Analysis
- max time kernel: 151s
- max time network: 149s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 10-01-2022 08:26
Behavioral task: behavioral1
Sample: cfca60135ace947b42f62ac66f22c512.exe
Resource: win7-en-20211208
General
- Target: cfca60135ace947b42f62ac66f22c512.exe
- Size: 31KB
- MD5: cfca60135ace947b42f62ac66f22c512
- SHA1: 89d5914fa02ed618d4eb4fe4d6a8a601b41ec42b
- SHA256: d26cea6912e11e87d9fa8782f69b01d38c4e8d40c9548341629b8281f9aa2ab0
- SHA512: 9a78a102b2c322ea92034d544357ba0abf0c281959f8af19d7c963e1056e13e10b37112bfac0f9043c631b92b65c6d9595685e7af981892f451dd55b86e257e5
Malware Config
Extracted:
- njrat
- 0.7d
- MyBot
- 0.tcp.ngrok.io:18994
- 9b8a3c55ddf9e26fc7191bb2a3876cd8
- reg_key: 9b8a3c55ddf9e26fc7191bb2a3876cd8
- splitter: Y262SUCZ4UJJ
Signatures
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
Executes dropped EXE 1 IoCs
Processes:
pid 464: svchost.exe
-
Modifies Windows Firewall 1 TTPs
-
Drops startup file 2 IoCs
Processes:
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9b8a3c55ddf9e26fc7191bb2a3876cd8.exe (by svchost.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9b8a3c55ddf9e26fc7191bb2a3876cd8.exe (by svchost.exe)
-
Loads dropped DLL 1 IoCs
Processes:
pid 980: cfca60135ace947b42f62ac66f22c512.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Set value (str): \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\9b8a3c55ddf9e26fc7191bb2a3876cd8 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." (by svchost.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\9b8a3c55ddf9e26fc7191bb2a3876cd8 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." (by svchost.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid 980: cfca60135ace947b42f62ac66f22c512.exe (the same entry is listed 64 times)
-
Suspicious use of AdjustPrivilegeToken 34 IoCs
Processes:
Token: SeDebugPrivilege, pid 980, cfca60135ace947b42f62ac66f22c512.exe
Token: SeDebugPrivilege, pid 464, svchost.exe
Token: 33, pid 464, svchost.exe (16 times)
Token: SeIncBasePriorityPrivilege, pid 464, svchost.exe (16 times)
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
PID 980 (cfca60135ace947b42f62ac66f22c512.exe) wrote to memory of PID 464 (svchost.exe), 4 times
PID 464 (svchost.exe) wrote to memory of PID 892 (netsh.exe), 4 times
Processes
-
C:\Users\Admin\AppData\Local\Temp\cfca60135ace947b42f62ac66f22c512.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\cfca60135ace947b42f62ac66f22c512.exe"
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe (depth 3)
Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5: cfca60135ace947b42f62ac66f22c512
SHA1: 89d5914fa02ed618d4eb4fe4d6a8a601b41ec42b
SHA256: d26cea6912e11e87d9fa8782f69b01d38c4e8d40c9548341629b8281f9aa2ab0
SHA512: 9a78a102b2c322ea92034d544357ba0abf0c281959f8af19d7c963e1056e13e10b37112bfac0f9043c631b92b65c6d9595685e7af981892f451dd55b86e257e5
-
\Users\Admin\AppData\Local\Temp\svchost.exe
MD5: cfca60135ace947b42f62ac66f22c512
SHA1: 89d5914fa02ed618d4eb4fe4d6a8a601b41ec42b
SHA256: d26cea6912e11e87d9fa8782f69b01d38c4e8d40c9548341629b8281f9aa2ab0
SHA512: 9a78a102b2c322ea92034d544357ba0abf0c281959f8af19d7c963e1056e13e10b37112bfac0f9043c631b92b65c6d9595685e7af981892f451dd55b86e257e5
-
memory/464-57-0x0000000000000000-mapping.dmp
-
memory/464-61-0x0000000002200000-0x0000000002201000-memory.dmp (filesize 4KB)
-
memory/892-62-0x0000000000000000-mapping.dmp
-
memory/980-54-0x00000000751B1000-0x00000000751B3000-memory.dmp (filesize 8KB)
-
memory/980-55-0x0000000002180000-0x0000000002181000-memory.dmp (filesize 4KB)