Analysis

- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 17-04-2022 11:16

- Static task: static1
- Behavioral task: behavioral1
- Sample: D0A927970E230756281222C063F1A06B4637623794A26.exe
- Resource: win7-20220414-en
General

- Target: D0A927970E230756281222C063F1A06B4637623794A26.exe
- Size: 10.5MB
- MD5: 9e63a0aa4f26539beeccb7180568fc4e
- SHA1: 649f49bfa20647858a8073a9416648b76773cfc5
- SHA256: d0a927970e230756281222c063f1a06b4637623794a26843381e4de3df3c277f
- SHA512: a3acd7ec1400ccc482239440450ef8df6719dd29ce6290b9f47764030a4e5b47ceb97ce74c71bb156409848e85ceaa38069d2d4113f4043883ae0a28053a546b
Malware Config

Extracted
- Family: njrat
- Version: 0.7d
- Botnet: SoryMan
- C2: us-west-11608.packetriot.net:22794
- 9dc6936092ebce7762ab0f2981bc4ba4
- reg_key: 9dc6936092ebce7762ab0f2981bc4ba4
- splitter: @!#&^%$
Signatures

Contains code to disable Windows Defender (4 IoCs)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes (resource, yara_rule):
- behavioral2/memory/1336-130-0x0000000000500000-0x0000000000F8E000-memory.dmp, disable_win_def
- C:\Users\Admin\AppData\Local\Temp\TiktokSpammerTool.exe, disable_win_def
- C:\Users\Admin\AppData\Local\Temp\TiktokSpammerTool.exe, disable_win_def
- behavioral2/memory/1592-137-0x0000000000470000-0x0000000000478000-memory.dmp, disable_win_def

Blocklisted process makes network request (3 IoCs)
Processes (flow, pid, process):
- flow 2, PID 4972, WScript.exe
- flow 4, PID 4972, WScript.exe
- flow 6, PID 4972, WScript.exe

Downloads MZ/PE file

Executes dropped EXE (4 IoCs)
Processes (pid, process):
- PID 1592, TiktokSpammerTool.exe
- PID 3004, WindowsFormsApp4.exe
- PID 2668, svchosted32.exe
- PID 1412, svchost.exe

Modifies Windows Firewall (1 TTPs)

Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
- Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (WScript.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (svchosted32.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (D0A927970E230756281222C063F1A06B4637623794A26.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (WindowsFormsApp4.exe)

Drops startup file (2 IoCs)
Processes (description, ioc, process):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9dc6936092ebce7762ab0f2981bc4ba4.exe (svchost.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9dc6936092ebce7762ab0f2981bc4ba4.exe (svchost.exe)

Windows security modification (1 IoCs)
Processes (description, ioc, process):
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (TiktokSpammerTool.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9dc6936092ebce7762ab0f2981bc4ba4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." (svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\9dc6936092ebce7762ab0f2981bc4ba4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." (svchost.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoCs)
Processes (description, ioc, process):
- Key created: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings (WindowsFormsApp4.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid, process):
- PID 4840, powershell.exe
- PID 4840, powershell.exe

Suspicious use of AdjustPrivilegeToken (32 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, PID 4840, powershell.exe
- Token: SeDebugPrivilege, PID 1412, svchost.exe
- Token: 33, PID 1412, svchost.exe
- Token: SeIncBasePriorityPrivilege, PID 1412, svchost.exe
(the last pair of entries, Token: 33 followed by Token: SeIncBasePriorityPrivilege for PID 1412 svchost.exe, is repeated 15 times in the report, 30 entries in total)

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (pid, process):
- PID 1336, D0A927970E230756281222C063F1A06B4637623794A26.exe
- PID 1336, D0A927970E230756281222C063F1A06B4637623794A26.exe

Suspicious use of WriteProcessMemory (19 IoCs)
Processes (description, pid, process, target process):
- PID 1336 wrote to memory of 1592: D0A927970E230756281222C063F1A06B4637623794A26.exe -> TiktokSpammerTool.exe (2 entries)
- PID 1592 wrote to memory of 4840: TiktokSpammerTool.exe -> powershell.exe (2 entries)
- PID 1336 wrote to memory of 3004: D0A927970E230756281222C063F1A06B4637623794A26.exe -> WindowsFormsApp4.exe (3 entries)
- PID 3004 wrote to memory of 4972: WindowsFormsApp4.exe -> WScript.exe (3 entries)
- PID 4972 wrote to memory of 2668: WScript.exe -> svchosted32.exe (3 entries)
- PID 2668 wrote to memory of 1412: svchosted32.exe -> svchost.exe (3 entries)
- PID 1412 wrote to memory of 4964: svchost.exe -> netsh.exe (3 entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\D0A927970E230756281222C063F1A06B4637623794A26.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\D0A927970E230756281222C063F1A06B4637623794A26.exe"
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\TiktokSpammerTool.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\TiktokSpammerTool.exe"
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of WriteProcessMemory

    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" Get-MpPreference -verbose
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  - C:\Users\Admin\AppData\Local\Temp\WindowsFormsApp4.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\WindowsFormsApp4.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TiktokSpam.js"
      - Blocklisted process makes network request
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

      - C:\Users\Admin\AppData\Local\Temp\svchosted32.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\svchosted32.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory

