Analysis
- max time kernel: 152s
- max time network: 167s
- platform: windows10_x64
- resource: win10-en
- submitted: 07-09-2021 06:11
Static task: static1
Behavioral task: behavioral1
  Sample: a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe
  Resource: win7-en
Behavioral task: behavioral2
  Sample: a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe
  Resource: win10-en
General
- Target: a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe
- Size: 83KB
- MD5: 7c6290951c89aac232a806d70f72e573
- SHA1: 0cd2416d39e7e11a7066d12adff69ccd9411b98d
- SHA256: a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8
- SHA512: 9ab95ef8909a0f4324b8756e86492a6fb9318d724b610c477405113b435315d11c8ee18c7a82481a912fa29b73f339f8da149a8ca3419450d0b8b837bcad90fe
Malware Config
Extracted
- njrat
- 0.7d
- .......CELCOM
- anunankis1.duckdns.org:1177
- 04404d18b002688e39bb45a634c1a35a
- reg_key: 04404d18b002688e39bb45a634c1a35a
- splitter: |'|'|
Signatures

Executes dropped EXE (2 IoCs)
Processes (pid, process):
  3656 svchost.exe
  4088 svchost.exe

Modifies Windows Firewall (1 TTPs)

Drops startup file (2 IoCs)
Processes (description, ioc, process):
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\04404d18b002688e39bb45a634c1a35a.exe (svchost.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\04404d18b002688e39bb45a634c1a35a.exe (svchost.exe)

Suspicious use of SetThreadContext (2 IoCs)
Processes (description, pid, process, target process):
  PID 4020 set thread context of 3644: a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe -> a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe
  PID 3656 set thread context of 4088: svchost.exe -> svchost.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (33 IoCs)
Processes (description, pid, process):
  Token: SeDebugPrivilege, 4088, svchost.exe
  Token: 33, 4088, svchost.exe (16 occurrences, alternating with the entry below)
  Token: SeIncBasePriorityPrivilege, 4088, svchost.exe (16 occurrences)

Suspicious use of WriteProcessMemory (22 IoCs)
Processes (description, pid, process, target process):
  PID 4020 wrote to memory of 3644: a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe -> a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe (8 occurrences)
  PID 3644 wrote to memory of 3656: a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe -> svchost.exe (3 occurrences)
  PID 3656 wrote to memory of 4088: svchost.exe -> svchost.exe (8 occurrences)
  PID 4088 wrote to memory of 1356: svchost.exe -> netsh.exe (3 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Local\Temp\a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe"
     - Suspicious use of WriteProcessMemory
    3. C:\Users\Admin\AppData\Local\Temp\svchost.exe
       Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
       - Executes dropped EXE
       - Suspicious use of SetThreadContext
       - Suspicious use of WriteProcessMemory
      4. C:\Users\Admin\AppData\Local\Temp\svchost.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
         - Executes dropped EXE
         - Drops startup file
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
        5. C:\Windows\SysWOW64\netsh.exe
           Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe.log
  MD5: c748e8ca8696cef7e06115966216593a
  SHA1: de51083153bc4e802050a6f3f8e2d273ea36e564
  SHA256: b83056f659f6c279f69432c96fcf4d90adde41c8a3798d3105e26fe8b864759d
  SHA512: d29689f58a3c672c5c2bc1a13d9b7ce7cf147f95364f54265f40783817b66e112e81e72a4e215e745a66d3ebfe57985c38d98b484646bfb01a7e92e805660ca2
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  MD5: 7c6290951c89aac232a806d70f72e573
  SHA1: 0cd2416d39e7e11a7066d12adff69ccd9411b98d
  SHA256: a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8
  SHA512: 9ab95ef8909a0f4324b8756e86492a6fb9318d724b610c477405113b435315d11c8ee18c7a82481a912fa29b73f339f8da149a8ca3419450d0b8b837bcad90fe
- memory/1356-128-0x0000000000000000-mapping.dmp
- memory/3644-119-0x00000000024F0000-0x00000000024F1000-memory.dmp (Filesize: 4KB)
- memory/3644-116-0x00000000004074AE-mapping.dmp
- memory/3656-120-0x0000000000000000-mapping.dmp
- memory/3656-126-0x0000000002E01000-0x0000000002E02000-memory.dmp (Filesize: 4KB)
- memory/4020-118-0x0000000000FF0000-0x000000000113A000-memory.dmp (Filesize: 1.3MB)
- memory/4088-124-0x00000000004074AE-mapping.dmp
- memory/4088-123-0x0000000000400000-0x000000000040C000-memory.dmp (Filesize: 48KB)
- memory/4088-127-0x0000000003201000-0x0000000003202000-memory.dmp (Filesize: 4KB)