Analysis
-
max time kernel
149s -
max time network
132s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
23-09-2021 20:47
Behavioral task
behavioral1
Sample
c1865a6ccc50d10ec91518c9861ed005.exe
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
c1865a6ccc50d10ec91518c9861ed005.exe
Resource
win10v20210408
General
-
Target
c1865a6ccc50d10ec91518c9861ed005.exe
-
Size
31KB
-
MD5
c1865a6ccc50d10ec91518c9861ed005
-
SHA1
493bf878ddc94d4a49c5d76243b083cb3d4c6a89
-
SHA256
5d4fc7275426bb63b90c5d97654e11011a513ebc66ee3af603d383e5175af38c
-
SHA512
d76af3962d5c9449e17d4663d285929afb4d9ca2da76684959d68802d53b27401992f9a26e849faa1300062d7950129608d95824d2441dc79de872399a2e137a
Malware Config
Extracted
njrat
0.7d
MyBot
178.20.44.131:6522
949d1d181b4442e0ea82dab5035cb1d3
-
reg_key
949d1d181b4442e0ea82dab5035cb1d3
-
splitter
Y262SUCZ4UJJ
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
WindowsServices.exepid process 1576 WindowsServices.exe -
Modifies Windows Firewall 1 TTPs
-
Drops startup file 2 IoCs
Processes:
WindowsServices.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\949d1d181b4442e0ea82dab5035cb1d3.exe WindowsServices.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\949d1d181b4442e0ea82dab5035cb1d3.exe WindowsServices.exe -
Loads dropped DLL 1 IoCs
Processes:
c1865a6ccc50d10ec91518c9861ed005.exepid process 1132 c1865a6ccc50d10ec91518c9861ed005.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
WindowsServices.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\949d1d181b4442e0ea82dab5035cb1d3 = "\"C:\\ProgramData\\WindowsServices.exe\" .." WindowsServices.exe Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\949d1d181b4442e0ea82dab5035cb1d3 = "\"C:\\ProgramData\\WindowsServices.exe\" .." WindowsServices.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 35 IoCs
Processes:
WindowsServices.exedescription pid process Token: SeDebugPrivilege 1576 WindowsServices.exe Token: 33 1576 WindowsServices.exe Token: SeIncBasePriorityPrivilege 1576 WindowsServices.exe Token: 33 1576 WindowsServices.exe Token: SeIncBasePriorityPrivilege 1576 WindowsServices.exe Token: 33 1576 WindowsServices.exe Token: SeIncBasePriorityPrivilege 1576 WindowsServices.exe Token: 33 1576 WindowsServices.exe Token: SeIncBasePriorityPrivilege 1576 WindowsServices.exe Token: 33 1576 WindowsServices.exe Token: SeIncBasePriorityPrivilege 1576 WindowsServices.exe Token: 33 1576 WindowsServices.exe Token: SeIncBasePriorityPrivilege 1576 WindowsServices.exe Token: 33 1576 WindowsServices.exe Token: SeIncBasePriorityPrivilege 1576 WindowsServices.exe Token: 33 1576 WindowsServices.exe Token: SeIncBasePriorityPrivilege 1576 WindowsServices.exe Token: 33 1576 WindowsServices.exe Token: SeIncBasePriorityPrivilege 1576 WindowsServices.exe Token: 33 1576 WindowsServices.exe Token: SeIncBasePriorityPrivilege 1576 WindowsServices.exe Token: 33 1576 WindowsServices.exe Token: SeIncBasePriorityPrivilege 1576 WindowsServices.exe Token: 33 1576 WindowsServices.exe Token: SeIncBasePriorityPrivilege 1576 WindowsServices.exe Token: 33 1576 WindowsServices.exe Token: SeIncBasePriorityPrivilege 1576 WindowsServices.exe Token: 33 1576 WindowsServices.exe Token: SeIncBasePriorityPrivilege 1576 WindowsServices.exe Token: 33 1576 WindowsServices.exe Token: SeIncBasePriorityPrivilege 1576 WindowsServices.exe Token: 33 1576 WindowsServices.exe Token: SeIncBasePriorityPrivilege 1576 WindowsServices.exe Token: 33 1576 WindowsServices.exe Token: SeIncBasePriorityPrivilege 1576 WindowsServices.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
c1865a6ccc50d10ec91518c9861ed005.exeWindowsServices.exedescription pid process target process PID 1132 wrote to memory of 1576 1132 c1865a6ccc50d10ec91518c9861ed005.exe WindowsServices.exe PID 1132 wrote to memory of 1576 1132 c1865a6ccc50d10ec91518c9861ed005.exe WindowsServices.exe PID 1132 wrote to memory of 1576 1132 c1865a6ccc50d10ec91518c9861ed005.exe WindowsServices.exe PID 1132 wrote to memory of 1576 1132 c1865a6ccc50d10ec91518c9861ed005.exe WindowsServices.exe PID 1576 wrote to memory of 1720 1576 WindowsServices.exe netsh.exe PID 1576 wrote to memory of 1720 1576 WindowsServices.exe netsh.exe PID 1576 wrote to memory of 1720 1576 WindowsServices.exe netsh.exe PID 1576 wrote to memory of 1720 1576 WindowsServices.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c1865a6ccc50d10ec91518c9861ed005.exe"C:\Users\Admin\AppData\Local\Temp\c1865a6ccc50d10ec91518c9861ed005.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\WindowsServices.exe"C:\ProgramData\WindowsServices.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\ProgramData\WindowsServices.exe" "WindowsServices.exe" ENABLE3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\WindowsServices.exeMD5
c1865a6ccc50d10ec91518c9861ed005
SHA1493bf878ddc94d4a49c5d76243b083cb3d4c6a89
SHA2565d4fc7275426bb63b90c5d97654e11011a513ebc66ee3af603d383e5175af38c
SHA512d76af3962d5c9449e17d4663d285929afb4d9ca2da76684959d68802d53b27401992f9a26e849faa1300062d7950129608d95824d2441dc79de872399a2e137a
-
C:\ProgramData\WindowsServices.exeMD5
c1865a6ccc50d10ec91518c9861ed005
SHA1493bf878ddc94d4a49c5d76243b083cb3d4c6a89
SHA2565d4fc7275426bb63b90c5d97654e11011a513ebc66ee3af603d383e5175af38c
SHA512d76af3962d5c9449e17d4663d285929afb4d9ca2da76684959d68802d53b27401992f9a26e849faa1300062d7950129608d95824d2441dc79de872399a2e137a
-
\ProgramData\WindowsServices.exeMD5
c1865a6ccc50d10ec91518c9861ed005
SHA1493bf878ddc94d4a49c5d76243b083cb3d4c6a89
SHA2565d4fc7275426bb63b90c5d97654e11011a513ebc66ee3af603d383e5175af38c
SHA512d76af3962d5c9449e17d4663d285929afb4d9ca2da76684959d68802d53b27401992f9a26e849faa1300062d7950129608d95824d2441dc79de872399a2e137a
-
memory/1132-53-0x0000000075951000-0x0000000075953000-memory.dmpFilesize
8KB
-
memory/1132-54-0x0000000000A20000-0x0000000000A21000-memory.dmpFilesize
4KB
-
memory/1576-56-0x0000000000000000-mapping.dmp
-
memory/1576-60-0x0000000002170000-0x0000000002171000-memory.dmpFilesize
4KB
-
memory/1576-63-0x0000000002171000-0x0000000002172000-memory.dmpFilesize
4KB
-
memory/1720-61-0x0000000000000000-mapping.dmp