Analysis
-
max time kernel
150s
-
max time network
154s
-
platform
windows10_x64
-
resource
win10v20210408
-
submitted
16-06-2021 07:12
Static task
static1
Behavioral task
behavioral1
Sample
0c9e45bf4ffe549dddd3c0735fee3bfee13bb8fa795ac3831ea7cf657dd19dd0.exe
Resource
win7v20210410
General
-
Target
0c9e45bf4ffe549dddd3c0735fee3bfee13bb8fa795ac3831ea7cf657dd19dd0.exe
-
Size
2.8MB
-
MD5
1aed5d95ffc86126b79a9fe69f3f8af4
-
SHA1
de35454b27c455326a5b4974830d32f70058a839
-
SHA256
0c9e45bf4ffe549dddd3c0735fee3bfee13bb8fa795ac3831ea7cf657dd19dd0
-
SHA512
33274d75ae2b56cd403fddf5007a2df2d29f0dd93e043b43bcd292ca370c0b05544dc1c8033279c769fa48fcc8631261cfc5da6f3bc9250dc6b1eea7ddfc2522
Malware Config
Extracted
njrat
Carbonblack2102
batvoi
1368.vnh.wtf:5552
0de45b5c6627a3e65a4b2a1e68ec841b
-
reg_key
0de45b5c6627a3e65a4b2a1e68ec841b
-
splitter
|'|'|
Signatures
-
Taurus Stealer Payload 3 IoCs
resource | yara_rule
behavioral2/memory/1820-149-0x0000000000400000-0x0000000000437000-memory.dmp | family_taurus_stealer
behavioral2/memory/1820-150-0x000000000041CEE8-mapping.dmp | family_taurus_stealer
behavioral2/memory/1820-151-0x0000000000400000-0x0000000000437000-memory.dmp | family_taurus_stealer
-
Executes dropped EXE 4 IoCs
pid | process
3676 | MRGO.EXE
3600 | WMI PERFORMANCE REVERSE ADAPTER.EXE
2468 | WMI PERFORMANCE REVERSE ADPIRE.EXE
2208 | WMI Performance Reverse Adapters.exe
-
Modifies Windows Firewall 1 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | MRGO.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | MRGO.EXE
-
Drops startup file 2 IoCs
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0de45b5c6627a3e65a4b2a1e68ec841b.exe | WMI Performance Reverse Adapters.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0de45b5c6627a3e65a4b2a1e68ec841b.exe | WMI Performance Reverse Adapters.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\0de45b5c6627a3e65a4b2a1e68ec841b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WMI Performance Reverse Adapters.exe\" .." | WMI Performance Reverse Adapters.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0de45b5c6627a3e65a4b2a1e68ec841b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WMI Performance Reverse Adapters.exe\" .." | WMI Performance Reverse Adapters.exe
-
Suspicious use of SetThreadContext 1 IoCs
description | pid process | target process
PID 2468 set thread context of 1820 | 2468 WMI PERFORMANCE REVERSE ADPIRE.EXE | mscorsvw.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 34 IoCs
description | pid process
Token: SeDebugPrivilege | 2468 WMI PERFORMANCE REVERSE ADPIRE.EXE
Token: SeDebugPrivilege | 2208 WMI Performance Reverse Adapters.exe
Token: 33 | 2208 WMI Performance Reverse Adapters.exe
Token: SeIncBasePriorityPrivilege | 2208 WMI Performance Reverse Adapters.exe
(the last two rows alternate for the remaining 32 of the 34 entries, all from PID 2208 WMI Performance Reverse Adapters.exe)
-
Suspicious use of WriteProcessMemory 23 IoCs
description | pid process | target process | entries
