Analysis
- max time kernel: 151s
- max time network: 163s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 23-10-2021 23:36
Behavioral task: behavioral1
- Sample: 58d96f9f4e0484a57bc7c0fcb05a9595.exe
- Resource: win7-en-20211014
General
- Target: 58d96f9f4e0484a57bc7c0fcb05a9595.exe
- Size: 31KB
- MD5: 58d96f9f4e0484a57bc7c0fcb05a9595
- SHA1: 3a3028b6cf152f2c4d5872c0eb1948f2ddd152a1
- SHA256: 46ed133f370ec9791d80415753e50a40c03c7aa69ae6b222bc2e278caef707b9
- SHA512: 01429224deb24e805f29eadd2b0bc754db74dec85ba3c1627c4042ff731ec7c65608994c4831b9e6cef76f51f05cadbb910a9b2d9c459038a80b44dc6e935bb7
Malware Config
Extracted: njrat
- Version: 0.7d
- Botnet: Dat
- C2: 0.tcp.ngrok.io:10196
- Mutex: 4b6d4526ce130b5f80f1795d2c2b3aa9
- reg_key: 4b6d4526ce130b5f80f1795d2c2b3aa9
- splitter: Y262SUCZ4UJJ
Signatures
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
Executes dropped EXE 1 IoCs
Processes (pid, process):
  3968  WindowsServices.exe
-
Modifies Windows Firewall 1 TTPs
-
Drops startup file 2 IoCs
Processes (description, ioc, process):
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4b6d4526ce130b5f80f1795d2c2b3aa9.exe  WindowsServices.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4b6d4526ce130b5f80f1795d2c2b3aa9.exe  WindowsServices.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes (description, ioc, process):
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4b6d4526ce130b5f80f1795d2c2b3aa9 = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsServices.exe\" .."  WindowsServices.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\4b6d4526ce130b5f80f1795d2c2b3aa9 = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsServices.exe\" .."  WindowsServices.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 35 IoCs
Processes (description, pid, process):
  Token: SeDebugPrivilege            3968  WindowsServices.exe
  Token: 33                          3968  WindowsServices.exe
  Token: SeIncBasePriorityPrivilege  3968  WindowsServices.exe
  (the remaining 32 entries alternate between the last two rows, all for pid 3968 WindowsServices.exe)
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes (description, pid, process, target process):
  PID 4252 wrote to memory of 3968  4252  58d96f9f4e0484a57bc7c0fcb05a9595.exe  WindowsServices.exe  (3 entries)
  PID 3968 wrote to memory of 3808  3968  WindowsServices.exe                   netsh.exe            (3 entries)
Processes
- 1. C:\Users\Admin\AppData\Local\Temp\58d96f9f4e0484a57bc7c0fcb05a9595.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\58d96f9f4e0484a57bc7c0fcb05a9595.exe"
  - Suspicious use of WriteProcessMemory
  - 2. C:\Users\Admin\AppData\Roaming\WindowsServices.exe
    Command line: "C:\Users\Admin\AppData\Roaming\WindowsServices.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - 3. C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\WindowsServices.exe" "WindowsServices.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\WindowsServices.exe
  MD5: 58d96f9f4e0484a57bc7c0fcb05a9595
  SHA1: 3a3028b6cf152f2c4d5872c0eb1948f2ddd152a1
  SHA256: 46ed133f370ec9791d80415753e50a40c03c7aa69ae6b222bc2e278caef707b9
  SHA512: 01429224deb24e805f29eadd2b0bc754db74dec85ba3c1627c4042ff731ec7c65608994c4831b9e6cef76f51f05cadbb910a9b2d9c459038a80b44dc6e935bb7
- memory/3808-120-0x0000000000000000-mapping.dmp
- memory/3968-116-0x0000000000000000-mapping.dmp
- memory/3968-119-0x0000000001390000-0x0000000001391000-memory.dmp
  Filesize: 4KB
- memory/4252-115-0x0000000000E10000-0x0000000000F5A000-memory.dmp
  Filesize: 1.3MB