Analysis
max time kernel: 150s
max time network: 150s
platform: windows10_x64
resource: win10v20201028
submitted: 21-11-2020 23:18
Static task: static1
Behavioral task: behavioral1 (Sample: z2d6Yt5v.exe, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: z2d6Yt5v.exe, Resource: win10v20201028)
General
Target: z2d6Yt5v.exe
Size: 23KB
MD5: 9bb6d4f72a348ad47cc97185604f4dd9
SHA1: 7384957e8a29f517654fcbd905861574e772d3ed
SHA256: 0a170ca414d288bc25ebb5ce92ccd51ff0f62b1479d669172194bf0067601df1
SHA512: 3a1e4c94afd24c89a256deca640467c833547fe431c2041f3afc6fafdd3551f7d4f14edfa5be6099901d4bb38526fdfe197702dd334c74d98951887187cf2c48
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: Bouffon
C2: noiphack93.hopto.org:5553
Mutex: af48625ee196d906557ab2d838a9cc2f
reg_key: af48625ee196d906557ab2d838a9cc2f
splitter: |'|'|
Signatures

Executes dropped EXE (3 IoCs)
Processes:
pid | process
868 | Core Service.exe
4080 | tmp2B42.tmp.exe
1640 | tmp2B42.tmp.exe
Modifies Windows Firewall (1 TTPs)

Drops startup file (5 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | tmp2B42.tmp.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Services.url | tmp2B42.tmp.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe | Core Service.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe | Core Service.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | tmp2B42.tmp.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\af48625ee196d906557ab2d838a9cc2f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Core Service.exe\" .." | Core Service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\af48625ee196d906557ab2d838a9cc2f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Core Service.exe\" .." | Core Service.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp2B42.tmp.exe\" .." | tmp2B42.tmp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp2B42.tmp.exe\" .." | tmp2B42.tmp.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious use of AdjustPrivilegeToken (38 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 868 | Core Service.exe
Token: 33 | 868 | Core Service.exe
Token: SeIncBasePriorityPrivilege | 868 | Core Service.exe
Token: 33 | 868 | Core Service.exe
Token: SeIncBasePriorityPrivilege | 868 | Core Service.exe
Token: 33 | 868 | Core Service.exe
Token: SeIncBasePriorityPrivilege | 868 | Core Service.exe
Token: 33 | 868 | Core Service.exe
Token: SeIncBasePriorityPrivilege | 868 | Core Service.exe
Token: 33 | 868 | Core Service.exe
Token: SeIncBasePriorityPrivilege | 868 | Core Service.exe
Token: 33 | 868 | Core Service.exe
Token: SeIncBasePriorityPrivilege | 868 | Core Service.exe
Token: 33 | 868 | Core Service.exe
Token: SeIncBasePriorityPrivilege | 868 | Core Service.exe
Token: 33 | 868 | Core Service.exe
Token: SeIncBasePriorityPrivilege | 868 | Core Service.exe
Token: 33 | 868 | Core Service.exe
Token: SeIncBasePriorityPrivilege | 868 | Core Service.exe
Token: 33 | 868 | Core Service.exe
Token: SeIncBasePriorityPrivilege | 868 | Core Service.exe
Token: 33 | 868 | Core Service.exe
Token: SeIncBasePriorityPrivilege | 868 | Core Service.exe
Token: 33 | 868 | Core Service.exe
Token: SeIncBasePriorityPrivilege | 868 | Core Service.exe
Token: 33 | 868 | Core Service.exe
Token: SeIncBasePriorityPrivilege | 868 | Core Service.exe
Token: 33 | 868 | Core Service.exe
Token: SeIncBasePriorityPrivilege | 868 | Core Service.exe
Token: SeDebugPrivilege | 4080 | tmp2B42.tmp.exe
Token: 33 | 868 | Core Service.exe
Token: SeIncBasePriorityPrivilege | 868 | Core Service.exe
Token: 33 | 4080 | tmp2B42.tmp.exe
Token: SeIncBasePriorityPrivilege | 4080 | tmp2B42.tmp.exe
Token: 33 | 4080 | tmp2B42.tmp.exe
Token: SeIncBasePriorityPrivilege | 4080 | tmp2B42.tmp.exe
Token: 33 | 868 | Core Service.exe
Token: SeIncBasePriorityPrivilege | 868 | Core Service.exe
Suspicious use of WriteProcessMemory (21 IoCs)
Processes:
description | pid | process | target process
PID 984 wrote to memory of 868 | 984 | z2d6Yt5v.exe | Core Service.exe
PID 984 wrote to memory of 868 | 984 | z2d6Yt5v.exe | Core Service.exe
PID 984 wrote to memory of 868 | 984 | z2d6Yt5v.exe | Core Service.exe
PID 868 wrote to memory of 728 | 868 | Core Service.exe | netsh.exe
PID 868 wrote to memory of 728 | 868 | Core Service.exe | netsh.exe
PID 868 wrote to memory of 728 | 868 | Core Service.exe | netsh.exe
PID 868 wrote to memory of 4080 | 868 | Core Service.exe | tmp2B42.tmp.exe
PID 868 wrote to memory of 4080 | 868 | Core Service.exe | tmp2B42.tmp.exe
PID 868 wrote to memory of 4080 | 868 | Core Service.exe | tmp2B42.tmp.exe
PID 4080 wrote to memory of 2264 | 4080 | tmp2B42.tmp.exe | schtasks.exe
PID 4080 wrote to memory of 2264 | 4080 | tmp2B42.tmp.exe | schtasks.exe
PID 4080 wrote to memory of 2264 | 4080 | tmp2B42.tmp.exe | schtasks.exe
PID 4080 wrote to memory of 824 | 4080 | tmp2B42.tmp.exe | schtasks.exe
PID 4080 wrote to memory of 824 | 4080 | tmp2B42.tmp.exe | schtasks.exe
PID 4080 wrote to memory of 824 | 4080 | tmp2B42.tmp.exe | schtasks.exe
PID 1640 wrote to memory of 3180 | 1640 | tmp2B42.tmp.exe | schtasks.exe
PID 1640 wrote to memory of 3180 | 1640 | tmp2B42.tmp.exe | schtasks.exe
PID 1640 wrote to memory of 3180 | 1640 | tmp2B42.tmp.exe | schtasks.exe
PID 1640 wrote to memory of 2472 | 1640 | tmp2B42.tmp.exe | schtasks.exe
PID 1640 wrote to memory of 2472 | 1640 | tmp2B42.tmp.exe | schtasks.exe
PID 1640 wrote to memory of 2472 | 1640 | tmp2B42.tmp.exe | schtasks.exe
Processes

