Analysis

max time kernel: 112s
max time network: 116s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 15-04-2023 21:31
General

Target: test.exe
Size: 31KB
MD5: 5ab6073a4ecb061d0d87f33fc42517ae
SHA1: 4f611c050a264436d0832622709fc5c500eaae0b
SHA256: 275c1d6827109fc66ea643290239b75928f455749d19de1fb60e0a2984dd44c5
SHA512: 85903f5a471d5ec09de913b1983c80283787842bb1aeff517207717706e76190f06a6af9e4f1221cbc929e572478815d65c7b5f93669583fe7a9c9da2a2d1d3b
SSDEEP: 768:BzirDp8pdvXyzx9uFwna/5nW3TvanQmIDUu0tixPj:ow68nQbkQVkYj
Malware Config

Extracted

Family: njrat
Version: 0.7d
Botnet: HacKed
C2: 10.10.10.10:8080
Mutex: fc18f90cb05b06d57e182c1350fa6b6e
reg_key: fc18f90cb05b06d57e182c1350fa6b6e
splitter: Y262SUCZ4UJJ
Signatures

Modifies Windows Firewall (1 TTPs, 1 IoCs)

Executes dropped EXE (1 IoCs)
Processes:
- pid 2452 WindowsServices.exe

Drops file in Windows directory (2 IoCs)
Processes:
- File created: C:\Windows\rescache\_merged\4183903823\810424605.pri (taskmgr.exe)
- File created: C:\Windows\rescache\_merged\1601268389\3877292338.pri (taskmgr.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)

Modifies registry class (1 IoCs)
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings (taskmgr.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
- pid 2112 test.exe (64 events)

Suspicious use of AdjustPrivilegeToken (27 IoCs)
Processes (token privilege, pid, process; repeated events collapsed):
- Token: SeDebugPrivilege, pid 2112 test.exe (1 event)
- Token: SeDebugPrivilege, pid 2452 WindowsServices.exe (1 event)
- Token: 33, pid 2452 WindowsServices.exe (10 events)
- Token: SeIncBasePriorityPrivilege, pid 2452 WindowsServices.exe (10 events)
- Token: SeDebugPrivilege, pid 992 taskmgr.exe (1 event)
- Token: SeSystemProfilePrivilege, pid 992 taskmgr.exe (1 event)
- Token: SeCreateGlobalPrivilege, pid 992 taskmgr.exe (1 event)
- Token: 33, pid 992 taskmgr.exe (1 event)
- Token: SeIncBasePriorityPrivilege, pid 992 taskmgr.exe (1 event)

Suspicious use of FindShellTrayWindow (58 IoCs)
Processes:
- pid 992 taskmgr.exe (58 events)

Suspicious use of SendNotifyMessage (57 IoCs)
Processes:
- pid 992 taskmgr.exe (57 events)

Suspicious use of WriteProcessMemory (6 IoCs)
Processes (source pid, source process, target pid, target process):
- PID 2112 test.exe wrote to memory of 2452 WindowsServices.exe (3 events)
- PID 2452 WindowsServices.exe wrote to memory of 3756 netsh.exe (3 events)
Processes

C:\Users\Admin\AppData\Local\Temp\test.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\test.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe (level 3)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE
      - Modifies Windows Firewall

C:\Windows\system32\taskmgr.exe (level 1)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\System32\rundll32.exe (level 1)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe (hashes identical to the submitted test.exe)
  Filesize: 31KB
  MD5: 5ab6073a4ecb061d0d87f33fc42517ae
  SHA1: 4f611c050a264436d0832622709fc5c500eaae0b
  SHA256: 275c1d6827109fc66ea643290239b75928f455749d19de1fb60e0a2984dd44c5
  SHA512: 85903f5a471d5ec09de913b1983c80283787842bb1aeff517207717706e76190f06a6af9e4f1221cbc929e572478815d65c7b5f93669583fe7a9c9da2a2d1d3b
memory/2112-118-0x0000000002E90000-0x0000000002EA0000-memory.dmp
  Filesize: 64KB

memory/2112-120-0x0000000002E90000-0x0000000002EA0000-memory.dmp
  Filesize: 64KB

memory/2452-127-0x00000000025F0000-0x0000000002600000-memory.dmp
  Filesize: 64KB

memory/2452-128-0x00000000025F0000-0x0000000002600000-memory.dmp
  Filesize: 64KB