Analysis

max time kernel: 151s
max time network: 154s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21-05-2022 00:38
Static task: static1

Behavioral task: behavioral1
  Sample: c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe
  Resource: win10v2004-20220414-en
General

Target: c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe
Size: 203KB
MD5: 7f58142ad487ca166fb71be971d97bc9
SHA1: 6c1bca26d7ea9e6f2ded29d84759aade2cc844bb
SHA256: c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543
SHA512: 2848e3af53cc32f5dcdbcf9be400b9defbce9642bc60863ada3cde301edf785b0795fd50782c586314beb95cc3293b75b69f4500817de6890dcdb484fab7c621
Malware Config

Extracted
  Family: njrat
  Version: 0.7d
  Botnet: MyBot
  C2: 85.140.114.45:7777
  Mutex: 061de4c451a1c1cb6f111696c953d5d6
  reg_key: 061de4c451a1c1cb6f111696c953d5d6
  splitter: Y262SUCZ4UJJ

The 32-hex-character identifier is reused throughout the run: it is the name of the Run-key value and of the file dropped into the Startup folder (see Signatures below), so a single string search for it covers the registry and on-disk artifacts. The splitter is the field delimiter njRAT uses in its C2 messages; this build uses a custom one instead of the default, so network signatures keyed on the default delimiter will miss it.
Signatures

Executes dropped EXE (2 IoCs)
  pid   process
  928   Client.exe
  1752  WindowsServices.exe

Modifies Windows Firewall (1 TTP)
  See the netsh.exe command line in the Processes tree.
Drops startup file (2 IoCs)
  description                   ioc                                                                                                                  process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\061de4c451a1c1cb6f111696c953d5d6.exe  WindowsServices.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\061de4c451a1c1cb6f111696c953d5d6.exe  WindowsServices.exe

Loads dropped DLL (4 IoCs)
  pid   process
  1260  c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe (3 loads)
  928   Client.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                                                                                   process
  Set value (str)  \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\061de4c451a1c1cb6f111696c953d5d6 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WindowsServices.exe\" .."  WindowsServices.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\061de4c451a1c1cb6f111696c953d5d6 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WindowsServices.exe\" .."                                  WindowsServices.exe

  The second entry is the 32-bit (Wow6432Node) view of HKLM\...\Run. Writing it requires administrative rights, which the sandbox's Admin account has; on a standard-user host only the HKCU entry would be created. The trailing " .." argument in the value data is part of njRAT's standard Run-key value and is a useful detection string on its own.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this heuristic flags it as "likely ransomware behaviour", but that does not apply here: the extracted configuration identifies the sample as njRAT, a remote access trojan, and drive enumeration is consistent with its file browser and USB-spreading capabilities rather than with file encryption. No file-encryption activity appears elsewhere in this report.
Modifies registry class (10 IoCs)
  description      ioc                                                                                                                                   process
  Key created      \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\eps_auto_file                                                      rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\.eps                                                               rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\eps_auto_file\shell\Read                                           rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\eps_auto_file\shell                                                rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\eps_auto_file\shell\Read\command                                   rundll32.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\eps_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""  rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_Classes\Local Settings                                                     rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache           rundll32.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\eps_auto_file\                                                     rundll32.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\.eps\ = "eps_auto_file"                                            rundll32.exe

  These keys are written by the shell's Open With dialog (shell32.dll,OpenAs_RunDLL in the Processes tree) when the sandbox chose Adobe Reader for the dropped .eps decoy. They are a side effect of opening the lure document, not malware persistence, and should not be added to host IoC lists.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process     count
  928   Client.exe  64
Suspicious use of AdjustPrivilegeToken (18 IoCs)
  pid   process              token                                                     count
  928   Client.exe           SeDebugPrivilege                                          1
  1752  WindowsServices.exe  SeDebugPrivilege                                          1
  1752  WindowsServices.exe  33 (raw LUID, i.e. SeIncreaseWorkingSetPrivilege)         8
  1752  WindowsServices.exe  SeIncBasePriorityPrivilege                                8

  The sandbox reports the working-set privilege only by its LUID value 33; the 33/SeIncBasePriorityPrivilege pairs alternate, which is the pattern of a process repeatedly adjusting its own priority and working set.
Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   process       count
  1964  AcroRd32.exe  3
Suspicious use of WriteProcessMemory (35 IoCs)
  source pid  source process                                                         target pid  target process       writes
  1260        c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe  976         rundll32.exe         7
  1260        c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe  928         Client.exe           7
  976         rundll32.exe                                                           1964        AcroRd32.exe         7
  928         Client.exe                                                             1752        WindowsServices.exe  7
  1752        WindowsServices.exe                                                    1300        netsh.exe            7

  Each parent writes to its child seven times; this is the normal sequence of writes a parent performs when it creates a child process and is what the sandbox uses to derive the process tree below, not evidence of code injection into an unrelated process.
Processes

The tree shows a standard dropper layout. The sample writes a decoy document (an .eps whose Russian name means "Template for the PARUS flag 3600") and hands it to the shell's Open With dialog (shell32.dll,OpenAs_RunDLL), which in this sandbox resolved to Adobe Reader. In parallel it launches Client.exe, the njRAT payload, which starts a copy of itself as WindowsServices.exe (identical hashes, see Downloads); that copy installs the Run-key and Startup-folder persistence and uses netsh to add itself to the Windows Firewall's allowed-programs list.

1. C:\Users\Admin\AppData\Local\Temp\c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe (PID 1260)
   "C:\Users\Admin\AppData\Local\Temp\c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (PID 976)
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Лекало для флага ПАРУС 3600.eps
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 1964)
         "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Лекало для флага ПАРУС 3600.eps"
         - Suspicious use of SetWindowsHookEx

   2. C:\Users\Admin\AppData\Local\Temp\Client.exe (PID 928)
      "C:\Users\Admin\AppData\Local\Temp\Client.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe (PID 1752)
         "C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe"
         - Executes dropped EXE
         - Drops startup file
         - Adds Run key to start application
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\netsh.exe (PID 1300)
            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE
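The process tree above is derived from the flattened WriteProcessMemory records, and the netsh line is the single most actionable detection point in the report. The following script is an added example, not part of the sandbox report or of any sandbox vendor's code: it rebuilds the parent/child lineage from records copied from this report (embedded as constructed input), then applies a hypothetical detection rule of my own: a `netsh firewall add allowedprogram` whose target, or whose parent image, lives under `\AppData\Local\Temp\`, plus the same check for a Run-key value. Command lines are copied from the Processes tree; the TEMP-path heuristic is an assumption, not something the report states.

```python
"""Rebuild process lineage from flattened sandbox WriteProcessMemory records and
flag a firewall exception added from %TEMP%. Added example; inputs are copied
from the report above and embedded here as constructed test data."""
import re
from collections import OrderedDict

# Constructed input: records from the report's WriteProcessMemory signature.
# The sandbox logs one record per write, so pairs repeat; two repeats are kept
# to show the de-duplication.
WPM_RECORDS = """\
PID 1260 wrote to memory of 976 1260 c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe rundll32.exe
PID 1260 wrote to memory of 976 1260 c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe rundll32.exe
PID 1260 wrote to memory of 928 1260 c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe Client.exe
PID 976 wrote to memory of 1964 976 rundll32.exe AcroRd32.exe
PID 928 wrote to memory of 1752 928 Client.exe WindowsServices.exe
PID 1752 wrote to memory of 1300 1752 WindowsServices.exe netsh.exe
PID 1752 wrote to memory of 1300 1752 WindowsServices.exe netsh.exe
"""

# Constructed input: command lines from the report's Processes tree, keyed by PID.
CMDLINES = {
    1260: r'"C:\Users\Admin\AppData\Local\Temp\c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe"',
    976: r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Лекало для флага ПАРУС 3600.eps',
    1964: r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Лекало для флага ПАРУС 3600.eps"',
    928: r'"C:\Users\Admin\AppData\Local\Temp\Client.exe"',
    1752: r'"C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe"',
    1300: r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE',
}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
TEMP_DIR = "\\appdata\\local\\temp\\"  # hypothetical heuristic: user-writable temp dir


def parse_wpm(records):
    """Return {child_pid: (parent_pid, parent_image, child_image)}, first record wins."""
    edges = OrderedDict()
    for m in WPM_RE.finditer(records):
        parent, child, parent_image, child_image = m.groups()
        edges.setdefault(int(child), (int(parent), parent_image, child_image))
    return edges


def build_tree(edges):
    """Return [(depth, pid, image)] in depth-first order, roots at depth 1."""
    children, images = {}, {}
    for child, (parent, parent_image, child_image) in edges.items():
        children.setdefault(parent, []).append(child)
        images[child] = child_image
        images.setdefault(parent, parent_image)
    out = []

    def walk(pid, depth):
        out.append((depth, pid, images[pid]))
        for c in children.get(pid, []):
            walk(c, depth + 1)

    for root in [p for p in images if p not in edges]:
        walk(root, 1)
    return out


def ancestry(edges, pid):
    """PIDs from the root down to pid."""
    chain = [pid]
    while chain[0] in edges:
        chain.insert(0, edges[chain[0]][0])
    return chain


def image_path(cmdline):
    """First token of a command line, quotes stripped."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]


def in_temp(path):
    return TEMP_DIR in path.lower()


def detect_firewall_exception(edges, cmdlines):
    """Flag 'netsh firewall add allowedprogram' whose target or parent image is in %TEMP%."""
    findings = []
    for pid, cmd in cmdlines.items():
        low = cmd.lower()
        if "netsh" not in low or "add allowedprogram" not in low:
            continue
        m = re.search(r'allowedprogram\s+"([^"]+)"', cmd, re.I)
        target = m.group(1) if m else ""
        parent_cmd = cmdlines.get(edges[pid][0], "") if pid in edges else ""
        if in_temp(target) or in_temp(image_path(parent_cmd)):
            findings.append({"pid": pid, "target": target, "chain": ancestry(edges, pid)})
    return findings


def run_key_points_to_temp(value_data):
    """Same heuristic applied to Run-key value data such as the one WindowsServices.exe sets."""
    return in_temp(image_path(value_data))


if __name__ == "__main__":
    edges = parse_wpm(WPM_RECORDS)
    for depth, pid, image in build_tree(edges):
        print("  " * (depth - 1) + f"{pid} {image}")
    for f in detect_firewall_exception(edges, CMDLINES):
        print("ALERT: firewall exception for", f["target"], "via", " -> ".join(map(str, f["chain"])))
```

Run stand-alone it prints the same six-process tree the report shows and one alert whose chain is 1260 -> 928 -> 1752 -> 1300. The lineage matters for triage: a `netsh firewall add allowedprogram` is benign from an installer, so the rule keys on the Temp-path parent rather than on netsh alone.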
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\Client.exe
  Filesize: 31KB
  MD5: 3822f9a5bcd0c2e95cd043de39854a90
  SHA1: e5e90f53baf50001f8ca0442f0773b10a90ec809
  SHA256: b8d04fc3c0b254c89e1c0c7465d38ea5a6eac3ed6b20c1e8a7217da2f2d545cc
  SHA512: f5804b6b1ddd4bd2dd2255f683fbca9ef56244728120d9977ca1ab15674c59fa03e04852bb05c50b9df1dfa2454fac22fd4f52bec6f752431305c429dc54d01e

C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe
  Filesize: 31KB
  MD5: 3822f9a5bcd0c2e95cd043de39854a90
  SHA1: e5e90f53baf50001f8ca0442f0773b10a90ec809
  SHA256: b8d04fc3c0b254c89e1c0c7465d38ea5a6eac3ed6b20c1e8a7217da2f2d545cc
  SHA512: f5804b6b1ddd4bd2dd2255f683fbca9ef56244728120d9977ca1ab15674c59fa03e04852bb05c50b9df1dfa2454fac22fd4f52bec6f752431305c429dc54d01e

C:\Users\Admin\AppData\Local\Temp\Лекало для флага ПАРУС 3600.eps (Russian: "Template for the PARUS flag 3600"; the decoy document)
  Filesize: 1.0MB
  MD5: d9d1b1ca63cf488280e2bce1832e7d42
  SHA1: 897c40f394599cd7c06ab95e8db5fada18badc7a
  SHA256: 6aaeb09b3aadb5597f5b1b9e1cb845244d51345324c8ef2ddbe64e909a3d9209
  SHA512: 0a73a15c0e670b382b8485b9b6afd8db78bb04b3e9f1dfb203437fec35db24334452b73b19f19b02587da6e2e9b956a190746280429d634882927d9540383d21

Client.exe and WindowsServices.exe are byte-identical (same MD5, SHA1, SHA256 and SHA512): WindowsServices.exe is njRAT's self-copy, so one file hash covers both the initial payload and the persisted copy. The report lists each of these two files several times, both under the paths above and under the drive-less form \Users\Admin\AppData\Local\Temp\...; those entries are duplicates with identical hashes and are consolidated here.
Memory dumps

memory/928-64-0x0000000074090000-0x000000007463B000-memory.dmp   Filesize: 5.7MB
memory/928-60-0x0000000000000000-mapping.dmp
memory/976-55-0x0000000000000000-mapping.dmp
memory/1260-54-0x0000000075CE1000-0x0000000075CE3000-memory.dmp  Filesize: 8KB
memory/1300-74-0x0000000000000000-mapping.dmp
memory/1752-69-0x0000000000000000-mapping.dmp
memory/1752-73-0x0000000074090000-0x000000007463B000-memory.dmp  Filesize: 5.7MB
memory/1964-65-0x0000000000000000-mapping.dmp

The same 5.7MB region (0x74090000-0x7463B000) is dumped from both Client.exe (PID 928) and WindowsServices.exe (PID 1752), as expected for two instances of the same binary.