Analysis
- max time kernel: 165s
- max time network: 170s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 23:26
Behavioral task: behavioral1
- Sample: f976b8e1ed95511151dde454210ea6167fe92cef80563ded6492235549c673cc.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: f976b8e1ed95511151dde454210ea6167fe92cef80563ded6492235549c673cc.exe
- Resource: win10v2004-20220414-en
General
- Target: f976b8e1ed95511151dde454210ea6167fe92cef80563ded6492235549c673cc.exe
- Size: 103KB
- MD5: 2ca922461db539e6a01e4c4796e3c4f5
- SHA1: 63d475e2c98eea1d5852f8c07ed6a0d92acee220
- SHA256: f976b8e1ed95511151dde454210ea6167fe92cef80563ded6492235549c673cc
- SHA512: 5e54e299687c651a3ec38425943bc6c15c9e1f679a85f5aa0e67c4ffe5b75157f8b25cb55168f7304ed787181ab93c2fa1d4f85347d96c45a124e2edc81c6e3a
Malware Config
Extracted
- Family: njrat
- Version: im523
- Botnet: Levkrasov
- C2: 185.82.217.154:9591
- Mutex: b2470da48fd8c6569c0daa61a130d205
- reg_key: b2470da48fd8c6569c0daa61a130d205
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes: pid 4620 WindowsServices.exe
- Modifies Windows Firewall (1 TTP)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation by f976b8e1ed95511151dde454210ea6167fe92cef80563ded6492235549c673cc.exe
- Drops startup file (2 IoCs)
  Processes:
  - File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b2470da48fd8c6569c0daa61a130d205.exe by WindowsServices.exe
  - File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b2470da48fd8c6569c0daa61a130d205.exe by WindowsServices.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  - Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b2470da48fd8c6569c0daa61a130d205 = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsServices.exe\" .." by WindowsServices.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b2470da48fd8c6569c0daa61a130d205 = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsServices.exe\" .." by WindowsServices.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: pid 4620 WindowsServices.exe (64 events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: pid 4620 WindowsServices.exe
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes: pid 4620 WindowsServices.exe; Token: SeDebugPrivilege (1 event), followed by Token: 33 and Token: SeIncBasePriorityPrivilege alternating (16 events each)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  - PID 5096 wrote to memory of 4620 (f976b8e1ed95511151dde454210ea6167fe92cef80563ded6492235549c673cc.exe -> WindowsServices.exe), 3 events
  - PID 4620 wrote to memory of 2728 (WindowsServices.exe -> netsh.exe), 3 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\f976b8e1ed95511151dde454210ea6167fe92cef80563ded6492235549c673cc.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f976b8e1ed95511151dde454210ea6167fe92cef80563ded6492235549c673cc.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\WindowsServices.exe
      Command line: "C:\Users\Admin\AppData\Roaming\WindowsServices.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\WindowsServices.exe" "WindowsServices.exe" ENABLE
Downloads
- C:\Users\Admin\AppData\Roaming\WindowsServices.exe
  - Filesize: 103KB
  - MD5: 2ca922461db539e6a01e4c4796e3c4f5
  - SHA1: 63d475e2c98eea1d5852f8c07ed6a0d92acee220
  - SHA256: f976b8e1ed95511151dde454210ea6167fe92cef80563ded6492235549c673cc
  - SHA512: 5e54e299687c651a3ec38425943bc6c15c9e1f679a85f5aa0e67c4ffe5b75157f8b25cb55168f7304ed787181ab93c2fa1d4f85347d96c45a124e2edc81c6e3a
- memory/2728-135-0x0000000000000000-mapping.dmp
- memory/4620-131-0x0000000000000000-mapping.dmp
- memory/4620-134-0x0000000075540000-0x0000000075AF1000-memory.dmp
  - Filesize: 5.7MB
- memory/5096-130-0x0000000075540000-0x0000000075AF1000-memory.dmp
  - Filesize: 5.7MB