Analysis
- max time kernel: 151s
- max time network: 159s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 06-09-2021 06:46
Behavioral task: behavioral1
- Sample: f123f3e05c72e402350046fd0f67e3820726b2cfa3f786dd38f6cac9c5841204.exe
- Resource: win7-en
Behavioral task: behavioral2
- Sample: f123f3e05c72e402350046fd0f67e3820726b2cfa3f786dd38f6cac9c5841204.exe
- Resource: win10v20210408
General
- Target: f123f3e05c72e402350046fd0f67e3820726b2cfa3f786dd38f6cac9c5841204.exe
- Size: 37KB
- MD5: dcf9cc3c393993cf2d0b1d3b9e20b294
- SHA1: 6e2a4e39c7ddfb02a54c91a7c20f7c42ed99dd23
- SHA256: f123f3e05c72e402350046fd0f67e3820726b2cfa3f786dd38f6cac9c5841204
- SHA512: fb728fb9cccae33b23ce5d3c9370d5e8af1968e920b3433b70498e47f20487960ef76e8a40aac52709b14d691e5aa3bbb4aa8d647df1af2986e065ad94cb7a73
Malware Config
Extracted: njrat
- im523
- Neonyng
- 185.204.1.237:8503
- edf318264ac7ee8c6a8db0b60a665c11
- reg_key: edf318264ac7ee8c6a8db0b60a665c11
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes: wmn.exe
  pid | process
  2308 | wmn.exe
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Processes: wmn.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edf318264ac7ee8c6a8db0b60a665c11.exe | wmn.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edf318264ac7ee8c6a8db0b60a665c11.exe | wmn.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: wmn.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\edf318264ac7ee8c6a8db0b60a665c11 = "\"C:\\Windows\\wmn.exe\" .." | wmn.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\edf318264ac7ee8c6a8db0b60a665c11 = "\"C:\\Windows\\wmn.exe\" .." | wmn.exe
- Drops file in Windows directory (3 IoCs)
  Processes: f123f3e05c72e402350046fd0f67e3820726b2cfa3f786dd38f6cac9c5841204.exe, wmn.exe
  description | ioc | process
  File created | C:\Windows\wmn.exe | f123f3e05c72e402350046fd0f67e3820726b2cfa3f786dd38f6cac9c5841204.exe
  File opened for modification | C:\Windows\wmn.exe | f123f3e05c72e402350046fd0f67e3820726b2cfa3f786dd38f6cac9c5841204.exe
  File opened for modification | C:\Windows\wmn.exe | wmn.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes: wmn.exe
  description | pid | process
  Token: SeDebugPrivilege | 2308 | wmn.exe
  Token: 33 | 2308 | wmn.exe
  Token: SeIncBasePriorityPrivilege | 2308 | wmn.exe
  (the last two entries alternate for the remaining 32 IoCs, all from pid 2308 wmn.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: f123f3e05c72e402350046fd0f67e3820726b2cfa3f786dd38f6cac9c5841204.exe, wmn.exe
  description | pid | process | target process
  PID 784 wrote to memory of 2308 | 784 | f123f3e05c72e402350046fd0f67e3820726b2cfa3f786dd38f6cac9c5841204.exe | wmn.exe (3 entries)
  PID 2308 wrote to memory of 3940 | 2308 | wmn.exe | netsh.exe (3 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\f123f3e05c72e402350046fd0f67e3820726b2cfa3f786dd38f6cac9c5841204.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f123f3e05c72e402350046fd0f67e3820726b2cfa3f786dd38f6cac9c5841204.exe"
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\wmn.exe (child of 1)
      Command line: "C:\Windows\wmn.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (child of 2)
         Command line: netsh firewall add allowedprogram "C:\Windows\wmn.exe" "wmn.exe" ENABLE
Downloads
- C:\Windows\wmn.exe
  MD5: dcf9cc3c393993cf2d0b1d3b9e20b294
  SHA1: 6e2a4e39c7ddfb02a54c91a7c20f7c42ed99dd23
  SHA256: f123f3e05c72e402350046fd0f67e3820726b2cfa3f786dd38f6cac9c5841204
  SHA512: fb728fb9cccae33b23ce5d3c9370d5e8af1968e920b3433b70498e47f20487960ef76e8a40aac52709b14d691e5aa3bbb4aa8d647df1af2986e065ad94cb7a73
- memory/784-114-0x0000000002740000-0x0000000002741000-memory.dmp (Filesize 4KB)
- memory/2308-115-0x0000000000000000-mapping.dmp
- memory/2308-118-0x00000000025D0000-0x00000000025D1000-memory.dmp (Filesize 4KB)
- memory/3940-119-0x0000000000000000-mapping.dmp