Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 24-05-2022 15:30
Behavioral task: behavioral1
- Sample: b05ad7a7bdeb9f4217dcf68f73817db032d55b9884f2ba69f40967af0abe218f.exe
- Resource: win7-20220414-en
General
- Target: b05ad7a7bdeb9f4217dcf68f73817db032d55b9884f2ba69f40967af0abe218f.exe
- Size: 31KB
- MD5: 1ff8cbbd10873bd03aa7a2a8972536de
- SHA1: 64bb92321f86dae87d5cd4a3deb667a0eb5b5bdd
- SHA256: b05ad7a7bdeb9f4217dcf68f73817db032d55b9884f2ba69f40967af0abe218f
- SHA512: 04226169bd38741c440a4956b2d3c740da06811d5aada571defec3c0cbed759ef78fce394506eaeb523014cf6ddc1672a943ee72f6c988de9c4556d30e7c373b
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: hacker
- C2: gugu.zapto.org:6522
- Mutex: 673a2b1b4c3514163eac4c9951b69533
- Attributes:
  - reg_key: 673a2b1b4c3514163eac4c9951b69533
  - splitter: Y262SUCZ4UJJ
Signatures
- Executes dropped EXE (1 IoC)
  Processes: WindowsServices.exe (pid 2412)
- Modifies Windows Firewall (1 TTP)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: b05ad7a7bdeb9f4217dcf68f73817db032d55b9884f2ba69f40967af0abe218f.exe
  - description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation
    process: b05ad7a7bdeb9f4217dcf68f73817db032d55b9884f2ba69f40967af0abe218f.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes: WindowsServices.exe (pid 2412)
  - Token: SeDebugPrivilege, pid 2412, WindowsServices.exe (1 entry)
  - Token: 33 and Token: SeIncBasePriorityPrivilege, alternating, pid 2412, WindowsServices.exe (the remaining 32 entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: b05ad7a7bdeb9f4217dcf68f73817db032d55b9884f2ba69f40967af0abe218f.exe, WindowsServices.exe
  - PID 3000 (b05ad7a7bdeb9f4217dcf68f73817db032d55b9884f2ba69f40967af0abe218f.exe) wrote to memory of 2412 (WindowsServices.exe): 3 entries
  - PID 2412 (WindowsServices.exe) wrote to memory of 1504 (netsh.exe): 3 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\b05ad7a7bdeb9f4217dcf68f73817db032d55b9884f2ba69f40967af0abe218f.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b05ad7a7bdeb9f4217dcf68f73817db032d55b9884f2ba69f40967af0abe218f.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE
- C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe
  Filesize: 31KB
  MD5: 1ff8cbbd10873bd03aa7a2a8972536de
  SHA1: 64bb92321f86dae87d5cd4a3deb667a0eb5b5bdd
  SHA256: b05ad7a7bdeb9f4217dcf68f73817db032d55b9884f2ba69f40967af0abe218f
  SHA512: 04226169bd38741c440a4956b2d3c740da06811d5aada571defec3c0cbed759ef78fce394506eaeb523014cf6ddc1672a943ee72f6c988de9c4556d30e7c373b
- memory/1504-135-0x0000000000000000-mapping.dmp
- memory/2412-131-0x0000000000000000-mapping.dmp
- memory/2412-134-0x00000000749A0000-0x0000000074F51000-memory.dmp
  Filesize: 5.7MB
- memory/3000-130-0x00000000749A0000-0x0000000074F51000-memory.dmp
  Filesize: 5.7MB