Analysis
- max time kernel: 153s
- max time network: 157s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 23:26
Behavioral task: behavioral1
- Sample: f976b8e1ed95511151dde454210ea6167fe92cef80563ded6492235549c673cc.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: f976b8e1ed95511151dde454210ea6167fe92cef80563ded6492235549c673cc.exe
- Resource: win10v2004-20220414-en
General
- Target: f976b8e1ed95511151dde454210ea6167fe92cef80563ded6492235549c673cc.exe
- Size: 103KB
- MD5: 2ca922461db539e6a01e4c4796e3c4f5
- SHA1: 63d475e2c98eea1d5852f8c07ed6a0d92acee220
- SHA256: f976b8e1ed95511151dde454210ea6167fe92cef80563ded6492235549c673cc
- SHA512: 5e54e299687c651a3ec38425943bc6c15c9e1f679a85f5aa0e67c4ffe5b75157f8b25cb55168f7304ed787181ab93c2fa1d4f85347d96c45a124e2edc81c6e3a
Malware Config
Extracted
- Family: njrat
- Version: im523
- Botnet: Levkrasov
- C2: 185.82.217.154:9591
- Mutex: b2470da48fd8c6569c0daa61a130d205
- reg_key: b2470da48fd8c6569c0daa61a130d205
- splitter: |'|'|
The same 32-hex-character string is reused as the mutex, as the Run value name and as the file name dropped into the Startup folder (see Signatures below), which makes it the most specific host-side identifier for this build. The splitter is the delimiter the bot places between fields in its C2 messages, so it is also the best string to key network detection on.
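The C2 address and splitter above are enough to recognise this bot's traffic on the wire. The Python below is an added example written for this page, not code from the sandbox or from njRAT; it assumes the message framing that public analyses describe for njRAT 0.7d-family samples (an ASCII decimal length, a NUL byte, then the splitter-joined fields), which this report does not itself show, and the field values in the sample messages are constructed. It never contacts the C2; it only parses bytes already in hand, and it handles the case a real TCP reader hits constantly, a frame that has only partly arrived.

```python
"""Parser for njRAT-style length-prefixed, splitter-delimited frames.

Added example, not code from the sandbox report or from njRAT.
Assumptions (from public analyses of njRAT 0.7d, not from this page):
  * each message on the TCP session is '<decimal length>\\x00<payload>'
  * the payload is a list of fields joined by the configured splitter,
    which this sample's extracted config gives as |'|'|
The sample messages below are constructed for the example.
"""
from typing import List, Optional, Tuple

SPLITTER = "|'|'|"              # from the extracted config
C2 = ("185.82.217.154", 9591)   # from the extracted config; never contacted here


def frame(fields: List[str], splitter: str = SPLITTER) -> bytes:
    """Build one frame: ASCII byte length, NUL, then splitter-joined fields."""
    payload = splitter.join(fields).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_one(buf: bytes, splitter: str = SPLITTER) -> Optional[Tuple[List[str], bytes]]:
    """Parse a single frame from the start of buf.

    Returns (fields, remaining_bytes), or None when the buffer does not yet
    hold a complete frame (the caller keeps reading and retries).
    Raises ValueError when the prefix is not a decimal length.
    """
    nul = buf.find(b"\x00")
    if nul == -1:
        return None              # length prefix not complete yet
    prefix = buf[:nul]
    if not prefix.isdigit():
        raise ValueError("bad length prefix: %r" % prefix)
    length = int(prefix)
    start, end = nul + 1, nul + 1 + length
    if len(buf) < end:
        return None              # payload still in flight
    payload = buf[start:end].decode("utf-8", errors="replace")
    return payload.split(splitter), buf[end:]


def parse_stream(buf: bytes, splitter: str = SPLITTER) -> Tuple[List[List[str]], bytes]:
    """Parse every complete frame in buf; return them plus the leftover bytes."""
    frames: List[List[str]] = []
    while True:
        result = parse_one(buf, splitter)
        if result is None:
            return frames, buf
        fields, buf = result
        frames.append(fields)


def looks_like_njrat(buf: bytes, splitter: str = SPLITTER) -> bool:
    """Cheap traffic check: decimal length, NUL, and at least two splitter-separated fields."""
    try:
        result = parse_one(buf, splitter)
    except ValueError:
        return False
    return result is not None and len(result[0]) > 1


# Constructed sample: a registration-style message (first field "ll" as in
# public njRAT 0.7d analyses; the other values are made up) followed by a
# short second frame deliberately cut after three bytes, to show how a
# reassembling parser must behave on a partial read.
SAMPLE_FRAMES = [
    frame(["ll", "VICTIM-ID-CONSTRUCTED", "WIN7-PC", "Admin", "Win 7 x64", "im523"]),
    frame(["inf"]),
]
SAMPLE_STREAM = SAMPLE_FRAMES[0] + SAMPLE_FRAMES[1][:3]


if __name__ == "__main__":
    parsed, rest = parse_stream(SAMPLE_STREAM)
    print(parsed)    # one complete frame
    print(rest)      # the partial second frame, waiting for more bytes
```

Because the length prefix is byte-exact, a detector that keys only on the splitter string will fire on the payload but cannot tell where one message ends and the next begins; keeping the leftover bytes between reads, as parse_stream does, is what makes per-message logic (for example, flagging the registration message separately from later commands) reliable.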
Signatures
- Executes dropped EXE (1 IoC)
  pid 2044  WindowsServices.exe
- Modifies Windows Firewall (1 TTP)
  Corresponds to the netsh.exe call in the process tree below.
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b2470da48fd8c6569c0daa61a130d205.exe  (WindowsServices.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b2470da48fd8c6569c0daa61a130d205.exe  (WindowsServices.exe)
- Loads dropped DLL (1 IoC)
  pid 800  f976b8e1ed95511151dde454210ea6167fe92cef80563ded6492235549c673cc.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\b2470da48fd8c6569c0daa61a130d205 = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsServices.exe\" .."  (WindowsServices.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\b2470da48fd8c6569c0daa61a130d205 = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsServices.exe\" .."  (WindowsServices.exe)
  The value data is the quoted path followed by a space and two dots, the form njRAT writes for its Run entry, and it is set under both the user hive and HKLM. The HKLM write lands under Wow6432Node because the process is 32-bit and subject to WOW64 registry redirection.
- Enumerates physical storage devices (1 TTP)
  Sandbox description: attempts to interact with connected storage/optical drive(s), likely ransomware behaviour. That wording is generic to the signature; in an njRAT sample, drive enumeration is consistent with the family's removable-drive spreading option and is not by itself evidence of ransomware.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2044  WindowsServices.exe  (64 events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2044  WindowsServices.exe
  njRAT polls the foreground window title to report the victim's active window to the operator.
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  pid 2044  WindowsServices.exe: Token SeDebugPrivilege once, then Token 33 and Token SeIncBasePriorityPrivilege alternating, nine times each
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 800 wrote to memory of 2044  (f976b8e1ed95511151dde454210ea6167fe92cef80563ded6492235549c673cc.exe -> WindowsServices.exe), 4 times
  PID 2044 wrote to memory of 1940  (WindowsServices.exe -> netsh.exe), 4 times
  Both are a parent writing into a child it has just created, the pattern ordinary process start-up produces; nothing here shows injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\f976b8e1ed95511151dde454210ea6167fe92cef80563ded6492235549c673cc.exe  (pid 800)
   Command line: "C:\Users\Admin\AppData\Local\Temp\f976b8e1ed95511151dde454210ea6167fe92cef80563ded6492235549c673cc.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\WindowsServices.exe  (pid 2044, child of 1)
      Command line: "C:\Users\Admin\AppData\Roaming\WindowsServices.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe  (pid 1940, child of 2)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\WindowsServices.exe" "WindowsServices.exe" ENABLE
         This adds the copied binary to the Windows Firewall allowed-programs list under the display name WindowsServices.exe. The legacy netsh firewall context (superseded by netsh advfirewall since Windows Vista) is still accepted here, and the 32-bit netsh from SysWOW64 is used because the 32-bit parent is subject to file system redirection. A netsh firewall exception for an executable under a user's AppData is a strong detection signal on its own.
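The three host IoCs in the tree above (a Run value whose data ends in a space and two dots, a 32-hex-named copy dropped into the Startup folder, and a netsh allowedprogram call for a binary under AppData) translate directly into detection logic. The Python below is an added example for this page, not the sandbox's own signature code; it runs over constructed events whose field names mirror Sysmon EventID 1, 11 and 13 but whose contents were assembled from the paths, value names and command line in this report, and the AppData, Startup-folder and hex-name heuristics are the example's own choices rather than anything the report states.

```python
"""Detection logic for the persistence and firewall IoCs in this report.

Added example, not code from the sandbox report or any vendor product.
The events below are constructed: field names follow Sysmon EventID 1
(process create), 11 (file create) and 13 (registry value set), and the
values are built from the paths and command line shown in the report.
"""
import re
from typing import Dict, Iterable, List

RUN_KEY_RE = re.compile(
    r"\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# njRAT writes its Run value as  "<path>" ..  (quoted path, space, two dots)
NJRAT_RUN_VALUE_RE = re.compile(r'^"(?P<path>[^"]+)" \.\.$')
STARTUP_DIR_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
HEX_EXE_RE = re.compile(r"\\[0-9a-f]{32}\.exe$", re.I)
USER_WRITABLE_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.I)
NETSH_ALLOW_RE = re.compile(
    r'netsh\s+firewall\s+add\s+allowedprogram\s+"(?P<path>[^"]+)"', re.I)


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return finding strings for one event; an empty list means benign."""
    findings: List[str] = []
    eid = ev.get("EventID")
    if eid == "13" and RUN_KEY_RE.search(ev.get("TargetObject", "")):
        details = ev.get("Details", "")
        m = NJRAT_RUN_VALUE_RE.match(details)
        if m:
            # the " .." suffix is specific enough to name the family
            findings.append("njrat_run_value_marker:" + m.group("path"))
        elif USER_WRITABLE_RE.search(details):
            # weaker: any autorun pointing into a user-writable directory
            findings.append("run_key_to_user_writable_path:" + details)
    elif eid == "11":
        target = ev.get("TargetFilename", "")
        if STARTUP_DIR_RE.search(target) and HEX_EXE_RE.search(target):
            findings.append("hex_named_exe_in_startup:" + target)
    elif eid == "1":
        m = NETSH_ALLOW_RE.search(ev.get("CommandLine", ""))
        if m and USER_WRITABLE_RE.search(m.group("path")):
            findings.append("firewall_allow_user_writable_exe:" + m.group("path"))
    return findings


def scan(events: Iterable[Dict[str, str]]) -> List[str]:
    """Run check_event over a stream of events and collect all findings."""
    out: List[str] = []
    for ev in events:
        out.extend(check_event(ev))
    return out


# Constructed events modelled on the report's IoCs (not real log output).
SAMPLE_EVENTS = [
    {"EventID": "13",
     "Image": r"C:\Users\Admin\AppData\Roaming\WindowsServices.exe",
     "TargetObject": r"HKU\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\b2470da48fd8c6569c0daa61a130d205",
     "Details": r'"C:\Users\Admin\AppData\Roaming\WindowsServices.exe" ..'},
    {"EventID": "11",
     "Image": r"C:\Users\Admin\AppData\Roaming\WindowsServices.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b2470da48fd8c6569c0daa61a130d205.exe"},
    {"EventID": "1",
     "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Roaming\WindowsServices.exe",
     "CommandLine": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\WindowsServices.exe" "WindowsServices.exe" ENABLE'},
    # benign control: an updater registering itself from Program Files
    {"EventID": "13",
     "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r'"C:\Program Files\Vendor\updater.exe" /background'},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The first rule is the one to alert on by itself; the other two are deliberately generic (any 32-hex-named executable in Startup, any netsh exception for an AppData binary) and are better treated as medium-confidence signals that become high confidence when they co-occur from the same image, as they do in this report.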
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\WindowsServices.exe
  Recorded three times (twice as C:\Users\Admin\AppData\Roaming\WindowsServices.exe, once as \Users\Admin\AppData\Roaming\WindowsServices.exe); all three records carry the same hashes.
  Filesize: 103KB
  MD5: 2ca922461db539e6a01e4c4796e3c4f5
  SHA1: 63d475e2c98eea1d5852f8c07ed6a0d92acee220
  SHA256: f976b8e1ed95511151dde454210ea6167fe92cef80563ded6492235549c673cc
  SHA512: 5e54e299687c651a3ec38425943bc6c15c9e1f679a85f5aa0e67c4ffe5b75157f8b25cb55168f7304ed787181ab93c2fa1d4f85347d96c45a124e2edc81c6e3a
  These hashes are identical to the submitted sample's (see General above), so WindowsServices.exe is a byte-for-byte self-copy rather than an unpacked second stage.
- memory/800-54-0x0000000076561000-0x0000000076563000-memory.dmp, 8KB
- memory/800-55-0x0000000074BD0000-0x000000007517B000-memory.dmp, 5.7MB
- memory/1940-62-0x0000000000000000-mapping.dmp
- memory/2044-57-0x0000000000000000-mapping.dmp
- memory/2044-61-0x0000000074BD0000-0x000000007517B000-memory.dmp, 5.7MB