Analysis
Max time kernel: 160s
Max time network: 163s
Platform: windows7_x64
Resource: win7-en
Submitted: 07-09-2021 06:11
Static task: static1
Behavioral task: behavioral1 (sample a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe, resource win7-en)
Behavioral task: behavioral2 (sample a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe, resource win10-en)
General
Target: a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe
Size: 83KB
MD5: 7c6290951c89aac232a806d70f72e573
SHA1: 0cd2416d39e7e11a7066d12adff69ccd9411b98d
SHA256: a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8
SHA512: 9ab95ef8909a0f4324b8756e86492a6fb9318d724b610c477405113b435315d11c8ee18c7a82481a912fa29b73f339f8da149a8ca3419450d0b8b837bcad90fe
Malware Config
Extracted
Family: njrat
Version: 0.7d
.......CELCOM
C2: anunankis1.duckdns.org:1177
04404d18b002688e39bb45a634c1a35a
reg_key: 04404d18b002688e39bb45a634c1a35a
splitter: |'|'|
Signatures
- Executes dropped EXE (2 IoCs)
  Processes: PID 436 svchost.exe; PID 1916 svchost.exe
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\04404d18b002688e39bb45a634c1a35a.exe (by svchost.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\04404d18b002688e39bb45a634c1a35a.exe (by svchost.exe)
- Loads dropped DLL (2 IoCs)
  Processes: PID 1172 a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe; PID 436 svchost.exe
- Suspicious use of SetThreadContext (2 IoCs)
  PID 1080 (a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe) set thread context of PID 1172 (a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe)
  PID 436 (svchost.exe) set thread context of PID 1916 (svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  All events in PID 1916 (svchost.exe): Token SeDebugPrivilege (1 event); Token 33 (15 events); Token SeIncBasePriorityPrivilege (15 events)
- Suspicious use of WriteProcessMemory (26 IoCs)
  PID 1080 (a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe) wrote to memory of PID 1172 (a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe): 9 events
  PID 1172 (a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe) wrote to memory of PID 436 (svchost.exe): 4 events
  PID 436 (svchost.exe) wrote to memory of PID 1916 (svchost.exe): 9 events
  PID 1916 (svchost.exe) wrote to memory of PID 1608 (netsh.exe): 4 events
Processes
C:\Users\Admin\AppData\Local\Temp\a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe (PID 1080)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe (PID 1172)
    Command line: "C:\Users\Admin\AppData\Local\Temp\a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 436)
      Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 1916)
        Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        - Executes dropped EXE
        - Drops startup file
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\netsh.exe (PID 1608)
          Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5: 7c6290951c89aac232a806d70f72e573
SHA1: 0cd2416d39e7e11a7066d12adff69ccd9411b98d
SHA256: a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8
SHA512: 9ab95ef8909a0f4324b8756e86492a6fb9318d724b610c477405113b435315d11c8ee18c7a82481a912fa29b73f339f8da149a8ca3419450d0b8b837bcad90fe
The dropped svchost.exe (also recorded as \Users\Admin\AppData\Local\Temp\svchost.exe) has the same hashes as the submitted sample, so it is a byte-identical copy of the original executable.
Memory dumps
- memory/436-73-0x0000000000A40000-0x0000000000A41000-memory.dmp (4KB)
- memory/436-64-0x0000000000000000-mapping.dmp
- memory/1080-53-0x0000000075991000-0x0000000075993000-memory.dmp (8KB)
- memory/1080-61-0x00000000020A0000-0x00000000020A1000-memory.dmp (4KB)
- memory/1172-62-0x00000000001D0000-0x00000000001D1000-memory.dmp (4KB)
- memory/1172-59-0x0000000000080000-0x000000000008C000-memory.dmp (48KB)
- memory/1172-56-0x0000000000080000-0x000000000008C000-memory.dmp (48KB)
- memory/1172-55-0x00000000004074AE-mapping.dmp
- memory/1608-75-0x0000000000000000-mapping.dmp
- memory/1916-69-0x0000000000400000-0x000000000040C000-memory.dmp (48KB)
- memory/1916-70-0x00000000004074AE-mapping.dmp
- memory/1916-74-0x00000000009B0000-0x00000000009B1000-memory.dmp (4KB)