Analysis
- max time kernel: 147s
- max time network: 182s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 23-05-2021 11:26
- Static task: static1
- Behavioral task behavioral1: sample B7272AB1D83A3CAE498E513E0CFF087F.exe, resource win7v20210408
- Behavioral task behavioral2: sample B7272AB1D83A3CAE498E513E0CFF087F.exe, resource win10v20210410
General
- Target: B7272AB1D83A3CAE498E513E0CFF087F.exe
- Size: 56KB
- MD5: b7272ab1d83a3cae498e513e0cff087f
- SHA1: 7729415361e73ac4730f2c53e33d65ad892efde7
- SHA256: 96e438e2623b95267817cfa70cb9ebe627c4a051662b5af7162bc671ae32b8cf
- SHA512: 0f00c0bcff463324a41e462f58d6673e1db634272f967b471d355aee62e0e02c959cbfed70bbc931d3bc03ee46f303f0b50a9d68570f582d566f4fa6c81eb417
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: MyBot
- C2: ratnk.duckdns.org:1605
- Mutex: b0cb8ce9e5434c245c6380f65c492e81
- Attributes:
  - reg_key: b0cb8ce9e5434c245c6380f65c492e81
  - splitter: Y262SUCZ4UJJ
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - 500 WindowsServices.exe
  - 1628 WindowsServices.exe
- Modifies Windows Firewall (1 TTPs)
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  - 1992 B7272AB1D83A3CAE498E513E0CFF087F.exe
  - 500 WindowsServices.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\CkAxNALyWL = "C:\\Users\\Admin\\AppData\\Roaming\\ZmFSAqsNCM\\yNDFQpcPWY.exe", by B7272AB1D83A3CAE498E513E0CFF087F.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description, pid, process, target process):
  - PID 1832 set thread context of 1992: B7272AB1D83A3CAE498E513E0CFF087F.exe -> B7272AB1D83A3CAE498E513E0CFF087F.exe
  - PID 500 set thread context of 1628: WindowsServices.exe -> WindowsServices.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Processes (description, pid, process), all for PID 1628 WindowsServices.exe:
  - Token: SeDebugPrivilege (1 entry)
  - Token: 33 and Token: SeIncBasePriorityPrivilege, alternating (15 entries each)
- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes (description, pid, process, target process):
  - PID 1832 wrote to memory of 1992: B7272AB1D83A3CAE498E513E0CFF087F.exe -> B7272AB1D83A3CAE498E513E0CFF087F.exe (9 entries)
  - PID 1992 wrote to memory of 500: B7272AB1D83A3CAE498E513E0CFF087F.exe -> WindowsServices.exe (4 entries)
  - PID 500 wrote to memory of 1628: WindowsServices.exe -> WindowsServices.exe (9 entries)
  - PID 1628 wrote to memory of 1700: WindowsServices.exe -> netsh.exe (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\B7272AB1D83A3CAE498E513E0CFF087F.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\B7272AB1D83A3CAE498E513E0CFF087F.exe"
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\B7272AB1D83A3CAE498E513E0CFF087F.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\B7272AB1D83A3CAE498E513E0CFF087F.exe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe"
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\netsh.exe
               Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe
  - MD5: b7272ab1d83a3cae498e513e0cff087f
  - SHA1: 7729415361e73ac4730f2c53e33d65ad892efde7
  - SHA256: 96e438e2623b95267817cfa70cb9ebe627c4a051662b5af7162bc671ae32b8cf
  - SHA512: 0f00c0bcff463324a41e462f58d6673e1db634272f967b471d355aee62e0e02c959cbfed70bbc931d3bc03ee46f303f0b50a9d68570f582d566f4fa6c81eb417
- \Users\Admin\AppData\Local\Temp\WindowsServices.exe
  - MD5: b7272ab1d83a3cae498e513e0cff087f
  - SHA1: 7729415361e73ac4730f2c53e33d65ad892efde7
  - SHA256: 96e438e2623b95267817cfa70cb9ebe627c4a051662b5af7162bc671ae32b8cf
  - SHA512: 0f00c0bcff463324a41e462f58d6673e1db634272f967b471d355aee62e0e02c959cbfed70bbc931d3bc03ee46f303f0b50a9d68570f582d566f4fa6c81eb417
- memory/500-70-0x0000000000210000-0x0000000000211000-memory.dmp (Filesize: 4KB)
- memory/500-67-0x0000000000000000-mapping.dmp
- memory/1628-75-0x000000000040952E-mapping.dmp
- memory/1628-81-0x00000000003A0000-0x00000000003A1000-memory.dmp (Filesize: 4KB)
- memory/1700-79-0x0000000000000000-mapping.dmp
- memory/1700-80-0x00000000762C1000-0x00000000762C3000-memory.dmp (Filesize: 8KB)
- memory/1832-61-0x0000000000210000-0x0000000000213000-memory.dmp (Filesize: 12KB)
- memory/1832-59-0x0000000000E60000-0x0000000000E61000-memory.dmp (Filesize: 4KB)
- memory/1992-62-0x0000000000400000-0x000000000040E000-memory.dmp (Filesize: 56KB)
- memory/1992-63-0x000000000040952E-mapping.dmp
- memory/1992-64-0x0000000000400000-0x000000000040E000-memory.dmp (Filesize: 56KB)