Analysis
max time kernel: 150s
max time network: 149s
platform: windows7_x64
resource: win7v20210410
submitted: 08-05-2021 16:01

Static task: static1
Behavioral task: behavioral1
Sample: 3daf792075ad0eeacae676b0d7f80a68.exe
Resource: win7v20210410
General
Target: 3daf792075ad0eeacae676b0d7f80a68.exe
Size: 31KB
MD5: 3daf792075ad0eeacae676b0d7f80a68
SHA1: 7b2da0cac13461f09bfba7fad96253e517098ce7
SHA256: cd6e990e83a947ee95fc38e33ef891fcd2adca0c669eba160cca49895471663a
SHA512: da79cfb46e336d052353311cb0fb8a2b151c3f390dfe37dff008d6a8f3dcb09ceaa6c98a3d3c7174aefb0a900a77767c03cbc8742465b9cc75fd8e2847064bff
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: MyBot
C2: 6.tcp.ngrok.io:12336
Mutex: 442e245fdc9bd3433e2f89240f0d3737
reg_key: 442e245fdc9bd3433e2f89240f0d3737
splitter: Y262SUCZ4UJJ
Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid 1276  WindowsServices.exe

Modifies Windows Firewall (1 TTP)

Loads dropped DLL (1 IoC)
Processes:
  pid 1688  3daf792075ad0eeacae676b0d7f80a68.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (31 IoCs)
Processes (description / pid / process):
  Token: SeDebugPrivilege            1276  WindowsServices.exe
  Token: 33                          1276  WindowsServices.exe
  Token: SeIncBasePriorityPrivilege  1276  WindowsServices.exe
  The last two events alternate for the remaining entries (15 occurrences each), giving 31 entries in total, all for pid 1276.

Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description / pid / process / target process):
  PID 1688 wrote to memory of 1276  1688  3daf792075ad0eeacae676b0d7f80a68.exe  WindowsServices.exe
  PID 1276 wrote to memory of 1628  1276  WindowsServices.exe                    netsh.exe
  Each of the two events above is logged four times, giving 8 entries in total.
Processes
1. C:\Users\Admin\AppData\Local\Temp\3daf792075ad0eeacae676b0d7f80a68.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\3daf792075ad0eeacae676b0d7f80a68.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe
  MD5: 3daf792075ad0eeacae676b0d7f80a68
  SHA1: 7b2da0cac13461f09bfba7fad96253e517098ce7
  SHA256: cd6e990e83a947ee95fc38e33ef891fcd2adca0c669eba160cca49895471663a
  SHA512: da79cfb46e336d052353311cb0fb8a2b151c3f390dfe37dff008d6a8f3dcb09ceaa6c98a3d3c7174aefb0a900a77767c03cbc8742465b9cc75fd8e2847064bff
\Users\Admin\AppData\Local\Temp\WindowsServices.exe
  MD5: 3daf792075ad0eeacae676b0d7f80a68
  SHA1: 7b2da0cac13461f09bfba7fad96253e517098ce7
  SHA256: cd6e990e83a947ee95fc38e33ef891fcd2adca0c669eba160cca49895471663a
  SHA512: da79cfb46e336d052353311cb0fb8a2b151c3f390dfe37dff008d6a8f3dcb09ceaa6c98a3d3c7174aefb0a900a77767c03cbc8742465b9cc75fd8e2847064bff
memory/1276-63-0x0000000000000000-mapping.dmp
memory/1276-67-0x0000000000E00000-0x0000000000E01000-memory.dmp (Filesize: 4KB)
memory/1628-68-0x0000000000000000-mapping.dmp
memory/1688-60-0x0000000075011000-0x0000000075013000-memory.dmp (Filesize: 8KB)
memory/1688-61-0x00000000005B0000-0x00000000005B1000-memory.dmp (Filesize: 4KB)