Analysis

Max time kernel:  146s
Max time network: 189s
Platform:         windows7_x64
Resource:         win7v20210408
Submitted:        23-05-2021 12:02

Tasks
- Static task static1
- Behavioral task behavioral1: sample B7272AB1D83A3CAE498E513E0CFF087F.exe, resource win7v20210408
- Behavioral task behavioral2: sample B7272AB1D83A3CAE498E513E0CFF087F.exe, resource win10v20210410

The behavioural results reproduced below (PIDs, a SysWOW64 netsh path) come from the Windows 7 x64 run; no output from the win10v20210410 task appears on this page.
General

Target: B7272AB1D83A3CAE498E513E0CFF087F.exe (the file name is the sample's MD5 in upper case)
Size:   56KB
MD5:    b7272ab1d83a3cae498e513e0cff087f
SHA1:   7729415361e73ac4730f2c53e33d65ad892efde7
SHA256: 96e438e2623b95267817cfa70cb9ebe627c4a051662b5af7162bc671ae32b8cf
SHA512: 0f00c0bcff463324a41e462f58d6673e1db634272f967b471d355aee62e0e02c959cbfed70bbc931d3bc03ee46f303f0b50a9d68570f582d566f4fa6c81eb417
Malware Config

Extracted
Family:   njrat
Version:  0.7d
Botnet (campaign ID): MyBot
C2:       ratnk.duckdns.org:1605
          b0cb8ce9e5434c245c6380f65c492e81 (unlabelled in the report; the same value as reg_key below)
Attributes:
- reg_key:  b0cb8ce9e5434c245c6380f65c492e81
- splitter: Y262SUCZ4UJJ

Notes for hunting: the C2 is a DuckDNS dynamic-DNS name, so the resolved address can change between runs; pivot on the hostname and on TCP/1605 rather than on an IP. The splitter is the delimiter njRAT puts between the fields of every C2 message (stock 0.7d builds use |'|'|), so the non-default string Y262SUCZ4UJJ is a usable content match for network signatures and for locating this build's configuration in memory.
Signatures

- Executes dropped EXE (2 IoCs)
  PID 572  WindowsServices.exe
  PID 748  WindowsServices.exe

- Modifies Windows Firewall (1 TTP)

- Loads dropped DLL (2 IoCs)
  PID 1780 B7272AB1D83A3CAE498E513E0CFF087F.exe
  PID 572  WindowsServices.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: B7272AB1D83A3CAE498E513E0CFF087F.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\CkAxNALyWL = "C:\\Users\\Admin\\AppData\\Roaming\\ZmFSAqsNCM\\yNDFQpcPWY.exe"
  The value is written by the first-level process (the one that later hollows its child), and its target path under AppData\Roaming appears nowhere else in this report: it is neither listed among dropped files nor seen in the process tree. The njRAT config's reg_key (b0cb8ce9e5434c245c6380f65c492e81) does not appear among the registry IoCs recorded here.

- Suspicious use of SetThreadContext (2 IoCs)
  PID 1576 (B7272AB1D83A3CAE498E513E0CFF087F.exe) set thread context of PID 1780 (B7272AB1D83A3CAE498E513E0CFF087F.exe)
  PID 572  (WindowsServices.exe)                  set thread context of PID 748  (WindowsServices.exe)
  In both cases the source first writes into a child running its own image and then sets that child's thread context, consistent with process hollowing (a suspended copy of the parent whose mapped image is replaced before the thread resumes). Both hollowed children, 1780 and 748, show the same mapping entry 0x40952E in the memory dumps below.

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic description for any drive enumeration. Nothing else in the report (no file writes beyond the self-copy) points to encryption; drive enumeration is routine for njRAT's file-manager functionality.

- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  PID 748 WindowsServices.exe: SeDebugPrivilege once, followed by 15 alternating requests for privilege LUID 33 (SeIncreaseWorkingSetPrivilege) and SeIncBasePriorityPrivilege.

- Suspicious use of WriteProcessMemory (26 IoCs)
  PID 1576 -> PID 1780  B7272AB1D83A3CAE498E513E0CFF087F.exe -> B7272AB1D83A3CAE498E513E0CFF087F.exe   9 writes
  PID 1780 -> PID 572   B7272AB1D83A3CAE498E513E0CFF087F.exe -> WindowsServices.exe                     4 writes
  PID 572  -> PID 748   WindowsServices.exe -> WindowsServices.exe                                      9 writes
  PID 748  -> PID 956   WindowsServices.exe -> netsh.exe                                                4 writes
  The two 4-write groups accompany ordinary child creation and have no SetThreadContext counterpart; the two 9-write groups are the ones paired with SetThreadContext above.
Processes
(PIDs are taken from the Signatures IoCs; indentation shows parent/child)

1. C:\Users\Admin\AppData\Local\Temp\B7272AB1D83A3CAE498E513E0CFF087F.exe  (PID 1576)
   command line: "C:\Users\Admin\AppData\Local\Temp\B7272AB1D83A3CAE498E513E0CFF087F.exe"
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\B7272AB1D83A3CAE498E513E0CFF087F.exe  (PID 1780, hollowed child of 1576)
      command line: "C:\Users\Admin\AppData\Local\Temp\B7272AB1D83A3CAE498E513E0CFF087F.exe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe  (PID 572)
         command line: "C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe"
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe  (PID 748, hollowed child of 572)
            command line: "C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\netsh.exe  (PID 956)
               command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE

netsh is loaded from SysWOW64 on a windows7_x64 host, so its parent (PID 748) is a 32-bit process. The command uses the deprecated "netsh firewall" context (still accepted on Windows 7 with a deprecation notice); detections for this step should also cover the "netsh advfirewall firewall add rule ... program=" form.
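The chain above (self-hollowing, a self-copy to %TEMP%, a RunOnce value pointing into AppData, and a netsh exception for the %TEMP% binary) is detectable from ordinary process, registry and file telemetry. The script below is an added example and is not part of the sandbox report: its records are constructed from the report's own Signatures and Processes lines, and the record layout (a pid-to-tuple dictionary, tuple lists for injections and registry writes) is an assumption rather than any EDR product's schema. Each check is a function returning its hits so the same logic can be pointed at real telemetry.

```python
"""Host-side triage checks for the behaviour chain recorded in this report.

Added example, not part of the sandbox report. The records below are
constructed from the report's own Signatures and Processes lines; the
record layout and field names are an assumption, not any EDR's schema.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\B7272AB1D83A3CAE498E513E0CFF087F.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe"
NETSH = r"C:\Windows\SysWOW64\netsh.exe"
SAMPLE_SHA256 = "96e438e2623b95267817cfa70cb9ebe627c4a051662b5af7162bc671ae32b8cf"

# pid -> (parent pid, image path, command line), from the process tree
PROCESSES = {
    1576: (None, SAMPLE, f'"{SAMPLE}"'),
    1780: (1576, SAMPLE, f'"{SAMPLE}"'),
    572: (1780, DROPPED, f'"{DROPPED}"'),
    748: (572, DROPPED, f'"{DROPPED}"'),
    956: (748, NETSH,
          f'netsh firewall add allowedprogram "{DROPPED}" "WindowsServices.exe" ENABLE'),
}
# (source pid, target pid) from the SetThreadContext IoCs
THREAD_CONTEXT = [(1576, 1780), (572, 748)]
# (pid, key path, string data) from the "Adds Run key" IoC
REGISTRY_WRITES = [
    (1576,
     r"\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000"
     r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\CkAxNALyWL",
     r"C:\Users\Admin\AppData\Roaming\ZmFSAqsNCM\yNDFQpcPWY.exe"),
]
# (path, sha256) from the Downloads section
DROPPED_FILES = [(DROPPED, SAMPLE_SHA256)]

# paths a non-admin user can write to: per-user AppData and any Temp directory
USER_WRITABLE = re.compile(r"(?i)\\users\\[^\\]+\\appdata\\|\\temp\\")
# a value directly under ...\CurrentVersion\Run or ...\CurrentVersion\RunOnce
AUTORUN_KEY = re.compile(r"(?i)\\currentversion\\run(once)?\\[^\\]+$")
# legacy 'netsh firewall add allowedprogram <path>' and the advfirewall
# 'firewall add rule ... program=<path>' forms; the path may be quoted or bare
NETSH_ALLOW = re.compile(
    r'(?i)\bfirewall\s+add\s+(?:allowedprogram\s+|rule\b.*?\bprogram=)(?:"([^"]+)"|(\S+))')


def lineage(pid, processes=PROCESSES):
    """Return the ancestry of pid as [root, ..., pid] by following parent links."""
    chain = []
    while pid is not None:
        chain.append(pid)
        pid = processes[pid][0]
    return chain[::-1]


def autorun_into_user_dirs(writes=REGISTRY_WRITES):
    """Run/RunOnce values whose target binary lives under AppData or a Temp dir."""
    return [(pid, key.rsplit("\\", 1)[1], data)
            for pid, key, data in writes
            if AUTORUN_KEY.search(key) and USER_WRITABLE.search(data)]


def self_hollowing(ctx=THREAD_CONTEXT, processes=PROCESSES):
    """SetThreadContext from a parent into its own child running the same image.

    Together with WriteProcessMemory into that child (as in the report) this is
    the process-hollowing pattern: the child starts as a suspended copy of the
    parent and its mapped image is replaced before the thread is resumed."""
    hits = []
    for src, dst in ctx:
        dst_ppid, dst_image, _ = processes[dst]
        if dst_ppid == src and processes[src][1].lower() == dst_image.lower():
            hits.append((src, dst, dst_image))
    return hits


def firewall_exceptions(processes=PROCESSES):
    """netsh invocations that whitelist a program located in a user-writable path."""
    hits = []
    for pid, (ppid, image, cmdline) in processes.items():
        if not image.lower().endswith("\\netsh.exe"):
            continue
        m = NETSH_ALLOW.search(cmdline)
        if m:
            path = m.group(1) or m.group(2)
            if USER_WRITABLE.search(path):
                hits.append((pid, ppid, path))
    return hits


def self_copies(dropped=DROPPED_FILES, sample_sha256=SAMPLE_SHA256):
    """'Dropped' files that are byte-identical to the submitted sample."""
    return [path for path, digest in dropped if digest.lower() == sample_sha256.lower()]


if __name__ == "__main__":
    print("chain to netsh:", " -> ".join(map(str, lineage(956))))
    print("autorun       :", autorun_into_user_dirs())
    print("hollowing     :", self_hollowing())
    print("fw exceptions :", firewall_exceptions())
    print("self copies   :", self_copies())
```

Run against the report's records, the five checks reproduce its findings: a five-deep chain ending in netsh, one RunOnce value into AppData\Roaming, two same-image SetThreadContext pairs (1576 into 1780, 572 into 748), one firewall exception for a %TEMP% binary, and one dropped file whose SHA256 equals the sample's. The firewall check also matches the advfirewall syntax, which this sample does not use, so it covers the same TTP on hosts where the legacy context is unavailable.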
Network
(no network entries are recorded on this page; the only network indicator is the C2 from the extracted config, ratnk.duckdns.org:1605)

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

- C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe
  (the report lists this file five times, twice with the drive letter omitted; every entry carries the same digests)
  MD5:    b7272ab1d83a3cae498e513e0cff087f
  SHA1:   7729415361e73ac4730f2c53e33d65ad892efde7
  SHA256: 96e438e2623b95267817cfa70cb9ebe627c4a051662b5af7162bc671ae32b8cf
  SHA512: 0f00c0bcff463324a41e462f58d6673e1db634272f967b471d355aee62e0e02c959cbfed70bbc931d3bc03ee46f303f0b50a9d68570f582d566f4fa6c81eb417
  All four digests equal those of the submitted sample: WindowsServices.exe is a byte-identical copy of B7272AB1D83A3CAE498E513E0CFF087F.exe written to %TEMP%, not a distinct second-stage payload. Any hash-based match on the sample therefore also covers the dropped copy.
Memory dumps

- memory/572-70   0x0000000000340000-0x0000000000341000  memory.dmp   4KB
- memory/572-67   0x0000000000000000                      mapping.dmp
- memory/748-75   0x000000000040952E                      mapping.dmp
- memory/748-81   0x0000000004D10000-0x0000000004D11000  memory.dmp   4KB
- memory/956-79   0x0000000000000000                      mapping.dmp
- memory/956-80   0x0000000075211000-0x0000000075213000  memory.dmp   8KB
- memory/1576-61  0x0000000000490000-0x0000000000493000  memory.dmp  12KB
- memory/1576-59  0x00000000009C0000-0x00000000009C1000  memory.dmp   4KB
- memory/1780-63  0x000000000040952E                      mapping.dmp
- memory/1780-62  0x0000000000400000-0x000000000040E000  memory.dmp  56KB
- memory/1780-64  0x0000000000400000-0x000000000040E000  memory.dmp  56KB

The two 56KB dumps of PID 1780 cover 0x400000-0x40E000, the default 32-bit image base, and match the sample's size. The same mapping address 0x40952E is recorded for both hollowed children (1780 and 748), consistent with the same image being injected into each.