Analysis
Max time kernel: 150s
Max time network: 152s
Platform: windows7_x64
Resource: win7-en-20211014
Submitted: 23-10-2021 23:36
Behavioral task: behavioral1
Sample: 58d96f9f4e0484a57bc7c0fcb05a9595.exe
Resource: win7-en-20211014
General
Target: 58d96f9f4e0484a57bc7c0fcb05a9595.exe
Size: 31KB
MD5: 58d96f9f4e0484a57bc7c0fcb05a9595
SHA1: 3a3028b6cf152f2c4d5872c0eb1948f2ddd152a1
SHA256: 46ed133f370ec9791d80415753e50a40c03c7aa69ae6b222bc2e278caef707b9
SHA512: 01429224deb24e805f29eadd2b0bc754db74dec85ba3c1627c4042ff731ec7c65608994c4831b9e6cef76f51f05cadbb910a9b2d9c459038a80b44dc6e935bb7
Malware Config
Extracted family: njrat
Version: 0.7d
Botnet: Dat
C2: 0.tcp.ngrok.io:10196
Mutex: 4b6d4526ce130b5f80f1795d2c2b3aa9
reg_key: 4b6d4526ce130b5f80f1795d2c2b3aa9
splitter: Y262SUCZ4UJJ
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) (listed twice in the report)
-
- Executes dropped EXE (1 IoC)
  Process: WindowsServices.exe (PID 1080)
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  File created by WindowsServices.exe: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4b6d4526ce130b5f80f1795d2c2b3aa9.exe
  File opened for modification by WindowsServices.exe: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4b6d4526ce130b5f80f1795d2c2b3aa9.exe
- Loads dropped DLL (1 IoC)
  Process: 58d96f9f4e0484a57bc7c0fcb05a9595.exe (PID 1900)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) by WindowsServices.exe:
    \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\4b6d4526ce130b5f80f1795d2c2b3aa9 = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsServices.exe\" .."
  Set value (str) by WindowsServices.exe:
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\4b6d4526ce130b5f80f1795d2c2b3aa9 = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsServices.exe\" .."
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  All by WindowsServices.exe (PID 1080):
  Token: SeDebugPrivilege (1 time)
  Token: 33 (15 times)
  Token: SeIncBasePriorityPrivilege (15 times)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1900 (58d96f9f4e0484a57bc7c0fcb05a9595.exe) wrote to memory of PID 1080 (WindowsServices.exe): 4 times
  PID 1080 (WindowsServices.exe) wrote to memory of PID 620 (netsh.exe): 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\58d96f9f4e0484a57bc7c0fcb05a9595.exe (depth 1, PID 1900)
  Command line: "C:\Users\Admin\AppData\Local\Temp\58d96f9f4e0484a57bc7c0fcb05a9595.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\WindowsServices.exe (depth 2, PID 1080)
    Command line: "C:\Users\Admin\AppData\Roaming\WindowsServices.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (depth 3, PID 620)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\WindowsServices.exe" "WindowsServices.exe" ENABLE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\WindowsServices.exe
  MD5: 58d96f9f4e0484a57bc7c0fcb05a9595
  SHA1: 3a3028b6cf152f2c4d5872c0eb1948f2ddd152a1
  SHA256: 46ed133f370ec9791d80415753e50a40c03c7aa69ae6b222bc2e278caef707b9
  SHA512: 01429224deb24e805f29eadd2b0bc754db74dec85ba3c1627c4042ff731ec7c65608994c4831b9e6cef76f51f05cadbb910a9b2d9c459038a80b44dc6e935bb7
- \Users\Admin\AppData\Roaming\WindowsServices.exe
  MD5: 58d96f9f4e0484a57bc7c0fcb05a9595
  SHA1: 3a3028b6cf152f2c4d5872c0eb1948f2ddd152a1
  SHA256: 46ed133f370ec9791d80415753e50a40c03c7aa69ae6b222bc2e278caef707b9
  SHA512: 01429224deb24e805f29eadd2b0bc754db74dec85ba3c1627c4042ff731ec7c65608994c4831b9e6cef76f51f05cadbb910a9b2d9c459038a80b44dc6e935bb7
- memory/620-63-0x0000000000000000-mapping.dmp
- memory/1080-58-0x0000000000000000-mapping.dmp
- memory/1080-62-0x0000000000C70000-0x0000000000C71000-memory.dmp (Filesize: 4KB)
- memory/1900-55-0x00000000757E1000-0x00000000757E3000-memory.dmp (Filesize: 8KB)
- memory/1900-56-0x0000000000980000-0x0000000000981000-memory.dmp (Filesize: 4KB)