Analysis
- Max time kernel: 151s
- Max time network: 150s
- Platform: windows7_x64
- Resource: win7v20201028
- Submitted: 14-12-2020 16:45
- Static task: static1
- Behavioral task behavioral1: sample d7d409bba14e1deb37b6c589a6e21a85.exe, resource win7v20201028
- Behavioral task behavioral2: sample d7d409bba14e1deb37b6c589a6e21a85.exe, resource win10v20201028
General
- Target: d7d409bba14e1deb37b6c589a6e21a85.exe
- Size: 23KB
- MD5: d7d409bba14e1deb37b6c589a6e21a85
- SHA1: 77553fab55f20d963c193403e3d616af9e534423
- SHA256: 4ba5a3bf2d29ffad2ac84dcf7b86adaf1918476f1ec28ee23c457a5fbfa13d5c
- SHA512: 0cb65ce4c283334ba1c9bc3f5c390b8aee422369479da99f12e3ea54c90aa350128b2863e9a19c24017fffec1e6675d45aceeb5d4f2187212471a7e29a440702
Malware Config
Extracted
- Family: njrat
- Version: Madest 0.7d
- Campaign ID: HacKed
- C2: 2.tcp.ngrok.io:19473
- Identifier: 604f175a359f0dc228c1d0efe969a277
- reg_key: 604f175a359f0dc228c1d0efe969a277
- splitter: |'|'|

Note on the C2: 2.tcp.ngrok.io is an ngrok TCP tunnel endpoint. The hostname and port together identify this operator's tunnel; the IP it resolves to belongs to ngrok and is shared with unrelated tunnels, so block or hunt on the host:port pair (and on the splitter string in captured traffic) rather than on the resolved address.
Signatures
- Executes dropped EXE (1 IoC)
  Process: PID 1724 wslend.exe
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Process: wslend.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\604f175a359f0dc228c1d0efe969a277.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\604f175a359f0dc228c1d0efe969a277.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: wslend.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\604f175a359f0dc228c1d0efe969a277 = "\"C:\\Windows\\wslend.exe\" .."
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\604f175a359f0dc228c1d0efe969a277 = "\"C:\\Windows\\wslend.exe\" .."
- Drops file in Windows directory (1 IoC)
  Process: d7d409bba14e1deb37b6c589a6e21a85.exe
  File created: C:\Windows\wslend.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). This is the sandbox's generic description of the signature; for njRAT, drive enumeration is consistent with its removable-drive spreading routine rather than with ransomware.
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Process: PID 1724 wslend.exe
  Token: SeDebugPrivilege (once), followed by Token: 33 and Token: SeIncBasePriorityPrivilege alternating, 15 times each
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1992 d7d409bba14e1deb37b6c589a6e21a85.exe wrote to memory of PID 1724 wslend.exe (4 times)
  PID 1724 wslend.exe wrote to memory of PID 788 netsh.exe (4 times)
  In both cases the target is a child the writer had just spawned (see the process tree). A short burst of parent-to-child writes at process start is the normal pattern when a parent launches a child, so this signature is not, by itself, evidence of code injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\d7d409bba14e1deb37b6c589a6e21a85.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d7d409bba14e1deb37b6c589a6e21a85.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\wslend.exe (level 2)
    Command line: "C:\Windows\wslend.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (level 3)
      Command line: netsh firewall add allowedprogram "C:\Windows\wslend.exe" "wslend.exe" ENABLE
      The SysWOW64 netsh and the Wow6432Node Run key above both show that the chain runs as 32-bit processes; the firewall exception is what lets the ngrok-tunnelled C2 connection through the host firewall.
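Added detection example, written for this page and not part of the sandbox report or its tooling: a small correlation rule that replays the persistence chain above (drop into C:\Windows\, 32-hex Run value with the njRAT-style `"<path>" ..` data, startup-folder copy named after the same identifier, netsh allowedprogram exception) over host events. The event records, the Sysmon-style field names (EventID, Image, TargetFilename, TargetObject, Details, CommandLine) and the benign noise entries are constructed assumptions; the paths, registry value names and netsh command line mirror this report's IoCs.

```python
"""Correlate host events into the njRAT persistence chain shown in this report.

Added example, not part of the sandbox report or its tooling. SAMPLE_EVENTS is
constructed to mirror the report's IoCs; field names follow Sysmon (EventID,
Image, TargetFilename, TargetObject, Details, CommandLine) and are assumptions
about the log source, not data taken from the report.
"""
import re
from collections import defaultdict

HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)  # njRAT-style identifier, e.g. 604f175a...
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
STARTUP_EXE = re.compile(r"\\Start Menu\\Programs\\Startup\\([^\\]+)\.exe$", re.I)
WINDOWS_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)
NETSH_ALLOW = re.compile(r'netsh\s+firewall\s+add\s+allowedprogram\s+"([^"]+)"', re.I)
RUN_VALUE_DOTDOT = re.compile(r'^"([^"]+)"\s+\.\.$')  # njRAT Run value data: "<path>" ..


def _norm(path):
    return path.strip().lower()


def classify(ev):
    """Map one event to (indicator, executable path), or None if it is not of interest."""
    eid = ev["EventID"]
    if eid == 11:  # FileCreate
        target = ev["TargetFilename"]
        if WINDOWS_ROOT_EXE.match(target):
            # Executable dropped directly into C:\Windows\, as wslend.exe was.
            return ("drop_in_windows_dir", _norm(target))
        m = STARTUP_EXE.search(target)
        if m and HEX32.match(m.group(1)):
            # Startup-folder copy named after the 32-hex identifier; attribute it to the writer.
            return ("startup_folder_copy", _norm(ev["Image"]))
    elif eid == 13:  # RegistryValueSet
        m = RUN_KEY.search(ev["TargetObject"])
        if m and HEX32.match(m.group(1)):
            d = RUN_VALUE_DOTDOT.match(ev["Details"])
            if d:
                return ("run_key_hex_name", _norm(d.group(1)))
    elif eid == 1:  # ProcessCreate
        m = NETSH_ALLOW.search(ev.get("CommandLine", ""))
        if m:
            return ("netsh_allowedprogram", _norm(m.group(1)))
    return None


def find_njrat_chains(events, min_indicators=2):
    """Group indicators by executable path; return paths with >= min_indicators distinct ones."""
    hits = defaultdict(set)
    for ev in events:
        r = classify(ev)
        if r:
            hits[r[1]].add(r[0])
    return {p: sorted(i) for p, i in hits.items() if len(i) >= min_indicators}


# Constructed records modelled on the report (PIDs 1992, 1724 and 788 as observed there).
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 1992,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\d7d409bba14e1deb37b6c589a6e21a85.exe",
     "TargetFilename": r"C:\Windows\wslend.exe"},
    {"EventID": 13, "ProcessId": 1724, "Image": r"C:\Windows\wslend.exe",
     "TargetObject": r"\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\604f175a359f0dc228c1d0efe969a277",
     "Details": r'"C:\Windows\wslend.exe" ..'},
    {"EventID": 13, "ProcessId": 1724, "Image": r"C:\Windows\wslend.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\604f175a359f0dc228c1d0efe969a277",
     "Details": r'"C:\Windows\wslend.exe" ..'},
    {"EventID": 11, "ProcessId": 1724, "Image": r"C:\Windows\wslend.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\604f175a359f0dc228c1d0efe969a277.exe"},
    {"EventID": 1, "ProcessId": 788, "ParentImage": r"C:\Windows\wslend.exe",
     "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "CommandLine": r'netsh firewall add allowedprogram "C:\Windows\wslend.exe" "wslend.exe" ENABLE'},
    # Benign noise (constructed): an ordinary Run value and a document write must not fire.
    {"EventID": 13, "ProcessId": 4000, "Image": r"C:\Program Files\Example\setup.exe",
     "TargetObject": r"\REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
     "Details": r'"C:\Program Files\Example\updater.exe" /background'},
    {"EventID": 11, "ProcessId": 2200, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Admin\Documents\notes.txt"},
]

if __name__ == "__main__":
    for path, indicators in find_njrat_chains(SAMPLE_EVENTS).items():
        print(path, "->", ", ".join(indicators))
```

The rule keys every indicator on the executable path it concerns and only alerts when two or more distinct indicators land on the same path, so a lone `netsh firewall add allowedprogram` from a legitimate installer, or a single executable written under C:\Windows\ by an updater, does not fire on its own; on the constructed events it reports C:\Windows\wslend.exe with all four indicators.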
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\wslend.exe
  MD5: d7d409bba14e1deb37b6c589a6e21a85
  SHA1: 77553fab55f20d963c193403e3d616af9e534423
  SHA256: 4ba5a3bf2d29ffad2ac84dcf7b86adaf1918476f1ec28ee23c457a5fbfa13d5c
  SHA512: 0cb65ce4c283334ba1c9bc3f5c390b8aee422369479da99f12e3ea54c90aa350128b2863e9a19c24017fffec1e6675d45aceeb5d4f2187212471a7e29a440702
  The hashes match the submitted sample exactly: the sample copies itself byte-for-byte to C:\Windows\wslend.exe rather than unpacking a separate payload, so a single file hash covers both the original and the persisted copy.
memory/788-5-0x0000000000000000-mapping.dmp
-
memory/1724-2-0x0000000000000000-mapping.dmp