        - C:\Users\Admin\AppData\Local\Temp\svchost.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
          - Executes dropped EXE
          - Drops startup file
          - Adds Run key to start application
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

          - C:\Windows\SysWOW64\netsh.exe
            Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\TiktokSpam.js
- Filesize: 778B
- MD5: db484f181ba5b3d4b3ab651428501009
- SHA1: 407e2f2525f8be6da321a4f3915ab83627fc8ef5
- SHA256: 59a5f971895e0e23251c91d0d9e7830c4e0f553607c7e2b72502dc66d97bc0b7
- SHA512: 849dbc4850ec45b350171b6a9dd961b6d02bef3d9294f79b02aaea45815e5b170001a0656a43e0e12ff9b02f01f3f57f3d6f20f23218a6aa5b30e404294f9f9e

C:\Users\Admin\AppData\Local\Temp\TiktokSpammerTool.exe
- Filesize: 12KB
- MD5: 64a7e0429947daec5c28503be3d0d7ac
- SHA1: c86c62a7f49ccb499af8eebf22950fc54dcb9bdd
- SHA256: 6fc10838bdf49d8dfdd5d28e223be97e3813924d9ba116ac4c3dc40e2170e772
- SHA512: 74c432e51a513c969e1525a9eb0babb740d0b62b81f330971fb700e47c897cfa1842aa0d4fe594219ec450654300205d6ebd77678fe8ffdcac19fcb6716814a6

C:\Users\Admin\AppData\Local\Temp\WindowsFormsApp4.exe
- Filesize: 15KB
- MD5: 5046a2ac28aa9c84e62eb49c7581028e
- SHA1: f1966bab316f3c5d5675c46bd2d8fc82cb05390e
- SHA256: 77204ac3121a0bf6b0d221428e829da740bb6f63fbf4858ccadb927a16a107f2
- SHA512: 913bab9d02cf88f6b2ee451b218c90ab73d00a8f904e9b8df2430880edc2b9410f8a1f0545f1e09fbcdef74649a1b8de5eb4298796a7f520d216d2066498fa39

C:\Users\Admin\AppData\Local\Temp\svchost.exe
- Filesize: 23KB
- MD5: 418c9939f93a41b2a91402a767ddf5ca
- SHA1: 284f5611c1dc4fe764cfc16303ddea7bec8d3f56
- SHA256: fd44aa995fef8a05f659c47ffeb958ebd347b458387216263cc316fb8e05300a
- SHA512: 03b262b780dd34bb592539423bb57e5f2f7aae28a2c41fb46dda03de6357e7fd37f76fe2c87f2e08b0019dba0b70046b830908e9bc0faf398e2e8c586b06bd2c

C:\Users\Admin\AppData\Local\Temp\svchosted32.exe (same size and hashes as svchost.exe above)
- Filesize: 23KB
- MD5: 418c9939f93a41b2a91402a767ddf5ca
- SHA1: 284f5611c1dc4fe764cfc16303ddea7bec8d3f56
- SHA256: fd44aa995fef8a05f659c47ffeb958ebd347b458387216263cc316fb8e05300a
- SHA512: 03b262b780dd34bb592539423bb57e5f2f7aae28a2c41fb46dda03de6357e7fd37f76fe2c87f2e08b0019dba0b70046b830908e9bc0faf398e2e8c586b06bd2c
Memory dumps (name, Filesize):
- memory/1336-130-0x0000000000500000-0x0000000000F8E000-memory.dmp, 10.6MB
- memory/1336-133-0x0000000005920000-0x000000000592A000-memory.dmp, 40KB
- memory/1336-132-0x0000000005970000-0x0000000005A02000-memory.dmp, 584KB
- memory/1336-148-0x0000000005970000-0x0000000005F14000-memory.dmp, 5.6MB
- memory/1336-131-0x0000000005F20000-0x00000000064C4000-memory.dmp, 5.6MB
- memory/1412-156-0x0000000000000000-mapping.dmp
- memory/1412-159-0x000000006C4D0000-0x000000006CA81000-memory.dmp, 5.7MB
- memory/1592-137-0x0000000000470000-0x0000000000478000-memory.dmp, 32KB
- memory/1592-134-0x0000000000000000-mapping.dmp
- memory/1592-140-0x00007FFF9A210000-0x00007FFF9ACD1000-memory.dmp, 10.8MB
- memory/2668-155-0x000000006C4D0000-0x000000006CA81000-memory.dmp, 5.7MB
- memory/2668-152-0x0000000000000000-mapping.dmp
- memory/3004-145-0x0000000000000000-mapping.dmp
- memory/3004-149-0x0000000000CF0000-0x0000000000CFA000-memory.dmp, 40KB
- memory/4840-142-0x00007FFF9A210000-0x00007FFF9ACD1000-memory.dmp, 10.8MB
- memory/4840-141-0x000001E1632A6000-0x000001E1632A8000-memory.dmp, 8KB
- memory/4840-143-0x000001E1632A0000-0x000001E1632A2000-memory.dmp, 8KB
- memory/4840-139-0x000001E17C0F0000-0x000001E17C112000-memory.dmp, 136KB
- memory/4840-138-0x0000000000000000-mapping.dmp
- memory/4840-144-0x000001E1632A3000-0x000001E1632A5000-memory.dmp, 8KB
- memory/4964-160-0x0000000000000000-mapping.dmp
- memory/4972-150-0x0000000000000000-mapping.dmp