Analysis
-
max time kernel: 146s
max time network: 166s
platform: windows10_x64
resource: win10v20210408
submitted: 13-05-2021 09:02
-
Static task: static1
Behavioral task: behavioral1
Sample: a4b89da90c002a6cb2753c9eaa2655de.exe
Resource: win7v20210410
General
-
Target
a4b89da90c002a6cb2753c9eaa2655de.exe
-
Size
31KB
-
MD5
a4b89da90c002a6cb2753c9eaa2655de
-
SHA1
11e80ffcc3bb1d9711aa46a6c0b9d21567a3e44a
-
SHA256
917ef72731455e80e3d49b198924d5810e539984bb6c6dbd238d518ed284d8c5
-
SHA512
421e0dd6660aeed60c6a5eea58bf5c4cfd6cebbdc4d9abca2d8a335bf3ba68afe7121eef45dec7a5bd46354a19cc815eb562337833e460c027c08e85887764dd
Malware Config
Extracted
njrat
0.7d
MyBot
4.tcp.ngrok.io:12601
ff9559ce9f577731b47f4f094b63f540
-
reg_key
ff9559ce9f577731b47f4f094b63f540
-
splitter
Y262SUCZ4UJJ
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
pid   process
408   WindowsServices.exe
-
Modifies Windows Firewall 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 31 IoCs
Processes:
description                        pid   process
Token: SeDebugPrivilege            408   WindowsServices.exe
Token: 33                          408   WindowsServices.exe
Token: SeIncBasePriorityPrivilege  408   WindowsServices.exe
Token: 33                          408   WindowsServices.exe
Token: SeIncBasePriorityPrivilege  408   WindowsServices.exe
Token: 33                          408   WindowsServices.exe
Token: SeIncBasePriorityPrivilege  408   WindowsServices.exe
Token: 33                          408   WindowsServices.exe
Token: SeIncBasePriorityPrivilege  408   WindowsServices.exe
Token: 33                          408   WindowsServices.exe
Token: SeIncBasePriorityPrivilege  408   WindowsServices.exe
Token: 33                          408   WindowsServices.exe
Token: SeIncBasePriorityPrivilege  408   WindowsServices.exe
Token: 33                          408   WindowsServices.exe
Token: SeIncBasePriorityPrivilege  408   WindowsServices.exe
Token: 33                          408   WindowsServices.exe
Token: SeIncBasePriorityPrivilege  408   WindowsServices.exe
Token: 33                          408   WindowsServices.exe
Token: SeIncBasePriorityPrivilege  408   WindowsServices.exe
Token: 33                          408   WindowsServices.exe
Token: SeIncBasePriorityPrivilege  408   WindowsServices.exe
Token: 33                          408   WindowsServices.exe
Token: SeIncBasePriorityPrivilege  408   WindowsServices.exe
Token: 33                          408   WindowsServices.exe
Token: SeIncBasePriorityPrivilege  408   WindowsServices.exe
Token: 33                          408   WindowsServices.exe
Token: SeIncBasePriorityPrivilege  408   WindowsServices.exe
Token: 33                          408   WindowsServices.exe
Token: SeIncBasePriorityPrivilege  408   WindowsServices.exe
Token: 33                          408   WindowsServices.exe
Token: SeIncBasePriorityPrivilege  408   WindowsServices.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description                        pid   process                                target process
PID 796 wrote to memory of 408     796   a4b89da90c002a6cb2753c9eaa2655de.exe   WindowsServices.exe
PID 796 wrote to memory of 408     796   a4b89da90c002a6cb2753c9eaa2655de.exe   WindowsServices.exe
PID 796 wrote to memory of 408     796   a4b89da90c002a6cb2753c9eaa2655de.exe   WindowsServices.exe
PID 408 wrote to memory of 2328    408   WindowsServices.exe                    netsh.exe
PID 408 wrote to memory of 2328    408   WindowsServices.exe                    netsh.exe
PID 408 wrote to memory of 2328    408   WindowsServices.exe                    netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a4b89da90c002a6cb2753c9eaa2655de.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a4b89da90c002a6cb2753c9eaa2655de.exe"
  Depth: 1
  - Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe"
  Depth: 2 (child of a4b89da90c002a6cb2753c9eaa2655de.exe)
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe
  Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE
  Depth: 3 (child of WindowsServices.exe)
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe
MD5 a4b89da90c002a6cb2753c9eaa2655de
SHA1 11e80ffcc3bb1d9711aa46a6c0b9d21567a3e44a
SHA256 917ef72731455e80e3d49b198924d5810e539984bb6c6dbd238d518ed284d8c5
SHA512 421e0dd6660aeed60c6a5eea58bf5c4cfd6cebbdc4d9abca2d8a335bf3ba68afe7121eef45dec7a5bd46354a19cc815eb562337833e460c027c08e85887764dd
-
memory/408-115-0x0000000000000000-mapping.dmp
-
memory/408-118-0x0000000000470000-0x0000000000471000-memory.dmp
Filesize 4KB
-
memory/796-114-0x0000000001260000-0x0000000001261000-memory.dmp
Filesize 4KB
-
memory/2328-119-0x0000000000000000-mapping.dmp