Analysis
  max time kernel:   149s
  max time network:  145s
  platform:          windows10_x64
  resource:          win10v20201028
  submitted:         14-12-2020 16:14

  static1      Static task
  behavioral1  Behavioral task, sample b9c6c9838b6c8f0ee4142de9a4a15d79.exe, resource win7v20201028
  behavioral2  Behavioral task, sample b9c6c9838b6c8f0ee4142de9a4a15d79.exe, resource win10v20201028
General
  Target:  b9c6c9838b6c8f0ee4142de9a4a15d79.exe
  Size:    31KB
  MD5:     b9c6c9838b6c8f0ee4142de9a4a15d79
  SHA1:    0b8facf9ac1e2c02f2cc719019e8f19225d25447
  SHA256:  3f9c4d9047bbdb5f2c575c11c9b7d43e94a8053ec7a03318ce82fcac84d74b14
  SHA512:  9aed75440268b61717356c9fec17022d5a08badc73036100b17437c2d959cc4fbd76cd13b1316c79a09c46a877939da40f1d0611fa6fa6915495eb0ae228fe0b
Malware Config
Extracted
  family:    njrat
  version:   0.7d
  campaign:  SQLi Dumper
  C2:        osbios.net:3129
  mutex:     b3bb675697aae6a94367e8803b763fc4
  reg_key:   b3bb675697aae6a94367e8803b763fc4
  splitter:  Y262SUCZ4UJJ

  The "campaign" and "mutex" labels are inferred from the position of the values in the extractor output (the page prints them without field names); the remaining labels are the extractor's own. The reg_key value is reused below as the Run value name and as the startup-folder file name, so it is the single most useful host IoC for this build.
Signatures

Executes dropped EXE (1 IoC)
  PID 2236  Microsoft Service.exe

Modifies Windows Firewall (1 TTP)
  Realised by the netsh.exe child (PID 1316) shown under Processes below, which adds the dropped binary as a firewall allowed program.

Drops startup file (2 IoCs)
  Process: Microsoft Service.exe
  File created:                 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b3bb675697aae6a94367e8803b763fc4.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b3bb675697aae6a94367e8803b763fc4.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: Microsoft Service.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\b3bb675697aae6a94367e8803b763fc4
                   = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Service.exe\" .."
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b3bb675697aae6a94367e8803b763fc4
                   = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Service.exe\" .."
  The value name is the config reg_key. The HKLM write lands under WOW6432Node and netsh is launched from SysWOW64, so the sample runs as a 32-bit process on this x64 VM. The trailing " .." argument in the value data is characteristic of njRAT's autorun entry and is a better detection hook than the file name, which the operator chooses.

Enumerates physical storage devices (1 TTP)
  Sandbox description: "Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour."
  That text is the generic description attached to this signature, not a verdict on this sample. For njRAT, drive enumeration is consistent with the RAT's file manager and removable-drive spreading rather than with ransomware; nothing else in this report indicates encryption.

Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Process: Microsoft Service.exe (PID 2236)
  Token: SeDebugPrivilege                      x1
  Token: 33 (LUID reported without a name)     x16
  Token: SeIncBasePriorityPrivilege            x16
  After the single SeDebugPrivilege adjustment the remaining 32 entries alternate strictly (33, then SeIncBasePriorityPrivilege) sixteen times.

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3408 (b9c6c9838b6c8f0ee4142de9a4a15d79.exe)  wrote to memory of  PID 2236 (Microsoft Service.exe)  x3
  PID 2236 (Microsoft Service.exe)                   wrote to memory of  PID 1316 (netsh.exe)              x3
  Both pairs coincide with the parent creating the child in the process tree below; on its own this signature does not establish code injection into an unrelated process.
Processes

1. C:\Users\Admin\AppData\Local\Temp\b9c6c9838b6c8f0ee4142de9a4a15d79.exe  (PID 3408)
   "C:\Users\Admin\AppData\Local\Temp\b9c6c9838b6c8f0ee4142de9a4a15d79.exe"
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\Microsoft Service.exe  (PID 2236)
      "C:\Users\Admin\AppData\Local\Temp\Microsoft Service.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe  (PID 1316)
         netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Microsoft Service.exe" "Microsoft Service.exe" ENABLE
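Added example, not part of the Tria.ge report and not the sample's own code: detection logic for the persistence chain recorded above (a Run value whose data is a quoted user-writable path followed by " ..", a startup-folder drop named after that Run value, a netsh allowedprogram rule for a binary under %TEMP%, and a child process that is a hash-identical copy of its parent), run over constructed Sysmon-style events. The event field names (id/pid/ppid/image/cmd/sha256/target/details), the parent PID 4000 of the first process, and the benign OneDrive Run entry are assumptions made for the example; the paths, PIDs, value names and SHA256 are the ones this report lists.

```python
"""Detection logic for the njRAT persistence chain in this report, run over
constructed Sysmon-style events (added example; not Tria.ge output and not the
sample's code).  Field names are an assumption modelled on Sysmon event IDs
1 (process create), 11 (file create) and 13 (registry value set)."""
import re
from collections import defaultdict

SAMPLE_SHA256 = "3f9c4d9047bbdb5f2c575c11c9b7d43e94a8053ec7a03318ce82fcac84d74b14"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed events mirroring the report's IoCs, plus one benign Run entry
# (OneDrive, pid 5120) so the rules can be seen not firing on ordinary autoruns.
EVENTS = [
    {"id": 1, "pid": 3408, "ppid": 4000, "image": TEMP + r"\b9c6c9838b6c8f0ee4142de9a4a15d79.exe",
     "cmd": "", "sha256": SAMPLE_SHA256},
    {"id": 1, "pid": 2236, "ppid": 3408, "image": TEMP + r"\Microsoft Service.exe",
     "cmd": "", "sha256": SAMPLE_SHA256},            # same hash as the parent: self-copy
    {"id": 13, "pid": 2236,
     "target": r"HKU\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\b3bb675697aae6a94367e8803b763fc4",
     "details": '"' + TEMP + r'\Microsoft Service.exe" ..'},
    {"id": 13, "pid": 2236,
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b3bb675697aae6a94367e8803b763fc4",
     "details": '"' + TEMP + r'\Microsoft Service.exe" ..'},
    {"id": 13, "pid": 5120,
     "target": r"HKU\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"id": 11, "pid": 2236,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b3bb675697aae6a94367e8803b763fc4.exe"},
    {"id": 1, "pid": 1316, "ppid": 2236, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmd": 'netsh firewall add allowedprogram "' + TEMP + r'\Microsoft Service.exe" "Microsoft Service.exe" ENABLE'},
]

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
NJRAT_RUN_DATA_RE = re.compile(r'^"([^"]+)" \.\.$')          # "<path>" ..  (trailing-dots argument)
STARTUP_DROP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\([^\\]+)\.exe$", re.I)
USER_WRITABLE_RE = re.compile(r"\\AppData\\(?:Local\\Temp|Roaming)\\", re.I)
NETSH_ALLOW_RE = re.compile(r'firewall\s+add\s+allowedprogram\s+"([^"]+)"', re.I)


def detect(events):
    """Return (rule, pid, detail) alerts.  Registry events are scanned first so a
    startup-folder drop can be matched against the Run value name the same
    process wrote, regardless of the order the events arrived in."""
    alerts = []
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    run_names = defaultdict(set)                              # pid -> Run value names it set

    for e in (x for x in events if x["id"] == 13):
        m = RUN_KEY_RE.search(e["target"])
        if not m:
            continue
        run_names[e["pid"]].add(m.group(1).lower())
        d = NJRAT_RUN_DATA_RE.match(e["details"])
        # njRAT-style autorun: quoted path in a user-writable directory followed by " .."
        if d and USER_WRITABLE_RE.search(d.group(1)):
            alerts.append(("run_key_njrat_style", e["pid"], e["target"]))

    for e in events:
        if e["id"] == 11:
            m = STARTUP_DROP_RE.search(e["target"])
            if m and m.group(1).lower() in run_names[e["pid"]]:
                alerts.append(("startup_drop_matches_run_key", e["pid"], e["target"]))
        elif e["id"] == 1:
            if e["image"].lower().endswith(r"\netsh.exe"):
                m = NETSH_ALLOW_RE.search(e["cmd"])
                if m and USER_WRITABLE_RE.search(m.group(1)):
                    alerts.append(("netsh_allow_user_path", e["pid"], m.group(1)))
            parent = procs.get(e["ppid"])
            # Dropped self-copy: child carries the parent's hash under a different file name
            if (parent and e.get("sha256") and e["sha256"] == parent.get("sha256")
                    and e["image"].lower() != parent["image"].lower()):
                alerts.append(("self_copy_executed", e["pid"], e["image"]))
    return alerts


def summarize(events):
    """Rule name -> sorted list of distinct PIDs that triggered it."""
    hits = defaultdict(set)
    for rule, pid, _ in detect(events):
        hits[rule].add(pid)
    return {rule: sorted(pids) for rule, pids in hits.items()}


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:30} pid={pid:<5} {detail}")
```

The WriteProcessMemory signature is deliberately not used as a rule: as noted above, the three writes per child coincide with ordinary process creation. The netsh rule is worth keeping family-agnostic, since a firewall allowed-program entry for anything under %TEMP% or %APPDATA% is suspicious on its own.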
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\Microsoft Service.exe
  MD5:     b9c6c9838b6c8f0ee4142de9a4a15d79
  SHA1:    0b8facf9ac1e2c02f2cc719019e8f19225d25447
  SHA256:  3f9c4d9047bbdb5f2c575c11c9b7d43e94a8053ec7a03318ce82fcac84d74b14
  SHA512:  9aed75440268b61717356c9fec17022d5a08badc73036100b17437c2d959cc4fbd76cd13b1316c79a09c46a877939da40f1d0611fa6fa6915495eb0ae228fe0b
  (The report lists this entry twice with identical values.) All four hashes match the submitted sample exactly: Microsoft Service.exe is a byte-for-byte self-copy, so the file hashes under General cover both the original and the dropped binary.

memory/1316-5-0x0000000000000000-mapping.dmp
memory/2236-2-0x0000000000000000-mapping.dmp