C:\Users\Admin\AppData\Local\Temp\z2d6Yt5v.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\z2d6Yt5v.exe"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Core Service.exe (level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\Core Service.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe (level 3)
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Core Service.exe" "Core Service.exe" ENABLE

    C:\Users\Admin\AppData\Local\Temp\tmp2B42.tmp.exe (level 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\tmp2B42.tmp.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\schtasks.exe (level 4)
        command line: schtasks /Delete /tn NYAN /F

      C:\Windows\SysWOW64\schtasks.exe (level 4)
        command line: schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\tmp2B42.tmp.exe" /sc minute /mo 1
        - Creates scheduled task(s)

C:\Users\Admin\AppData\Local\Temp\tmp2B42.tmp.exe (level 1)
  command line: C:\Users\Admin\AppData\Local\Temp\tmp2B42.tmp.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe (level 2)
    command line: schtasks /Delete /tn NYAN /F

  C:\Windows\SysWOW64\schtasks.exe (level 2)
    command line: schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\tmp2B42.tmp.exe" /sc minute /mo 1
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\Core Service.exe
MD5: 9bb6d4f72a348ad47cc97185604f4dd9
SHA1: 7384957e8a29f517654fcbd905861574e772d3ed
SHA256: 0a170ca414d288bc25ebb5ce92ccd51ff0f62b1479d669172194bf0067601df1
SHA512: 3a1e4c94afd24c89a256deca640467c833547fe431c2041f3afc6fafdd3551f7d4f14edfa5be6099901d4bb38526fdfe197702dd334c74d98951887187cf2c48

C:\Users\Admin\AppData\Local\Temp\tmp2B42.tmp.exe
MD5: e313917d108e311f518d000a83349e42
SHA1: 4d6561b1f4dda2e62106698ffd6b4be9e42b2bca
SHA256: a7dc742ea2c45d9cfbdd20fcb07214f0cf6e1d2dddd76a01addb0fe42e8b979b
SHA512: 3e785fca574aa94cf7d41390e8bdb228fd6ace75212efff8ccbe7e062ede056688dc8e1b308c73f648bae06f492d021231c45b8203b7d079d79320e0ec6049fe