PID 852 wrote to memory of 3676 | 852 0c9e45bf4ffe549dddd3c0735fee3bfee13bb8fa795ac3831ea7cf657dd19dd0.exe | MRGO.EXE | 2
PID 852 wrote to memory of 3600 | 852 0c9e45bf4ffe549dddd3c0735fee3bfee13bb8fa795ac3831ea7cf657dd19dd0.exe | WMI PERFORMANCE REVERSE ADAPTER.EXE | 3
PID 852 wrote to memory of 2468 | 852 0c9e45bf4ffe549dddd3c0735fee3bfee13bb8fa795ac3831ea7cf657dd19dd0.exe | WMI PERFORMANCE REVERSE ADPIRE.EXE | 3
PID 3600 wrote to memory of 2208 | 3600 WMI PERFORMANCE REVERSE ADAPTER.EXE | WMI Performance Reverse Adapters.exe | 3
PID 2208 wrote to memory of 3280 | 2208 WMI Performance Reverse Adapters.exe | netsh.exe | 3
PID 2468 wrote to memory of 1820 | 2468 WMI PERFORMANCE REVERSE ADPIRE.EXE | mscorsvw.exe | 9
Processes
-
(indentation shows process depth; each entry lists the image path, the command line, the signatures it triggered, and its PID)
C:\Users\Admin\AppData\Local\Temp\0c9e45bf4ffe549dddd3c0735fee3bfee13bb8fa795ac3831ea7cf657dd19dd0.exe
"C:\Users\Admin\AppData\Local\Temp\0c9e45bf4ffe549dddd3c0735fee3bfee13bb8fa795ac3831ea7cf657dd19dd0.exe"
- Suspicious use of WriteProcessMemory
PID:852
-
  C:\Users\Admin\AppData\Local\Temp\MRGO.EXE
  "C:\Users\Admin\AppData\Local\Temp\MRGO.EXE"
  - Executes dropped EXE
  - Checks BIOS information in registry
  PID:3676
  -
  C:\Users\Admin\AppData\Local\Temp\WMI PERFORMANCE REVERSE ADAPTER.EXE
  "C:\Users\Admin\AppData\Local\Temp\WMI PERFORMANCE REVERSE ADAPTER.EXE"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3600
  -
    C:\Users\Admin\AppData\Local\Temp\WMI Performance Reverse Adapters.exe
    "C:\Users\Admin\AppData\Local\Temp\WMI Performance Reverse Adapters.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2208
    -
      C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\WMI Performance Reverse Adapters.exe" "WMI Performance Reverse Adapters.exe" ENABLE
      PID:3280
  -
  C:\Users\Admin\AppData\Local\Temp\WMI PERFORMANCE REVERSE ADPIRE.EXE
  "C:\Users\Admin\AppData\Local\Temp\WMI PERFORMANCE REVERSE ADPIRE.EXE"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2468
  -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"
    PID:1820
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5
9a6a87cffd1c2f6c4f7f86ccc23b8c79
SHA1
7daccbbc9c9165451fd3d5d4edd2c58db1cf26f2
SHA256
3bc300c1fbad940dcefdca5f8cb0907656a7615de8517421b12def81c20fab39
SHA512
a4cf85fcb827422d21ee33e8de8b5be348b7aaa1cb43c930b1dc0de61acd18201fd0e805a541af22be3e09076c98a46d86c81fd01d34b2c3fe5d4bc2cb4419b7
-
MD5
870a6f849d1e8f3297d3d947de1d3dda
SHA1
2f618fdf99aa8b94c7ef34fe93f73fce8afeaf97
SHA256
b94a72f37633262bc036a0ff29cdd2ec4f6f26ea3dee357ef727defeffcea39b
SHA512
f3cbf80e3b5200bc926b098840230189c15dcd7cd81792fa3461de5c999f83f352a5529db3c3fc045e43110c9e35d8676bdb3343597663f17dfd840e503adad7
-
MD5
5375abc86290f5c3ffa86d4129e4bd27
SHA1
a1a3b2165549bd4c34985d3a230f8304202926ab
SHA256
c499e93433a8ff462799108ac5462ce05fa93bf716f3723fbccb7ff13dbebb9f
SHA512
f951acf23e5576fae983fd805a32eebea95966c74ffffd99bbd6de17d2e5db0db9b282c242d00e5515b4d67d885f09c749fae09aece26275f17f0d20670b6709