Analysis
max time kernel: 145s
max time network: 153s
platform: windows7_x64
resource: win7-20220414-en
submitted: 24-05-2022 15:30
Behavioral task: behavioral1
Sample: b05ad7a7bdeb9f4217dcf68f73817db032d55b9884f2ba69f40967af0abe218f.exe
Resource: win7-20220414-en
General
Target: b05ad7a7bdeb9f4217dcf68f73817db032d55b9884f2ba69f40967af0abe218f.exe
Size: 31KB
MD5: 1ff8cbbd10873bd03aa7a2a8972536de
SHA1: 64bb92321f86dae87d5cd4a3deb667a0eb5b5bdd
SHA256: b05ad7a7bdeb9f4217dcf68f73817db032d55b9884f2ba69f40967af0abe218f
SHA512: 04226169bd38741c440a4956b2d3c740da06811d5aada571defec3c0cbed759ef78fce394506eaeb523014cf6ddc1672a943ee72f6c988de9c4556d30e7c373b
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet/campaign ID: hacker
C2: gugu.zapto.org:6522 (zapto.org is a No-IP dynamic DNS domain, so the resolved address can change; pivot on the hostname rather than an IP)
Mutex: 673a2b1b4c3514163eac4c9951b69533
reg_key: 673a2b1b4c3514163eac4c9951b69533
splitter: Y262SUCZ4UJJ
The splitter is not njRAT's default |'|'| field delimiter. Network or memory signatures that key on the default string will not match this build; derive the delimiter from the extracted config instead.
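The following is an added example, not part of the original report and not njRAT's own code. It shows why the extracted splitter matters for detection: a check keyed on the default |'|'| delimiter never fires on this build, while a parser that takes the splitter, botnet ID and version from the config above does. The framing (decimal body length, a NUL byte, then the UTF-8 body) is my reading of njRAT 0.7d's send routine and should be treated as an assumption; the check-in message, its field order and the HWID are constructed for the example, not captured traffic.

```python
import re

# Values taken from the extracted config above.
SPLITTER = "Y262SUCZ4UJJ"
BOTNET_ID = "hacker"
C2_HOST, C2_PORT = "gugu.zapto.org", 6522

# njRAT's default field delimiter; many public IDS/YARA rules key on it.
DEFAULT_SPLITTER = "|'|'|"
DEFAULT_SPLITTER_RE = re.compile(re.escape(DEFAULT_SPLITTER).encode())


def frame(body: str) -> bytes:
    """Wrap one message as njRAT 0.7d does (assumption, see lead-in):
    decimal byte length, a NUL, then the UTF-8 body."""
    data = body.encode("utf-8")
    return str(len(data)).encode() + b"\x00" + data


def unframe(stream: bytes):
    """Split a TCP byte stream into complete message bodies.
    Returns (messages, leftover) so a partial trailing frame is kept for later."""
    msgs, pos = [], 0
    while True:
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break
        header = stream[pos:nul]
        if not header.isdigit():
            raise ValueError(f"bad length header at offset {pos}: {header!r}")
        start, end = nul + 1, nul + 1 + int(header)
        if end > len(stream):
            break  # incomplete frame; wait for more bytes
        msgs.append(stream[start:end].decode("utf-8", "replace"))
        pos = end
    return msgs, stream[pos:]


def is_checkin_for_this_build(msg: str) -> bool:
    """True if msg is an 'll' check-in from a bot built with this config:
    command 'll', victim id prefixed with the botnet id, version 0.7d present."""
    fields = msg.split(SPLITTER)
    return (len(fields) >= 3 and fields[0] == "ll"
            and fields[1].startswith(BOTNET_ID + "_") and "0.7d" in fields)


def default_signature_matches(stream: bytes) -> bool:
    """What a rule keyed on the default |'|'| delimiter sees."""
    return DEFAULT_SPLITTER_RE.search(stream) is not None


def config_signature_matches(stream: bytes) -> bool:
    """Splitter-aware check derived from the extracted config."""
    msgs, _ = unframe(stream)
    return any(is_checkin_for_this_build(m) for m in msgs)


# Constructed sample (not captured traffic): an 'll' check-in from this build,
# followed by a second short constructed message. Field order is illustrative;
# the HWID and host details are made up.
CHECKIN_FIELDS = ["ll", "hacker_7A3F0C1B", "ADMIN-PC", "Admin", "22-05-24", "",
                  "Win 7 Ultimate SP1 x86", "No", "0.7d", "..", "Program Manager", ""]
THIS_BUILD_STREAM = frame(SPLITTER.join(CHECKIN_FIELDS)) + frame(SPLITTER.join(["x", ".."]))
# The same check-in as a default-splitter build would send it, for comparison.
DEFAULT_BUILD_STREAM = frame(DEFAULT_SPLITTER.join(CHECKIN_FIELDS))

if __name__ == "__main__":
    for name, s in (("this build", THIS_BUILD_STREAM), ("default build", DEFAULT_BUILD_STREAM)):
        print(name, "| default-splitter rule:", default_signature_matches(s),
              "| config-derived rule:", config_signature_matches(s))
```

The length-prefixed parser is the part worth reusing: because the body length is declared up front, the splitter only has to be searched inside a complete message, and a frame cut by a packet boundary is returned as leftover instead of being misparsed.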
Signatures
- Executes dropped EXE (1 IoC)
  Process: WindowsServices.exe (PID 1492)
- Modifies Windows Firewall (1 TTP)
  netsh.exe (PID 1936) adds a firewall exception for C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe; the full command line is in the process tree.
- Loads dropped DLL (1 IoC)
  Process: b05ad7a7bdeb9f4217dcf68f73817db032d55b9884f2ba69f40967af0abe218f.exe (PID 532)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this "likely ransomware behaviour"; nothing else in this report (no file encryption, no ransom note) supports that reading, and for njRAT drive enumeration is consistent with its removable-drive spreading feature.
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Process: WindowsServices.exe (PID 1492)
  SeDebugPrivilege: 1
  Privilege LUID 33 (SeIncreaseWorkingSetPrivilege): 9
  SeIncBasePriorityPrivilege: 9
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 532 (b05ad7a7bdeb9f4217dcf68f73817db032d55b9884f2ba69f40967af0abe218f.exe) wrote to memory of PID 1492 (WindowsServices.exe): 4
  PID 1492 (WindowsServices.exe) wrote to memory of PID 1936 (netsh.exe): 4
  Four writes into each freshly created child is the pattern of ordinary process creation (the parent populating the child's process parameters), not code injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\b05ad7a7bdeb9f4217dcf68f73817db032d55b9884f2ba69f40967af0abe218f.exe (PID 532)
   Command line: "C:\Users\Admin\AppData\Local\Temp\b05ad7a7bdeb9f4217dcf68f73817db032d55b9884f2ba69f40967af0abe218f.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe (PID 1492)
      Command line: "C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (PID 1936)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE
The netsh call uses the legacy "netsh firewall" context (superseded by "netsh advfirewall" but still functional on Windows 7), and runs from SysWOW64 because the 32-bit parent is subject to file system redirection. The exception is granted to a binary in the user's Temp directory, which is the behaviour worth alerting on.
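As an added example (not part of the sandbox report), the two host-side behaviours visible in the tree above turned into detection logic over process-creation telemetry: a netsh firewall exception whose program path lies in a user-writable directory, and a parent launching a renamed copy of itself (the dropped WindowsServices.exe carries the same SHA256 as the submitted sample). The events are constructed to mirror this report's process tree plus one benign control; the netsh hash and the control's values are placeholders, not data from the page. The parser handles both the legacy "netsh firewall add allowedprogram" form seen here and the "netsh advfirewall firewall add rule ... program=" form.

```python
import re

# Directories an unprivileged user can write to; a firewall exception for a
# program living here is suspicious regardless of the program's name.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\(?:appdata|downloads)\\|users\\public\\|"
    r"programdata\\|windows\\temp\\)", re.I)

SAMPLE_SHA256 = "b05ad7a7bdeb9f4217dcf68f73817db032d55b9884f2ba69f40967af0abe218f"

# Constructed process-creation events (Sysmon event 1 style), mirroring the
# process tree in this report. The netsh hash and the last event are placeholders.
EVENTS = [
    {"pid": 532, "ppid": 400,
     "image": r"C:\Users\Admin\AppData\Local\Temp\b05ad7a7bdeb9f4217dcf68f73817db032d55b9884f2ba69f40967af0abe218f.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\b05ad7a7bdeb9f4217dcf68f73817db032d55b9884f2ba69f40967af0abe218f.exe"',
     "sha256": SAMPLE_SHA256},
    {"pid": 1492, "ppid": 532,
     "image": r"C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe"',
     "sha256": SAMPLE_SHA256},
    {"pid": 1936, "ppid": 1492,
     "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmd": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE',
     "sha256": "placeholder-not-in-report"},
    # Benign control: an installer whitelisting a program under Program Files.
    {"pid": 2200, "ppid": 2100,
     "image": r"C:\Windows\System32\netsh.exe",
     "cmd": r'netsh advfirewall firewall add rule name="Foo" dir=in action=allow program="C:\Program Files\Foo\foo.exe" enable=yes',
     "sha256": "placeholder-not-in-report"},
]


def tokens(cmd: str):
    """Split a Windows command line on whitespace, keeping quoted spans
    (including key="value with spaces") together, then drop the quotes."""
    return [t.replace('"', "") for t in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmd)]


def firewall_exception_target(cmd: str):
    """Return the program path a netsh command whitelists, or None."""
    t = tokens(cmd)
    low = [x.lower() for x in t]
    # Legacy context: netsh firewall add allowedprogram [program=]<path> <name> ENABLE
    for i in range(len(low) - 3):
        if low[i:i + 3] == ["firewall", "add", "allowedprogram"]:
            path = t[i + 3]
            return path[len("program="):] if path.lower().startswith("program=") else path
    # Current context: netsh advfirewall firewall add rule ... program=<path>
    if "advfirewall" in low and "add" in low and "rule" in low:
        for x in t:
            if x.lower().startswith("program="):
                return x[len("program="):]
    return None


def detect(events):
    """Return (pid, rule, detail) findings for the two behaviours in this report."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        target = firewall_exception_target(e["cmd"])
        if target and USER_WRITABLE.match(target):
            findings.append((e["pid"], "firewall_exception_for_user_writable_path", target))
        parent = by_pid.get(e["ppid"])
        if (parent and parent["sha256"] == e["sha256"]
                and parent["image"].lower() != e["image"].lower()):
            findings.append((e["pid"], "parent_launched_renamed_copy_of_itself", e["image"]))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in detect(EVENTS):
        print(f"PID {pid}: {rule} -> {detail}")
```

The self-copy rule needs the image hash of both parent and child, which Sysmon provides in the Hashes field; without it, fall back to comparing file sizes and names, which is weaker. The firewall rule deliberately ignores the rule name ("WindowsServices.exe" here) because the attacker controls it.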
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe
  Filesize: 31KB
  MD5: 1ff8cbbd10873bd03aa7a2a8972536de
  SHA1: 64bb92321f86dae87d5cd4a3deb667a0eb5b5bdd
  SHA256: b05ad7a7bdeb9f4217dcf68f73817db032d55b9884f2ba69f40967af0abe218f
  SHA512: 04226169bd38741c440a4956b2d3c740da06811d5aada571defec3c0cbed759ef78fce394506eaeb523014cf6ddc1672a943ee72f6c988de9c4556d30e7c373b
  (The report lists this entry twice; the second copy is identical and is omitted here.)
- \Users\Admin\AppData\Local\Temp\WindowsServices.exe
  Filesize: 31KB
  MD5: 1ff8cbbd10873bd03aa7a2a8972536de
  SHA1: 64bb92321f86dae87d5cd4a3deb667a0eb5b5bdd
  SHA256: b05ad7a7bdeb9f4217dcf68f73817db032d55b9884f2ba69f40967af0abe218f
  SHA512: 04226169bd38741c440a4956b2d3c740da06811d5aada571defec3c0cbed759ef78fce394506eaeb523014cf6ddc1672a943ee72f6c988de9c4556d30e7c373b
All hashes match the submitted sample: WindowsServices.exe is a byte-for-byte copy of b05ad7a7bdeb9f4217dcf68f73817db032d55b9884f2ba69f40967af0abe218f.exe dropped under a new name, so one file hash covers both the original and the persisted copy.
- memory/532-54-0x0000000075701000-0x0000000075703000-memory.dmp (8KB)
- memory/532-55-0x0000000074300000-0x00000000748AB000-memory.dmp (5.7MB)
- memory/1492-57-0x0000000000000000-mapping.dmp
- memory/1492-61-0x0000000074300000-0x00000000748AB000-memory.dmp (5.7MB)
- memory/1936-62-0x0000000000000000-mapping.dmp