- Botnet: Xbox Game Studios
- C2: kids-notified.at.ply.gg:3845
- Mutex: 28025540980d0ce611318033102f9151
- Attributes:
  - reg_key: 28025540980d0ce611318033102f9151
  - splitter: |'|'|
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes: netsh.exe
    pid 4496  netsh.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: INST.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation  INST.exe
- Drops startup file (2 IoCs)
  Processes: groundedactivator.exe
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\28025540980d0ce611318033102f9151.exe  groundedactivator.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\28025540980d0ce611318033102f9151.exe  groundedactivator.exe
- Executes dropped EXE (2 IoCs)
  Processes: INST.exe, groundedactivator.exe
    pid 4864  INST.exe
    pid 2384  groundedactivator.exe
- Loads dropped DLL (2 IoCs)
  Processes: 0aa0dd946e722343b08540a7a0cf1c40.exe
    pid 4304  0aa0dd946e722343b08540a7a0cf1c40.exe
    pid 4304  0aa0dd946e722343b08540a7a0cf1c40.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: groundedactivator.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\28025540980d0ce611318033102f9151 = "\"C:\\Users\\Admin\\AppData\\Roaming\\groundedactivator.exe\" .."  groundedactivator.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\28025540980d0ce611318033102f9151 = "\"C:\\Users\\Admin\\AppData\\Roaming\\groundedactivator.exe\" .."  groundedactivator.exe
- Drops autorun.inf file (1 TTP, 5 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  Processes: groundedactivator.exe
    File opened for modification  F:\autorun.inf  groundedactivator.exe
    File created  C:\autorun.inf  groundedactivator.exe
    File opened for modification  C:\autorun.inf  groundedactivator.exe
    File created  D:\autorun.inf  groundedactivator.exe
    File created  F:\autorun.inf  groundedactivator.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: groundedactivator.exe
    pid 2384  groundedactivator.exe  (64 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: groundedactivator.exe
    pid 2384  groundedactivator.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes: groundedactivator.exe
    Token: SeDebugPrivilege  pid 2384  groundedactivator.exe  (1 entry)
    Token: 33  pid 2384  groundedactivator.exe  (17 entries)
    Token: SeIncBasePriorityPrivilege  pid 2384  groundedactivator.exe  (17 entries, alternating with the Token: 33 entries)
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: 0aa0dd946e722343b08540a7a0cf1c40.exe, 0aa0dd946e722343b08540a7a0cf1c40.exe, cmd.exe, INST.exe, groundedactivator.exe
    PID 1240 (0aa0dd946e722343b08540a7a0cf1c40.exe) wrote to memory of 4304 (0aa0dd946e722343b08540a7a0cf1c40.exe)  (2 entries)
    PID 4304 (0aa0dd946e722343b08540a7a0cf1c40.exe) wrote to memory of 3248 (cmd.exe)  (2 entries)
    PID 4304 (0aa0dd946e722343b08540a7a0cf1c40.exe) wrote to memory of 3360 (cmd.exe)  (2 entries)
    PID 3360 (cmd.exe) wrote to memory of 4864 (INST.exe)  (3 entries)
    PID 4864 (INST.exe) wrote to memory of 2384 (groundedactivator.exe)  (3 entries)
    PID 2384 (groundedactivator.exe) wrote to memory of 4496 (netsh.exe)  (3 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\0aa0dd946e722343b08540a7a0cf1c40.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0aa0dd946e722343b08540a7a0cf1c40.exe"
   PID: 1240
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\0aa0dd946e722343b08540a7a0cf1c40.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\0aa0dd946e722343b08540a7a0cf1c40.exe"
      PID: 4304
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SYSTEM32\cmd.exe
         Command line: cmd /c echo %temp%
         PID: 3248
      3. C:\Windows\system32\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\INST.exe
         PID: 3360
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\INST.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\INST.exe
            PID: 4864
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Roaming\groundedactivator.exe
               Command line: "C:\Users\Admin\AppData\Roaming\groundedactivator.exe"
               PID: 2384
               - Drops startup file
               - Executes dropped EXE
               - Adds Run key to start application
               - Drops autorun.inf file
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious behavior: GetForegroundWindowSpam
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of WriteProcessMemory
               6. C:\Windows\SysWOW64\netsh.exe
                  Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\groundedactivator.exe" "groundedactivator.exe" ENABLE
                  PID: 4496
                  - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1): Windows Service (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1): Windows Service (1)
Downloads
- Filesize: 37KB
  MD5: fd24c519c72937a7f150745ccacc9b1b
  SHA1: 23677305457d245f5104bb3ecd4c562d52e052e6
  SHA256: d117884a2b2ccfc147f8c667874feeb70335fb88e6a3d03584083d975c00c83e
  SHA512: d430e545d524634e6ea7989777ed4a75857689bbdb0fa5451dd9e99990323b3ed82588d91d85a980e0e76a804117c0281443716b4072f97e0fc8f628a2889d3c
- Filesize: 95KB
  MD5: f34eb034aa4a9735218686590cba2e8b
  SHA1: 2bc20acdcb201676b77a66fa7ec6b53fa2644713
  SHA256: 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
  SHA512: d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af
- Filesize: 1.0MB
  MD5: e75eb8bcc934a2f3ca49a0a9227f2edf
  SHA1: b47a41bc9dab963ea89d679b02a7ede92c6c7516
  SHA256: 0580066426cc1e4cbea64c459ec9a951fd6d62d93c1149c11386e96f32b7e345
  SHA512: 69cd7ecf412e006cdb9115ca93fd0103c236a36268478fbdd2777fb8c368f636d705b24f30095ae5854bc2b432660e12ead41621f4b031341ce4cb695349ef73
- Filesize: 4.2MB
  MD5: e9c0fbc99d19eeedad137557f4a0ab21
  SHA1: 8945e1811ceb4b26f21edcc7a36dcf2b1d34f0bf
  SHA256: 5783c5c5a3ffce181691f19d27de376a03010d32e41360b72bcdbd28467cfcc5
  SHA512: 74e1289683642ae2bc3cf780a07af1f27fed2011ef6cc67380f9c066c59d17a2fb2394a45a5c6cd75dad812a61093fdbd0f2108925f5c58fc6644c1c98be5c0b