Analysis
-
max time kernel: 147s
max time network: 155s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2022 13:07
Behavioral task: behavioral1
Sample: c9a6906da93dbfbbf03dbef5eb0f92c08b3d32468bdb34eb7dd14fa4021765e8.exe
Resource: win7-20220901-en
General
Target: c9a6906da93dbfbbf03dbef5eb0f92c08b3d32468bdb34eb7dd14fa4021765e8.exe
Size: 23KB
MD5: b666c4da44542080af4e8d10035e3cae
SHA1: 4c1df8d41638200ab51d3c22c6d1854b0544a2e2
SHA256: c9a6906da93dbfbbf03dbef5eb0f92c08b3d32468bdb34eb7dd14fa4021765e8
SHA512: d8a835e5df93056ce193b4aa64bab04bb0c2a008d9385144500e6057d7d97de226283225e3f90386aeb8742db637a8bebb1031adf5fa09046f76d87e8dac235b
SSDEEP: 384:4sqCm6yocx/Yp7jemiO0nd08/VQ6bgNQC5h7tmRvR6JZlbw8hqIusZzZNX:PSoQA6mlcrRpcnuG
Malware Config
Extracted
Family: njrat
Version: 0.7d
Campaign ID: SAMEEDLCP
C2: themarlborough.co.vu:5150
Mutex / install ID: fb299416afb86ef6ecdbdf6738f8fa6c (njRAT reuses this one value as the mutex name and as the registry value name below)
-
reg_key: fb299416afb86ef6ecdbdf6738f8fa6c
-
splitter: |'|'| (field separator used in the C2 protocol)
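The splitter and C2 endpoint above are all that is needed to pick the agent's traffic apart on the wire. The following is an added example written for this page, not code from the sandbox report or from njRAT itself. It assumes the njRAT 0.7d framing of an ASCII decimal length, a NUL byte, then the payload, with fields inside the payload separated by the configured splitter. The sample stream, the victim-id value and the field positions of the registration beacon beyond the leading "ll" token are constructed for illustration:

```python
"""Parse njRAT-style C2 frames using the splitter from the extracted config.

Added example, not part of the sandbox report. Assumes the njRAT 0.7d wire
format (<ascii length>\\x00<payload>, fields split on the configured
splitter). The registration beacon layout after the "ll" token and the
SAMPLE_STREAM below are constructed for illustration.
"""
from __future__ import annotations

import base64
from typing import Iterator

SPLITTER = b"|'|'|"                              # from the extracted config
C2_HOST, C2_PORT = "themarlborough.co.vu", 5150  # from the extracted config


def iter_frames(stream: bytes) -> Iterator[bytes]:
    """Yield each complete payload; a truncated trailing frame or a
    non-numeric length field ends iteration instead of raising."""
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            return
        length_field = stream[pos:nul]
        if not length_field.isdigit():
            return  # not njRAT framing
        start = nul + 1
        end = start + int(length_field)
        if end > len(stream):
            return  # incomplete frame, wait for more data
        yield stream[start:end]
        pos = end


def parse_fields(payload: bytes, splitter: bytes = SPLITTER) -> list[str]:
    """Split a payload on the configured splitter."""
    return [f.decode("latin-1") for f in payload.split(splitter)]


def classify(payload: bytes) -> str:
    """Coarse classification from the leading command token."""
    cmd = parse_fields(payload)[0]
    if cmd == "ll":
        return "registration"  # victim-info beacon sent on connect
    if cmd == "P":
        return "keepalive"     # assumption: ping/pong frame
    return "other"


def describe_registration(payload: bytes) -> dict[str, str]:
    """Decode the constructed beacon layout: field 1 base64 victim id,
    field 2 username, field 7 agent version (assumed indices)."""
    fields = parse_fields(payload)
    if fields[0] != "ll":
        raise ValueError("not a registration beacon")
    return {
        "victim_id": base64.b64decode(fields[1]).decode("latin-1"),
        "user": fields[2],
        "version": fields[7],
    }


def _frame(payload: bytes) -> bytes:
    return str(len(payload)).encode() + b"\x00" + payload


# Constructed traffic: a registration beacon, a keepalive, and a truncated
# third frame to exercise the incomplete-frame path.
_BEACON_FIELDS = [
    b"ll",
    base64.b64encode(b"SAMEEDLCP_1A2B3C4D_WIN7-PC"),  # constructed victim id
    b"Admin", b"22-11-23", b"", b"Win 7 Ultimate SP1 x64", b"No",
    b"0.7d", b"..", base64.b64encode(b"Program Manager"), b"",
]
SAMPLE_STREAM = (
    _frame(SPLITTER.join(_BEACON_FIELDS)) + _frame(b"P") + b"20\x00abc"
)


def summarize(stream: bytes = SAMPLE_STREAM) -> list[str]:
    """One summary line per complete frame in the stream."""
    out = []
    for payload in iter_frames(stream):
        kind = classify(payload)
        if kind == "registration":
            info = describe_registration(payload)
            out.append(f"registration from {info['victim_id']} "
                       f"user={info['user']} v{info['version']}")
        else:
            out.append(kind)
    return out


if __name__ == "__main__":
    for line in summarize():
        print(line)
```

The parser deliberately stops on a truncated frame rather than raising, because a reassembled TCP stream will routinely end mid-frame; a sensor should buffer and retry from that offset. Checking the length field with `isdigit()` before use also stops arbitrary binary traffic on port 5150 from being mistaken for the protocol.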
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
  PID 940  Winsvc.exe
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Loads dropped DLL 1 IoCs
Processes:
  PID 1368  c9a6906da93dbfbbf03dbef5eb0f92c08b3d32468bdb34eb7dd14fa4021765e8.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). This is the sandbox's generic description, which flags the behaviour as likely ransomware; for njRAT the same drive enumeration backs its removable-drive spreading option, so on its own it is a weak indicator for this family.
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
Processes:
  PID 940  Winsvc.exe
    Token: SeDebugPrivilege (1 event)
    Token: 33 and Token: SeIncBasePriorityPrivilege, alternating (9 events each)
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
  PID 1368  c9a6906da93dbfbbf03dbef5eb0f92c08b3d32468bdb34eb7dd14fa4021765e8.exe  wrote to memory of  PID 940  Winsvc.exe  (4 events)
  PID 940   Winsvc.exe  wrote to memory of  PID 624  netsh.exe  (4 events)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\c9a6906da93dbfbbf03dbef5eb0f92c08b3d32468bdb34eb7dd14fa4021765e8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c9a6906da93dbfbbf03dbef5eb0f92c08b3d32468bdb34eb7dd14fa4021765e8.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Winsvc.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Winsvc.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Winsvc.exe" "Winsvc.exe" ENABLE
         - Modifies Windows Firewall
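The tree above is the whole infection chain: the dropper in %TEMP% launches a copy of itself from %APPDATA%\Roaming, and that copy uses the legacy `netsh firewall add allowedprogram` syntax to whitelist itself. The following is an added example for this page, not code from the sandbox or the malware author: detection logic run over constructed Sysmon-style process-creation events that mirror the tree. The PIDs, image paths, netsh command line and file hash come from the report; the explorer.exe parent, the notepad.exe control event and the hash values for the Windows binaries are made up.

```python
"""Flag the self-copy plus firewall-exception pattern seen in this process tree.

Added example, not part of the sandbox report. Runs over constructed
Sysmon-style events; PIDs 1368/940/624, the image paths, the netsh command
line and SAMPLE_SHA256 are from the report, everything else is made up.
"""
from __future__ import annotations

import ntpath
import re

# Directories a standard user can write to. A firewall exception for a binary
# here, requested by a process that itself lives here, is a strong signal.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public)\\", re.I)

# Legacy `netsh firewall add allowedprogram [program=]<path> ...` syntax as
# used on the Windows 7 target; captures a quoted or a bare program path.
ALLOWED_PROGRAM = re.compile(
    r'allowedprogram\s+(?:program=)?(?:"([^"]+)"|(\S+))', re.I)

SAMPLE_SHA256 = "c9a6906da93dbfbbf03dbef5eb0f92c08b3d32468bdb34eb7dd14fa4021765e8"
SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE_SHA256 + ".exe"
DROPPED_IMAGE = r"C:\Users\Admin\AppData\Roaming\Winsvc.exe"

EVENTS = [  # constructed events (see module docstring for provenance)
    {"pid": 1000, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe", "sha256": "explorer-hash-constructed"},
    {"pid": 1368, "ppid": 1000, "image": SAMPLE_IMAGE,
     "cmdline": f'"{SAMPLE_IMAGE}"', "sha256": SAMPLE_SHA256},
    {"pid": 940, "ppid": 1368, "image": DROPPED_IMAGE,
     "cmdline": f'"{DROPPED_IMAGE}"', "sha256": SAMPLE_SHA256},
    {"pid": 624, "ppid": 940, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": f'netsh firewall add allowedprogram "{DROPPED_IMAGE}" "Winsvc.exe" ENABLE',
     "sha256": "netsh-hash-constructed"},
    {"pid": 2000, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe", "sha256": "notepad-hash-constructed"},
]


def allowed_program_path(cmdline: str) -> str | None:
    """Program path from a legacy netsh allowedprogram command, or None."""
    m = ALLOWED_PROGRAM.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def detect(events: list[dict]) -> list[tuple[str, int]]:
    """Return (rule, pid) findings over a batch of process-creation events."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        # Rule 1: same hash as the parent but a different path under a
        # user-writable directory: the dropper executed a copy of itself.
        if (parent and e["sha256"] == parent["sha256"]
                and e["image"].lower() != parent["image"].lower()
                and USER_WRITABLE.search(e["image"])):
            findings.append(("self_copy_executed", e["pid"]))
        # Rule 2: netsh whitelisting a user-writable binary, escalated when
        # that binary is the very process that spawned netsh.
        if ntpath.basename(e["image"]).lower() == "netsh.exe":
            path = allowed_program_path(e["cmdline"])
            if path and USER_WRITABLE.search(path):
                rule = "firewall_exception_user_writable"
                if parent and path.lower() == parent["image"].lower():
                    rule = "firewall_exception_for_parent"
                findings.append((rule, e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

Both rules key on the parent relationship, which is why the events must arrive as a batch (or be joined against a process table) rather than be evaluated one at a time. Rule 2 would also need an `advfirewall firewall add rule ... program=` variant on newer Windows; the legacy syntax is what this Windows 7 run shows.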
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Winsvc.exe
Filesize 23KB
MD5 b666c4da44542080af4e8d10035e3cae
SHA1 4c1df8d41638200ab51d3c22c6d1854b0544a2e2
SHA256 c9a6906da93dbfbbf03dbef5eb0f92c08b3d32468bdb34eb7dd14fa4021765e8
SHA512 d8a835e5df93056ce193b4aa64bab04bb0c2a008d9385144500e6057d7d97de226283225e3f90386aeb8742db637a8bebb1031adf5fa09046f76d87e8dac235b
(All hashes match the submitted sample: Winsvc.exe is a byte-for-byte copy of the dropper, not a separately packed payload.)
-
\Users\Admin\AppData\Roaming\Winsvc.exe
Filesize 23KB
MD5 b666c4da44542080af4e8d10035e3cae
SHA1 4c1df8d41638200ab51d3c22c6d1854b0544a2e2
SHA256 c9a6906da93dbfbbf03dbef5eb0f92c08b3d32468bdb34eb7dd14fa4021765e8
SHA512 d8a835e5df93056ce193b4aa64bab04bb0c2a008d9385144500e6057d7d97de226283225e3f90386aeb8742db637a8bebb1031adf5fa09046f76d87e8dac235b
-
memory/624-63-0x0000000000000000-mapping.dmp
-
memory/940-57-0x0000000000000000-mapping.dmp
-
memory/940-62-0x0000000074160000-0x000000007470B000-memory.dmp  Filesize 5.7MB
-
memory/940-65-0x0000000074160000-0x000000007470B000-memory.dmp  Filesize 5.7MB
-
memory/1368-54-0x0000000074E41000-0x0000000074E43000-memory.dmp  Filesize 8KB
-
memory/1368-55-0x0000000074160000-0x000000007470B000-memory.dmp  Filesize 5.7MB
-
memory/1368-61-0x0000000074160000-0x000000007470B000-memory.dmp  Filesize 5.7MB