Analysis
- max time kernel: 158s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 23:16
Behavioral task: behavioral1
- Sample: af6b174b10f33702e21eb411d5fc31292efed525cd890272fc2106d369e0dbc3.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: af6b174b10f33702e21eb411d5fc31292efed525cd890272fc2106d369e0dbc3.exe
- Resource: win10v2004-20220414-en
General
- Target: af6b174b10f33702e21eb411d5fc31292efed525cd890272fc2106d369e0dbc3.exe
- Size: 31KB
- MD5: 62c337ee155d4fa14aa8167dc0bdea39
- SHA1: 78c8ef2e1d7940774d79784b3b2806f440d2a122
- SHA256: af6b174b10f33702e21eb411d5fc31292efed525cd890272fc2106d369e0dbc3
- SHA512: 57646c960ff8b3695096229438556aa0b1227d85319e940f0c6a592fa3209ffc8feaed8bad5fc44421af052e607175b16a07b1a9248f09582cb22046d9fa3afe
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: MyBot
- C2: ggwp90wp.hopto.org:80
- Mutex: b911e107642d6002d2b783984c2e57a9
- Attributes:
  - reg_key: b911e107642d6002d2b783984c2e57a9
  - splitter: Y262SUCZ4UJJ
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  pid 1052, process WindowsServices.exe
- Modifies Windows Firewall (1 TTP)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  af6b174b10f33702e21eb411d5fc31292efed525cd890272fc2106d369e0dbc3.exe: Key value queried, \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation
- Drops startup file (2 IoCs)
  Processes:
  WindowsServices.exe: File created, C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b911e107642d6002d2b783984c2e57a9.exe
  WindowsServices.exe: File opened for modification, C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b911e107642d6002d2b783984c2e57a9.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  WindowsServices.exe: Set value (str), \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b911e107642d6002d2b783984c2e57a9 = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsServices.exe\" .."
  WindowsServices.exe: Set value (str), \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b911e107642d6002d2b783984c2e57a9 = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsServices.exe\" .."
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (25 IoCs)
  Processes (all rows: pid 1052, WindowsServices.exe):
  Token: SeDebugPrivilege (1 occurrence)
  Token: 33 (12 occurrences)
  Token: SeIncBasePriorityPrivilege (12 occurrences)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  PID 3572 (af6b174b10f33702e21eb411d5fc31292efed525cd890272fc2106d369e0dbc3.exe) wrote to memory of 1052 (WindowsServices.exe), 3 occurrences
  PID 1052 (WindowsServices.exe) wrote to memory of 1476 (netsh.exe), 3 occurrences
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\af6b174b10f33702e21eb411d5fc31292efed525cd890272fc2106d369e0dbc3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\af6b174b10f33702e21eb411d5fc31292efed525cd890272fc2106d369e0dbc3.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\WindowsServices.exe (child of [1])
    Command line: "C:\Users\Admin\AppData\Roaming\WindowsServices.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\netsh.exe (child of [2])
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\WindowsServices.exe" "WindowsServices.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\WindowsServices.exe
  Filesize: 31KB
  MD5: 62c337ee155d4fa14aa8167dc0bdea39
  SHA1: 78c8ef2e1d7940774d79784b3b2806f440d2a122
  SHA256: af6b174b10f33702e21eb411d5fc31292efed525cd890272fc2106d369e0dbc3
  SHA512: 57646c960ff8b3695096229438556aa0b1227d85319e940f0c6a592fa3209ffc8feaed8bad5fc44421af052e607175b16a07b1a9248f09582cb22046d9fa3afe
- memory/1052-131-0x0000000000000000-mapping.dmp
- memory/1052-134-0x0000000074FF0000-0x00000000755A1000-memory.dmp
  Filesize: 5.7MB
- memory/1476-135-0x0000000000000000-mapping.dmp
- memory/3572-130-0x0000000074FF0000-0x00000000755A1000-memory.dmp
  Filesize: 5.7MB