Analysis
- max time kernel: 153s
- max time network: 151s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 11-09-2021 17:04

Static task: static1
Behavioral task: behavioral1
- Sample: DE3D6958F101E3B252F18168F240480D.exe
- Resource: win7v20210408
General
- Target: DE3D6958F101E3B252F18168F240480D.exe
- Size: 819KB
- MD5: de3d6958f101e3b252f18168f240480d
- SHA1: 4a2ff6b9018df0b31db61ce4f5a6d844c05dc3ce
- SHA256: 1e73294675f42df94d101ece8c550fcfa2746ae6f8bf3261e16d315c5d8de832
- SHA512: ca26091630e7509e79b386cbc1024446d51bc1ff0763b14aa1e8d03b0ec815d2484beccc905d1694db87a5b1dc8a8e95971c25dd5cd51abe9cbd000aea13f1f7
Malware Config
Extracted
- Family: njrat
- Version: 0.7NC
- Campaign (botnet) ID: NYAN CAT
- C2: alice2019.myftp.biz:5552
- Mutex: 28ac71370f2e4 (the page shows this value without a label; njRAT uses one identifier both as its mutex name and as its registry value name, which is why it equals reg_key below)
- reg_key: 28ac71370f2e4
- splitter: @!#&^%$

Note that the only Run value recorded in this run is "WindowsUpdate", set by the loader stage xwobhs.pif (see Signatures); no Run value named 28ac71370f2e4 appears in the report. A hunt built from this page should therefore cover both the loader's persistence and the extracted reg_key, and the C2 hostname is a dynamic-DNS name that may resolve differently over time.
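For a network decoder or a C2 emulator, the extracted splitter and C2 are more useful as parsing logic than as strings to grep for. The block below is an added example written for this page, not code from the sandbox report or from njRAT itself: it frames and unframes njRAT-style messages (ASCII decimal length, a NUL byte, then the payload) and splits each payload on the configured splitter. The splitter, C2, campaign and reg_key come from the report; the field order of the registration message and the sample beacon are assumptions, marked as such in the comments.

```python
import base64

# Values taken from the configuration extracted on this page.
SPLITTER = "@!#&^%$"
C2_HOST, C2_PORT = "alice2019.myftp.biz", 5552
CAMPAIGN = "NYAN CAT"
REG_KEY = "28ac71370f2e4"


def frame(payload: bytes) -> bytes:
    """njRAT framing: ASCII decimal length, one NUL byte, then the payload."""
    return str(len(payload)).encode() + b"\x00" + payload


def unframe(buf: bytes):
    """Split a TCP byte stream into complete payloads.

    Returns (payloads, remainder). The remainder is an incomplete trailing
    message that needs more data; a non-numeric or oversized length prefix
    raises ValueError instead of being trusted.
    """
    payloads = []
    while buf:
        nul = buf.find(b"\x00")
        if nul < 0:
            break                                   # prefix not complete yet
        prefix = buf[:nul]
        if not prefix.isdigit() or len(prefix) > 9:
            raise ValueError(f"bad length prefix {prefix!r}")
        start, end = nul + 1, nul + 1 + int(prefix)
        if len(buf) < end:
            break                                   # payload not complete yet
        payloads.append(buf[start:end])
        buf = buf[end:]
    return payloads, buf


def parse_message(payload: bytes) -> dict:
    """Split a payload on the configured splitter and decode the victim id.

    The field order (command, base64 victim id, hostname, user name, ...)
    follows the commonly documented njRAT 0.7 "ll" registration message and
    is an assumption for this variant; the report itself only gives the
    splitter, C2, campaign and reg_key.
    """
    fields = payload.decode("utf-8", "replace").split(SPLITTER)
    msg = {"command": fields[0], "fields": fields[1:], "victim_id": None}
    if msg["command"] == "ll" and msg["fields"]:
        try:
            msg["victim_id"] = base64.b64decode(msg["fields"][0]).decode("utf-8", "replace")
        except ValueError:
            pass                                    # not valid base64; leave None
    return msg


def decode_stream(buf: bytes):
    """Decode every complete message in buf; return (messages, leftover bytes)."""
    payloads, rest = unframe(buf)
    return [parse_message(p) for p in payloads], rest


# Constructed sample: a registration beacon as this sample might send it to
# alice2019.myftp.biz:5552, followed by the first bytes of a second message.
# Every field value here is invented for illustration.
SAMPLE_FIELDS = [
    "ll",
    base64.b64encode(f"{CAMPAIGN}_{REG_KEY}".encode()).decode(),
    "WIN7-PC", "Admin", "21-09-11", "", "Win 7 Professional SP1 x64", "No",
    "0.7NC", "..", base64.b64encode(b"Program Manager").decode(), "",
]
SAMPLE_STREAM = frame(SPLITTER.join(SAMPLE_FIELDS).encode()) + b"12\x00inf"

if __name__ == "__main__":
    messages, rest = decode_stream(SAMPLE_STREAM)
    for m in messages:
        print(m["command"], m["victim_id"], m["fields"][1:3])
    print("waiting for more data:", rest)
```

The length prefix is attacker-controlled input, so `unframe` refuses prefixes that are not pure digits or are implausibly long rather than allocating whatever size the peer claims; the partial second message shows how a decoder keeps unconsumed bytes for the next read instead of dropping them.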
Signatures

Executes dropped EXE (2 IoCs)
- PID 1428 xwobhs.pif
- PID 1052 RegSvcs.exe

Loads dropped DLL (5 IoCs)
- PID 784 DE3D6958F101E3B252F18168F240480D.exe (4 loads)
- PID 1428 xwobhs.pif (1 load)

Adds Run key to start application (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (process: xwobhs.pif)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\52830064\\xwobhs.pif c:\\52830064\\AQKWBT~1.IKB" (process: xwobhs.pif)
  The value name imitates a Windows component while the data launches a .pif from an all-digit directory at the drive root, passing the dropped script file in 8.3 short-name form (AQKWBT~1.IKB is aqkwbthvr.ikb from the process tree). The Wow6432Node path is the result of a 32-bit process writing HKLM\...\Run on the x64 sandbox; when hunting, check both the native and the redirected 32-bit Run keys.

Suspicious use of SetThreadContext (1 IoC)
- PID 1428 xwobhs.pif set thread context of PID 1052 RegSvcs.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is "likely ransomware behaviour"; given that an njRAT configuration was extracted from this sample, drive enumeration is at least as consistent with that family's documented spreading via removable media, and no file-encryption activity is recorded anywhere in this run.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 1428 xwobhs.pif (60 events)
- PID 1052 RegSvcs.exe (4 events)

Suspicious use of AdjustPrivilegeToken (27 IoCs)
- PID 1052 RegSvcs.exe: Token SeDebugPrivilege once, followed by 13 alternating pairs of Token 33 and Token SeIncBasePriorityPrivilege. The sandbox prints 33 as a raw privilege LUID; it corresponds to SeIncWorkingSetPrivilege.

Suspicious use of WriteProcessMemory (13 IoCs)
- PID 784 DE3D6958F101E3B252F18168F240480D.exe wrote to memory of PID 1428 xwobhs.pif (4 events)
- PID 1428 xwobhs.pif wrote to memory of PID 1052 RegSvcs.exe (9 events)
  Taken together with the SetThreadContext call from 1428 on 1052 and the mapping dump at 0x3E676E inside the 0x3E0000-0x8F4000 region of PID 1052 (see Downloads), the writes into RegSvcs.exe are consistent with process hollowing: a payload written into a freshly created host process whose thread context is then redirected to the written code. The privilege adjustments and process enumeration are recorded against RegSvcs.exe only after that point.
Processes
- C:\Users\Admin\AppData\Local\Temp\DE3D6958F101E3B252F18168F240480D.exe (PID 784, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DE3D6958F101E3B252F18168F240480D.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\52830064\xwobhs.pif (PID 1428, depth 2, child of 784)
    Command line: "C:\52830064\xwobhs.pif" aqkwbthvr.ikb
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe (PID 1052, depth 3, child of 1428)
      Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
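The three behaviours the sandbox flagged for this chain (a Run value pointing at a .pif, WriteProcessMemory into a child, then SetThreadContext on that same child) translate directly into host detection logic. The block below is an added example written for this page, not part of the report or of any product: it scores Run values with the traits seen in the WindowsUpdate entry and correlates memory writes with a thread-context change on the same (writer, target) pair. The PIDs, image paths and Run value are the ones recorded above; the event dictionary shape and the benign VendorTool entry are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed telemetry modelled on the signature tables of this report. PIDs,
# images and the WindowsUpdate value are as recorded by the sandbox; the
# dictionary shape and the VendorTool entry are assumptions for this example.
EVENTS = [
    {"type": "reg_set", "pid": 1428, "image": "C:\\52830064\\xwobhs.pif",
     "key": "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
     "name": "WindowsUpdate",
     "data": "c:\\52830064\\xwobhs.pif c:\\52830064\\AQKWBT~1.IKB"},
    {"type": "reg_set", "pid": 900, "image": "C:\\Program Files\\Vendor\\Tool.exe",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "name": "VendorTool", "data": "\"C:\\Program Files\\Vendor\\Tool.exe\" /tray"},
    {"type": "write_process_memory", "pid": 784,
     "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\DE3D6958F101E3B252F18168F240480D.exe",
     "target": 1428, "target_image": "C:\\52830064\\xwobhs.pif"},
    {"type": "write_process_memory", "pid": 1428, "image": "C:\\52830064\\xwobhs.pif",
     "target": 1052, "target_image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\RegSvcs.exe"},
    {"type": "write_process_memory", "pid": 1428, "image": "C:\\52830064\\xwobhs.pif",
     "target": 1052, "target_image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\RegSvcs.exe"},
    {"type": "set_thread_context", "pid": 1428, "image": "C:\\52830064\\xwobhs.pif",
     "target": 1052, "target_image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\RegSvcs.exe"},
]

TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
LOOKALIKE_NAMES = {"windowsupdate", "windows update", "svchost", "explorer", "defender"}


def image_from_command(data: str) -> str:
    """Return the executable path from Run value data, quoted or bare.

    Bare paths are cut at the first space, which is right for the short paths
    malware tends to use but would truncate an unquoted path containing spaces.
    """
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""


def suspicious_run_value(name: str, data: str) -> list:
    """Reasons a Run value looks suspicious; an empty list means nothing fired."""
    image = image_from_command(data).lower()
    trusted = image.startswith(TRUSTED_DIRS)
    reasons = []
    if image.endswith((".pif", ".scr", ".com")):
        reasons.append("autostart image uses a legacy executable extension (.pif/.scr/.com)")
    if re.match(r"^[a-z]:\\\d+\\", image):
        reasons.append("image lives in an all-digit directory at the drive root")
    if not trusted:
        reasons.append("image is outside Windows/Program Files")
    if name.lower() in LOOKALIKE_NAMES and not trusted:
        reasons.append("value name imitates a Windows component")
    if "~" in data:
        reasons.append("8.3 short name in command line (weak, supporting indicator)")
    return reasons


def find_hollowing(events: list) -> list:
    """Pair WriteProcessMemory with a later SetThreadContext on the same
    (writer, target) pair, as the sandbox recorded for 1428 -> 1052.
    Writes without a context change (784 -> 1428 here) are not reported."""
    writes = defaultdict(int)
    hits = []
    for e in events:                            # events are in time order
        pair = (e.get("pid"), e.get("target"))
        if e["type"] == "write_process_memory":
            writes[pair] += 1
        elif e["type"] == "set_thread_context" and writes[pair]:
            hits.append({"injector": e["pid"], "injector_image": e["image"],
                         "target": e["target"], "target_image": e["target_image"],
                         "prior_writes": writes[pair]})
    return hits


def scan(events: list) -> dict:
    """Run both checks over the telemetry and return only what fired."""
    persistence = [(e["pid"], e["name"], suspicious_run_value(e["name"], e["data"]))
                   for e in events if e["type"] == "reg_set"]
    return {"persistence": [p for p in persistence if p[2]],
            "hollowing": find_hollowing(events)}


if __name__ == "__main__":
    findings = scan(EVENTS)
    for pid, name, reasons in findings["persistence"]:
        print(f"Run value {name!r} set by PID {pid}: " + "; ".join(reasons))
    for h in findings["hollowing"]:
        print(f"PID {h['injector']} wrote {h['prior_writes']}x into PID {h['target']} "
              f"({h['target_image']}) and then set its thread context")
```

Correlating on the (writer, target) pair rather than alerting on either API alone is what keeps the 784 -> 1428 writes out of the result: the sandbox saw those too, but without a SetThreadContext on 1428 they are not hollowing evidence on their own.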
Downloads
- C:\52830064\aqkwbthvr.ikb
  MD5: 1f4c7f94e81f5676cac726fa32a4267b
  SHA1: 916104ff346ab10620f0926c241cf248d4b25b90
  SHA256: cc535eaa9283d61eda11015e006ae054ccd331a70ad96baeccad61f22efa624b
  SHA512: 006f7ae411969c304b492e733cfcee22de4aca0d07873a95cbb0195f3d322697acd20e3c4c53e67f2db8388ed6b089b634e5bbdd3406619b0ec40ad77ca93841
- C:\52830064\brvhbiro.bin
  MD5: 34dc4be1960b4ac6aaff64726d0af2ec
  SHA1: 1fdf27bacfb1b6134c4c08773374485855ece15b
  SHA256: 2f2ac6f0e36134f2166e0232b64637dc7f2e33812d38e577f8c944b3f87edcda
  SHA512: 2d441101e828a9766be8df35ae923c0a16fa2b690b40bef6f0a27a22b2061bf53571aa09e35fc93af3e2e2df214f14dac7e73b14e86c59b9dfd1e0cb642e5eff
- C:\52830064\xwobhs.pif (also listed as \52830064\xwobhs.pif; the report repeats this entry five times with identical hashes)
  MD5: 957fcff5374f7a5ee128d32c976adaa5
  SHA1: 72a4cc77337d22b5c23335538c62bea7ed9cbb93
  SHA256: 699534a988a6aa7c8c5ff4eb01ac28292be257b0312e6d7351fb4cacaa4124d5
  SHA512: e9dc65fbb964cb64cfcbb1c9b5c53595b0f0304a7179710ddac5aefa2f0f40bb67271b7aeb39654254c2fe68fcd62b77a94674b8e9c3a57ad3497197ede87ca9
- C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe (also listed as \Users\Admin\AppData\Local\Temp\RegSvcs.exe; three identical entries)
  MD5: 0e06054beb13192588e745ee63a84173
  SHA1: 30b7d4d1277bafd04a83779fd566a1f834a8d113
  SHA256: c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
  SHA512: 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215
  RegSvcs.exe is a .NET Framework utility that normally resides under %WINDIR%\Microsoft.NET\Framework; a copy dropped into %TEMP% and used as the injection target is itself worth alerting on, independent of its hash.
- memory/784-60-0x0000000075AA1000-0x0000000075AA3000-memory.dmp (filesize 8KB)
- memory/1052-72-0x00000000003E676E-mapping.dmp
- memory/1052-71-0x00000000003E0000-0x00000000008F4000-memory.dmp (filesize 5.1MB)
- memory/1052-75-0x00000000003E0000-0x00000000008F4000-memory.dmp (filesize 5.1MB)
- memory/1052-77-0x0000000004EA0000-0x0000000004EA1000-memory.dmp (filesize 4KB)
- memory/1428-65-0x0000000000000000-mapping.dmp