Analysis
max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7v20210408
submitted: 07-05-2021 20:27

Static task: static1
Behavioral task: behavioral1
Sample: 27643633696fa248a0b4c71e49615434.exe
Resource: win7v20210408

General
Target: 27643633696fa248a0b4c71e49615434.exe
Size: 31KB
MD5: 27643633696fa248a0b4c71e49615434
SHA1: 649381492b07b574498b09fb8660594c01051860
SHA256: 8a6cb8e4c30304c28e48f7b231566f6cb6b0003f333ad391182d9e60ad822f81
SHA512: a2d429ae10f5f1011d46f11599ee436b3497fda11910d8f10cba2508386b340da44d046925bbe419a26fe19b0bfb93eadb5f4458977f14dbd09b17f119845f5e
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: MyBot
C2: 4.tcp.ngrok.io:13423
Mutex: 5b1aa42c8adf5af0231d2d07c548dec2 (field label missing in the extraction; njRAT reuses this identifier as the Run-key value name, which is why reg_key below is identical)
reg_key: 5b1aa42c8adf5af0231d2d07c548dec2
splitter: Y262SUCZ4UJJ

The C2 is an ngrok TCP tunnel, so the operator's real host is hidden and the hostname/port pair is ephemeral: alert on connections to *.tcp.ngrok.io from non-developer hosts rather than pinning the resolved IP. The splitter is the per-build string njRAT inserts between fields of every C2 message, so it is a usable network indicator for this build.
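njRAT frames each C2 message as an ASCII decimal length, a NUL byte and then the payload, and separates the fields inside the payload with the configured splitter. The following Python is an added example, not part of this report or of njRAT's own code, that parses such a stream using this sample's splitter and buffers a partially received trailing frame instead of dropping it. The beacon contents are constructed placeholders; the real field order of the 0.7d "ll" beacon is not shown on this page, only the command-plus-splitter structure is assumed.

```python
"""Parse an njRAT-style length-prefixed, splitter-delimited C2 stream."""
import re
from typing import List, Tuple

# Splitter recovered from this sample's extracted config.
SPLITTER = b"Y262SUCZ4UJJ"

# Frame header: decimal length in ASCII, terminated by a single NUL byte.
# No '^' anchor: pattern.match(buf, pos) already anchors at pos.
_FRAME_HDR = re.compile(rb"(\d{1,9})\x00")


def parse_frames(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Split a byte stream into complete payloads.

    Returns (payloads, remainder). The remainder is any incomplete trailing
    frame (or cut-off length header) so the caller can keep it and append the
    next TCP segment before parsing again.
    """
    frames: List[bytes] = []
    pos = 0
    while pos < len(buf):
        m = _FRAME_HDR.match(buf, pos)
        if not m:
            if buf[pos:].isdigit() and len(buf) - pos < 10:
                break  # length header cut off mid-way: wait for more data
            raise ValueError(f"no frame header at offset {pos}")
        length = int(m.group(1))
        start, end = m.end(), m.end() + length
        if end > len(buf):
            break  # partial payload: keep for the next read
        frames.append(buf[start:end])
        pos = end
    return frames, buf[pos:]


def split_fields(payload: bytes, splitter: bytes = SPLITTER) -> List[bytes]:
    """Break one payload into command and arguments using the per-build splitter."""
    return payload.split(splitter)


def encode_frame(fields: List[bytes], splitter: bytes = SPLITTER) -> bytes:
    """Build a frame the way the client does (used here only to construct traffic)."""
    payload = splitter.join(fields)
    return str(len(payload)).encode() + b"\x00" + payload


def summarize_stream(buf: bytes, splitter: bytes = SPLITTER):
    """Return [(command, [args, ...]), ...] for every complete frame in buf."""
    frames, _rest = parse_frames(buf)
    out = []
    for f in frames:
        fields = split_fields(f, splitter)
        out.append((fields[0].decode("latin-1"), fields[1:]))
    return out


# Constructed traffic (not a real capture): a registration beacon whose
# argument values are placeholders, a one-byte keepalive, then a frame cut off.
SAMPLE_STREAM = (
    encode_frame([b"ll", b"MyBot", b"VICTIM-PC", b"Admin", b"Win7 x64"])
    + encode_frame([b"P"])
    + b"42\x00partial"
)

if __name__ == "__main__":
    for cmd, args in summarize_stream(SAMPLE_STREAM):
        print(cmd, args)
    _, rest = parse_frames(SAMPLE_STREAM)
    print("buffered remainder:", rest)
```

The parser is deliberately tolerant of split TCP segments: a frame whose length header or payload has not fully arrived is returned as the remainder rather than raised, because a C2 decoder that crashes on a short read is easy to evade by fragmenting.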
Signatures

Executes dropped EXE (1 IoC)
  PID 1580  WindowsServices.exe

Modifies Windows Firewall (1 TTP)
  The dropped copy runs netsh to add itself as an allowed program (see the process tree).

Loads dropped DLL (1 IoC)
  PID 1820  27643633696fa248a0b4c71e49615434.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this "likely ransomware behaviour", but for njRAT, which ships a removable-drive spreading option, drive enumeration is the expected USB-spread reconnaissance; nothing in this report shows encryption or mass file writes.

Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Process: WindowsServices.exe (PID 1580)
  Token                        Count
  SeDebugPrivilege             1
  33                           15
  SeIncBasePriorityPrivilege   15
  The raw value 33 is a privilege LUID the sandbox did not resolve to a name; LUID 33 is SeIncreaseWorkingSetPrivilege. The alternating 33 / SeIncBasePriorityPrivilege pattern is consistent with the process repeatedly trying to raise its own priority.

Suspicious use of WriteProcessMemory (8 IoCs)
  Source PID  Source process                        Target PID  Target process       Count
  1820        27643633696fa248a0b4c71e49615434.exe  1580        WindowsServices.exe  4
  1580        WindowsServices.exe                   768         netsh.exe            4
  A burst of four writes from a parent into a child it has just created is the footprint of CreateProcess populating the new process's parameters; on its own it is not evidence of code injection.
Processes

C:\Users\Admin\AppData\Local\Temp\27643633696fa248a0b4c71e49615434.exe  (PID 1820)
  Command line: "C:\Users\Admin\AppData\Local\Temp\27643633696fa248a0b4c71e49615434.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  └─ C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe  (PID 1580)
       Command line: "C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe"
       - Executes dropped EXE
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of WriteProcessMemory
       └─ C:\Windows\SysWOW64\netsh.exe  (PID 768)
            Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE

netsh runs from SysWOW64 because the 32-bit sample spawned it on a 64-bit host. The legacy `netsh firewall` context is deprecated in favour of `netsh advfirewall` but is still accepted on Windows 7, which is why the exception succeeds.
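The netsh line above is the easiest part of this chain to detect: a binary in %TEMP% launching netsh to add itself as a firewall exception. The following Python is an added example, not sandbox output, that runs that detection over constructed process-creation events modelled on this tree (PIDs, paths and command lines copied from the report; the explorer.exe parent and the benign advfirewall event are assumed). It handles both the legacy `netsh firewall add allowedprogram` syntax used here and the modern `netsh advfirewall firewall add rule ... program=` form.

```python
"""Flag netsh firewall exceptions that point at user-writable paths or at the caller itself."""
import re
from typing import Dict, List

# Directories a legitimate service binary should not live in. The exception
# pointing here is the suspicious part, not netsh itself.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|Downloads|ProgramData|Users\\Public)\\",
    re.IGNORECASE,
)
# Legacy syntax (what this sample used) and the advfirewall equivalent.
NETSH_ADD = re.compile(
    r"(^|\\|\s)netsh(\.exe)?\s+(firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)",
    re.IGNORECASE,
)


def extract_program(cmdline: str) -> str:
    """Pull the whitelisted program path out of either netsh syntax."""
    m = re.search(r'program=(?:"([^"]+)"|(\S+))', cmdline, re.IGNORECASE)
    if m:
        return m.group(1) or m.group(2)
    m = re.search(r'allowedprogram\s+(?:"([^"]+)"|(\S+))', cmdline, re.IGNORECASE)
    if m:
        return m.group(1) or m.group(2)
    return ""


def parent_chain(pid: int, by_pid: Dict[int, dict], limit: int = 8) -> List[str]:
    """Walk ppid links upward; nearest parent first. Stops on loops or unknown PIDs."""
    chain: List[str] = []
    seen = set()
    cur = by_pid.get(pid)
    while cur and cur["ppid"] in by_pid and cur["ppid"] not in seen and len(chain) < limit:
        seen.add(cur["ppid"])
        cur = by_pid[cur["ppid"]]
        chain.append(cur["image"])
    return chain


def find_firewall_exceptions(events: List[dict]) -> List[dict]:
    """Return one finding per suspicious netsh firewall-exception command."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not NETSH_ADD.search(e["cmdline"]):
            continue
        program = extract_program(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        reasons = []
        if USER_WRITABLE.search(program):
            reasons.append("exception targets a user-writable directory")
        if parent and parent["image"].lower() == program.lower():
            reasons.append("parent process whitelisted itself")
        if parent and USER_WRITABLE.search(parent["image"]):
            reasons.append("netsh launched from a user-writable directory")
        if reasons:
            findings.append({"netsh_pid": e["pid"], "program": program,
                             "reasons": reasons, "chain": parent_chain(e["pid"], by_pid)})
    return findings


# Constructed process-creation events modelled on the tree above (not sandbox output).
SAMPLE_EVENTS = [
    {"pid": 1200, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 1820, "ppid": 1200,
     "image": r"C:\Users\Admin\AppData\Local\Temp\27643633696fa248a0b4c71e49615434.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\27643633696fa248a0b4c71e49615434.exe"'},
    {"pid": 1580, "ppid": 1820,
     "image": r"C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe"'},
    {"pid": 768, "ppid": 1580, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE'},
    # Assumed benign event: an installer whitelisting a binary under Program Files.
    {"pid": 2400, "ppid": 2300, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="Vendor App" dir=in action=allow program="C:\Program Files\Vendor\app.exe"'},
]

if __name__ == "__main__":
    for f in find_firewall_exceptions(SAMPLE_EVENTS):
        print(f"netsh PID {f['netsh_pid']} -> {f['program']}")
        print("  reasons:", "; ".join(f["reasons"]))
        print("  ancestry:", " <- ".join(f["chain"]))
```

The self-whitelisting check (parent image equals the program being allowed) is the strongest of the three signals: administrators whitelist other programs, malware whitelists itself. The benign advfirewall event is left unflagged because neither the target nor the caller sits in a user-writable location.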
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe
(the same file is listed three times in the original report, once with the path written without the drive letter)
  MD5: 27643633696fa248a0b4c71e49615434
  SHA1: 649381492b07b574498b09fb8660594c01051860
  SHA256: 8a6cb8e4c30304c28e48f7b231566f6cb6b0003f333ad391182d9e60ad822f81
  SHA512: a2d429ae10f5f1011d46f11599ee436b3497fda11910d8f10cba2508386b340da44d046925bbe419a26fe19b0bfb93eadb5f4458977f14dbd09b17f119845f5e
  All four hashes equal the submitted sample's: the first stage copies itself to %TEMP%\WindowsServices.exe rather than dropping a distinct second-stage binary, so a single hash set covers both the submission and the persisted copy.

Memory dumps
  memory/768-68-0x0000000000000000-mapping.dmp
  memory/1580-63-0x0000000000000000-mapping.dmp
  memory/1580-67-0x0000000000300000-0x0000000000301000-memory.dmp  (4KB)
  memory/1820-60-0x0000000076641000-0x0000000076643000-memory.dmp  (8KB)
  memory/1820-61-0x0000000000B40000-0x0000000000B41000-memory.dmp  (4KB)