Analysis
- Max time kernel: 166s
- Max time network: 64s
- Platform: windows7_x64
- Resource: win7-20220414-en
- Submitted: 20-05-2022 23:16
Behavioral task: behavioral1
- Sample: af6b174b10f33702e21eb411d5fc31292efed525cd890272fc2106d369e0dbc3.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: af6b174b10f33702e21eb411d5fc31292efed525cd890272fc2106d369e0dbc3.exe
- Resource: win10v2004-20220414-en
General
- Target: af6b174b10f33702e21eb411d5fc31292efed525cd890272fc2106d369e0dbc3.exe
- Size: 31KB
- MD5: 62c337ee155d4fa14aa8167dc0bdea39
- SHA1: 78c8ef2e1d7940774d79784b3b2806f440d2a122
- SHA256: af6b174b10f33702e21eb411d5fc31292efed525cd890272fc2106d369e0dbc3
- SHA512: 57646c960ff8b3695096229438556aa0b1227d85319e940f0c6a592fa3209ffc8feaed8bad5fc44421af052e607175b16a07b1a9248f09582cb22046d9fa3afe
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: MyBot
- C2: ggwp90wp.hopto.org:80
- Mutex: b911e107642d6002d2b783984c2e57a9
- Attributes:
  - reg_key: b911e107642d6002d2b783984c2e57a9
  - splitter: Y262SUCZ4UJJ
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  - 1752 WindowsServices.exe
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b911e107642d6002d2b783984c2e57a9.exe (WindowsServices.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b911e107642d6002d2b783984c2e57a9.exe (WindowsServices.exe)
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
  - 1892 af6b174b10f33702e21eb411d5fc31292efed525cd890272fc2106d369e0dbc3.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\b911e107642d6002d2b783984c2e57a9 = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsServices.exe\" .." (WindowsServices.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\b911e107642d6002d2b783984c2e57a9 = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsServices.exe\" .." (WindowsServices.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege 1752 WindowsServices.exe
  - Token: 33 1752 WindowsServices.exe
  - Token: SeIncBasePriorityPrivilege 1752 WindowsServices.exe
  - Token: 33 1752 WindowsServices.exe
  - Token: SeIncBasePriorityPrivilege 1752 WindowsServices.exe
  - Token: 33 1752 WindowsServices.exe
  - Token: SeIncBasePriorityPrivilege 1752 WindowsServices.exe
  - Token: 33 1752 WindowsServices.exe
  - Token: SeIncBasePriorityPrivilege 1752 WindowsServices.exe
  - Token: 33 1752 WindowsServices.exe
  - Token: SeIncBasePriorityPrivilege 1752 WindowsServices.exe
  - Token: 33 1752 WindowsServices.exe
  - Token: SeIncBasePriorityPrivilege 1752 WindowsServices.exe
  - Token: 33 1752 WindowsServices.exe
  - Token: SeIncBasePriorityPrivilege 1752 WindowsServices.exe
  - Token: 33 1752 WindowsServices.exe
  - Token: SeIncBasePriorityPrivilege 1752 WindowsServices.exe
  - Token: 33 1752 WindowsServices.exe
  - Token: SeIncBasePriorityPrivilege 1752 WindowsServices.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
  - PID 1892 wrote to memory of 1752: af6b174b10f33702e21eb411d5fc31292efed525cd890272fc2106d369e0dbc3.exe -> WindowsServices.exe
  - PID 1892 wrote to memory of 1752: af6b174b10f33702e21eb411d5fc31292efed525cd890272fc2106d369e0dbc3.exe -> WindowsServices.exe
  - PID 1892 wrote to memory of 1752: af6b174b10f33702e21eb411d5fc31292efed525cd890272fc2106d369e0dbc3.exe -> WindowsServices.exe
  - PID 1892 wrote to memory of 1752: af6b174b10f33702e21eb411d5fc31292efed525cd890272fc2106d369e0dbc3.exe -> WindowsServices.exe
  - PID 1752 wrote to memory of 1060: WindowsServices.exe -> netsh.exe
  - PID 1752 wrote to memory of 1060: WindowsServices.exe -> netsh.exe
  - PID 1752 wrote to memory of 1060: WindowsServices.exe -> netsh.exe
  - PID 1752 wrote to memory of 1060: WindowsServices.exe -> netsh.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\af6b174b10f33702e21eb411d5fc31292efed525cd890272fc2106d369e0dbc3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\af6b174b10f33702e21eb411d5fc31292efed525cd890272fc2106d369e0dbc3.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\WindowsServices.exe
    Command line: "C:\Users\Admin\AppData\Roaming\WindowsServices.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\WindowsServices.exe" "WindowsServices.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\WindowsServices.exe
  - Filesize: 31KB
  - MD5: 62c337ee155d4fa14aa8167dc0bdea39
  - SHA1: 78c8ef2e1d7940774d79784b3b2806f440d2a122
  - SHA256: af6b174b10f33702e21eb411d5fc31292efed525cd890272fc2106d369e0dbc3
  - SHA512: 57646c960ff8b3695096229438556aa0b1227d85319e940f0c6a592fa3209ffc8feaed8bad5fc44421af052e607175b16a07b1a9248f09582cb22046d9fa3afe
- \Users\Admin\AppData\Roaming\WindowsServices.exe
  - Filesize: 31KB
  - MD5: 62c337ee155d4fa14aa8167dc0bdea39
  - SHA1: 78c8ef2e1d7940774d79784b3b2806f440d2a122
  - SHA256: af6b174b10f33702e21eb411d5fc31292efed525cd890272fc2106d369e0dbc3
  - SHA512: 57646c960ff8b3695096229438556aa0b1227d85319e940f0c6a592fa3209ffc8feaed8bad5fc44421af052e607175b16a07b1a9248f09582cb22046d9fa3afe
- memory/1060-62-0x0000000000000000-mapping.dmp
- memory/1752-57-0x0000000000000000-mapping.dmp
- memory/1752-61-0x0000000074F50000-0x00000000754FB000-memory.dmp
  - Filesize: 5.7MB
- memory/1892-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp
  - Filesize: 8KB
- memory/1892-55-0x0000000074F50000-0x00000000754FB000-memory.dmp
  - Filesize: 5.7MB