Analysis
- max time kernel: 150s
- max time network: 145s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 21-11-2020 23:18

Static task: static1

Behavioral task: behavioral1
- Sample: z2d6Yt5v.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: z2d6Yt5v.exe
- Resource: win10v20201028
General
- Target: z2d6Yt5v.exe
- Size: 23KB
- MD5: 9bb6d4f72a348ad47cc97185604f4dd9
- SHA1: 7384957e8a29f517654fcbd905861574e772d3ed
- SHA256: 0a170ca414d288bc25ebb5ce92ccd51ff0f62b1479d669172194bf0067601df1
- SHA512: 3a1e4c94afd24c89a256deca640467c833547fe431c2041f3afc6fafdd3551f7d4f14edfa5be6099901d4bb38526fdfe197702dd334c74d98951887187cf2c48
Malware Config
Extracted
- njrat
- 0.7d
- Bouffon
- noiphack93.hopto.org:5553
- af48625ee196d906557ab2d838a9cc2f
- reg_key: af48625ee196d906557ab2d838a9cc2f
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes: Core Service.exe (pid 1680)
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Processes: Core Service.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe
- Loads dropped DLL (1 IoC)
  Processes: z2d6Yt5v.exe (pid 364)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: Core Service.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\af48625ee196d906557ab2d838a9cc2f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Core Service.exe\" .."
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\af48625ee196d906557ab2d838a9cc2f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Core Service.exe\" .."
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Processes: Core Service.exe (pid 1680)
  - Token: SeDebugPrivilege (1 event)
  - Token: 33 and Token: SeIncBasePriorityPrivilege, alternating (15 events each)
- Suspicious use of WriteProcessMemory (8 IoCs)
  - PID 364 (z2d6Yt5v.exe) wrote to memory of PID 1680 (Core Service.exe), 4 events
  - PID 1680 (Core Service.exe) wrote to memory of PID 848 (netsh.exe), 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\z2d6Yt5v.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\z2d6Yt5v.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Core Service.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Core Service.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Core Service.exe" "Core Service.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Core Service.exe (hashes identical to the submitted sample, so the dropped file is a copy of z2d6Yt5v.exe)
  MD5: 9bb6d4f72a348ad47cc97185604f4dd9
  SHA1: 7384957e8a29f517654fcbd905861574e772d3ed
  SHA256: 0a170ca414d288bc25ebb5ce92ccd51ff0f62b1479d669172194bf0067601df1
  SHA512: 3a1e4c94afd24c89a256deca640467c833547fe431c2041f3afc6fafdd3551f7d4f14edfa5be6099901d4bb38526fdfe197702dd334c74d98951887187cf2c48
- memory/848-4-0x0000000000000000-mapping.dmp
- memory/1680-1-0x0000000000000000-mapping.dmp