Analysis
- max time kernel: 152s
- max time network: 188s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 16-09-2021 13:56
Static task: static1
Behavioral task: behavioral1
- Sample: 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
- Resource: win10-en
General
- Target: 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
- Size: 82KB
- MD5: 42f06a2dd04a0b84c019557cc07f0cb6
- SHA1: 9f8b00c0cefd6e80ed813ac25b55b57e1289c724
- SHA256: 6c8f0805290d03ab8fe1d2e21eaf62b80ab8677c430272f23dea52de6e4d8998
- SHA512: 15228012f88fb714d868aec24574c532bb49a7f56ebdd8a97922d0a569a37c6f112cdb1224db37df50196c9cc08c07e90a1f72c26978adaaeec12212ef9a9556
Malware Config
Extracted: njrat
- 0.7 MultiHost
- 000000
- karmina112.sytes.net,karmina115.sytes.net,burdun.dynu.net,burdun115.dynu.net,anunankis3.duckdns.org:1177
- 670b14728ad9902aecba32e22fa4f6bd
- reg_key: 670b14728ad9902aecba32e22fa4f6bd
- splitter: |'|'|
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
  - pid 1212 svchost.exe
  - pid 1804 svchost.exe
- Drops startup file (3 IoCs)
  Processes (description, ioc, process):
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\670b14728ad9902aecba32e22fa4f6bd.exe (svchost.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CCleaner.lnk (svchost.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\670b14728ad9902aecba32e22fa4f6bd.exe (svchost.exe)
- Loads dropped DLL (3 IoCs)
  Processes:
  - pid 1920 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
  - pid 1212 svchost.exe
  - pid 1804 svchost.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\670b14728ad9902aecba32e22fa4f6bd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." (svchost.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\670b14728ad9902aecba32e22fa4f6bd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." (svchost.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description, pid, process, target process):
  - PID 1940 set thread context of 1920: 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe -> 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
  - PID 1212 set thread context of 1804: svchost.exe -> svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes (description, pid, process), all for pid 1804 svchost.exe:
  - Token: SeDebugPrivilege
  - Token: 33 followed by Token: SeIncBasePriorityPrivilege, the pair repeated 17 times (34 entries)
- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes (description, pid, process, target process):
  - PID 1940 wrote to memory of 1920: 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe -> 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe (9 entries)
  - PID 1920 wrote to memory of 1212: 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe -> svchost.exe (4 entries)
  - PID 1212 wrote to memory of 1804: svchost.exe -> svchost.exe (9 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\svchost.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\svchost.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
            - Executes dropped EXE
            - Drops startup file
            - Loads dropped DLL
            - Adds Run key to start application
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  MD5: 42f06a2dd04a0b84c019557cc07f0cb6
  SHA1: 9f8b00c0cefd6e80ed813ac25b55b57e1289c724
  SHA256: 6c8f0805290d03ab8fe1d2e21eaf62b80ab8677c430272f23dea52de6e4d8998
  SHA512: 15228012f88fb714d868aec24574c532bb49a7f56ebdd8a97922d0a569a37c6f112cdb1224db37df50196c9cc08c07e90a1f72c26978adaaeec12212ef9a9556
- \Users\Admin\AppData\Local\Temp\svchost.exe
  MD5: 42f06a2dd04a0b84c019557cc07f0cb6
  SHA1: 9f8b00c0cefd6e80ed813ac25b55b57e1289c724
  SHA256: 6c8f0805290d03ab8fe1d2e21eaf62b80ab8677c430272f23dea52de6e4d8998
  SHA512: 15228012f88fb714d868aec24574c532bb49a7f56ebdd8a97922d0a569a37c6f112cdb1224db37df50196c9cc08c07e90a1f72c26978adaaeec12212ef9a9556
- memory/1212-67-0x0000000000000000-mapping.dmp
- memory/1212-74-0x0000000002160000-0x0000000002161000-memory.dmp (Filesize: 4KB)
- memory/1804-73-0x0000000000407ACE-mapping.dmp
- memory/1804-77-0x00000000004D0000-0x00000000004D1000-memory.dmp (Filesize: 4KB)
- memory/1920-65-0x0000000000C20000-0x0000000000C21000-memory.dmp (Filesize: 4KB)
- memory/1920-62-0x0000000000400000-0x000000000040C000-memory.dmp (Filesize: 48KB)
- memory/1920-63-0x0000000000407ACE-mapping.dmp
- memory/1940-60-0x0000000075201000-0x0000000075203000-memory.dmp (Filesize: 8KB)
- memory/1940-61-0x0000000000B20000-0x0000000000B21000-memory.dmp (Filesize: 4KB)