Analysis
- max time kernel: 156s
- max time network: 139s
- platform: windows7_x64
- resource: win7-en
- submitted: 06-09-2021 06:47
Behavioral task: behavioral1
- Sample: 2fbd4c61e4613e425bb8dd46736f0bb521a237f6491610c5a39287818f88e41d.exe
- Resource: win7-en
Behavioral task: behavioral2
- Sample: 2fbd4c61e4613e425bb8dd46736f0bb521a237f6491610c5a39287818f88e41d.exe
- Resource: win10-en
General
- Target: 2fbd4c61e4613e425bb8dd46736f0bb521a237f6491610c5a39287818f88e41d.exe
- Size: 31KB
- MD5: dca3d389c748b3179e27046a701b16da
- SHA1: b1f1c573150587c88056b9419f5c0b68d8b0cc87
- SHA256: 2fbd4c61e4613e425bb8dd46736f0bb521a237f6491610c5a39287818f88e41d
- SHA512: adfda3804e8ac6f4763319c0e60fd225b83403607852b8fd67ad0efad85242a57cd6ac7d316eabd54d1ffe77d81bb9939e0fd00a7ca820c056a640980fb74c79
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: My_Bot
- C2: 127.0.0.1:6522
- Mutex: eff3440316873cdbbc13673c2756d635
- reg_key: eff3440316873cdbbc13673c2756d635
- splitter: Y262SUCZ4UJJ
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  1776 WindowsServices.exe
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Processes (description / ioc / process):
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eff3440316873cdbbc13673c2756d635.exe (WindowsServices.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eff3440316873cdbbc13673c2756d635.exe (WindowsServices.exe)
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
  2024 2fbd4c61e4613e425bb8dd46736f0bb521a237f6491610c5a39287818f88e41d.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
  Set value (str): \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run\eff3440316873cdbbc13673c2756d635 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WindowsServices.exe\" .." (WindowsServices.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\eff3440316873cdbbc13673c2756d635 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WindowsServices.exe\" .." (WindowsServices.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Processes (description / pid / process):
  Token: SeDebugPrivilege 1776 WindowsServices.exe
  Token: 33 1776 WindowsServices.exe
  Token: SeIncBasePriorityPrivilege 1776 WindowsServices.exe
  (the last two entries alternate 15 times in total, giving the 31 IoCs)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description / pid / process / target process):
  PID 2024 wrote to memory of 1776: 2fbd4c61e4613e425bb8dd46736f0bb521a237f6491610c5a39287818f88e41d.exe -> WindowsServices.exe (4 times)
  PID 1776 wrote to memory of 524: WindowsServices.exe -> netsh.exe (4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\2fbd4c61e4613e425bb8dd46736f0bb521a237f6491610c5a39287818f88e41d.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2fbd4c61e4613e425bb8dd46736f0bb521a237f6491610c5a39287818f88e41d.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe (depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe"
  - Executes dropped EXE
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\netsh.exe (depth 3)
  Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe
  MD5: dca3d389c748b3179e27046a701b16da
  SHA1: b1f1c573150587c88056b9419f5c0b68d8b0cc87
  SHA256: 2fbd4c61e4613e425bb8dd46736f0bb521a237f6491610c5a39287818f88e41d
  SHA512: adfda3804e8ac6f4763319c0e60fd225b83403607852b8fd67ad0efad85242a57cd6ac7d316eabd54d1ffe77d81bb9939e0fd00a7ca820c056a640980fb74c79
- memory/524-61-0x0000000000000000-mapping.dmp
- memory/1776-56-0x0000000000000000-mapping.dmp
- memory/1776-60-0x0000000000C10000-0x0000000000C11000-memory.dmp (filesize 4KB)
- memory/2024-53-0x00000000764D1000-0x00000000764D3000-memory.dmp (filesize 8KB)
- memory/2024-54-0x00000000021C0000-0x00000000021C1000-memory.dmp (filesize 4KB)