Analysis
- max time kernel: 149s
- max time network: 199s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 06-10-2021 04:29
Behavioral task: behavioral1
- Sample: 216500f3e56a76a59f81e3082a38957482f176c6aaf16ae494db8d2fb5e044d3.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 216500f3e56a76a59f81e3082a38957482f176c6aaf16ae494db8d2fb5e044d3.exe
- Resource: win10-en-20210920
General
- Target: 216500f3e56a76a59f81e3082a38957482f176c6aaf16ae494db8d2fb5e044d3.exe
- Size: 78KB
- MD5: 495ac365075583f4cbd9487cb6c1935c
- SHA1: 9341e99733e753a7f5c2a716c35a7dc131d271d0
- SHA256: 216500f3e56a76a59f81e3082a38957482f176c6aaf16ae494db8d2fb5e044d3
- SHA512: b9e4c72fd53b5e257d701f123fcc6771013b897aa65bbc6f24b1754e9cd9488cde99eb33b54c40b23c76a4bdb669e388b28829b473b00ff0a44940497c46fbe7
Malware Config
Extracted
- Family: njrat
- Version: 0.7.3
- Zombie
- C2: 0.tcp.eu.ngrok.io:14618
- svchost.exe
- reg_key: svchost.exe
- splitter: 123
Signatures
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  - 1728 svchost.exe
  - 1836 svchost.exe
  - 1524 svchost.exe
- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (svchost.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (svchost.exe)
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
  - 2044 216500f3e56a76a59f81e3082a38957482f176c6aaf16ae494db8d2fb5e044d3.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\svchost.exe\" .." (svchost.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\svchost.exe\" .." (svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 4 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid, process):
  - 1640 schtasks.exe
  - 1344 schtasks.exe
  - 1096 schtasks.exe
  - 1044 schtasks.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes (description, pid, process); after the first entry, the remaining 34 alternate between the two token values listed:
  - Token: SeDebugPrivilege, 1728 svchost.exe (1 entry)
  - Token: 33, 1728 svchost.exe (17 entries)
  - Token: SeIncBasePriorityPrivilege, 1728 svchost.exe (17 entries)
- Suspicious use of WriteProcessMemory (44 IoCs)
  Processes (description, pid, process, target process); each row below appears 4 times in the report:
  - PID 2044 wrote to memory of 468: 216500f3e56a76a59f81e3082a38957482f176c6aaf16ae494db8d2fb5e044d3.exe -> schtasks.exe
  - PID 2044 wrote to memory of 1640: 216500f3e56a76a59f81e3082a38957482f176c6aaf16ae494db8d2fb5e044d3.exe -> schtasks.exe
  - PID 2044 wrote to memory of 1728: 216500f3e56a76a59f81e3082a38957482f176c6aaf16ae494db8d2fb5e044d3.exe -> svchost.exe
  - PID 1728 wrote to memory of 1324: svchost.exe -> schtasks.exe
  - PID 1728 wrote to memory of 1344: svchost.exe -> schtasks.exe
  - PID 1580 wrote to memory of 1836: taskeng.exe -> svchost.exe
  - PID 1836 wrote to memory of 112: svchost.exe -> schtasks.exe
  - PID 1836 wrote to memory of 1096: svchost.exe -> schtasks.exe
  - PID 1580 wrote to memory of 1524: taskeng.exe -> svchost.exe
  - PID 1524 wrote to memory of 1600: svchost.exe -> schtasks.exe
  - PID 1524 wrote to memory of 1044: svchost.exe -> schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\216500f3e56a76a59f81e3082a38957482f176c6aaf16ae494db8d2fb5e044d3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\216500f3e56a76a59f81e3082a38957482f176c6aaf16ae494db8d2fb5e044d3.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks /Delete /tn NYAN /F
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\216500f3e56a76a59f81e3082a38957482f176c6aaf16ae494db8d2fb5e044d3.exe" /sc minute /mo 1
    Signatures: Creates scheduled task(s)
  - C:\Users\Admin\svchost.exe
    Command line: "C:\Users\Admin\svchost.exe"
    Signatures: Executes dropped EXE; Drops startup file; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Delete /tn NYAN /F
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /tn NYAN /tr "C:\Users\Admin\svchost.exe" /sc minute /mo 1
      Signatures: Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {F09F69CC-4714-4860-9FC1-2DC83C426B56} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\svchost.exe
    Command line: C:\Users\Admin\svchost.exe
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Delete /tn NYAN /F
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /tn NYAN /tr "C:\Users\Admin\svchost.exe" /sc minute /mo 1
      Signatures: Creates scheduled task(s)
  - C:\Users\Admin\svchost.exe
    Command line: C:\Users\Admin\svchost.exe
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Delete /tn NYAN /F
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /tn NYAN /tr "C:\Users\Admin\svchost.exe" /sc minute /mo 1
      Signatures: Creates scheduled task(s)
Downloads
- C:\Users\Admin\svchost.exe
  MD5: 495ac365075583f4cbd9487cb6c1935c
  SHA1: 9341e99733e753a7f5c2a716c35a7dc131d271d0
  SHA256: 216500f3e56a76a59f81e3082a38957482f176c6aaf16ae494db8d2fb5e044d3
  SHA512: b9e4c72fd53b5e257d701f123fcc6771013b897aa65bbc6f24b1754e9cd9488cde99eb33b54c40b23c76a4bdb669e388b28829b473b00ff0a44940497c46fbe7
- \Users\Admin\svchost.exe
  MD5: 495ac365075583f4cbd9487cb6c1935c
  SHA1: 9341e99733e753a7f5c2a716c35a7dc131d271d0
  SHA256: 216500f3e56a76a59f81e3082a38957482f176c6aaf16ae494db8d2fb5e044d3
  SHA512: b9e4c72fd53b5e257d701f123fcc6771013b897aa65bbc6f24b1754e9cd9488cde99eb33b54c40b23c76a4bdb669e388b28829b473b00ff0a44940497c46fbe7
- memory/112-74-0x0000000000000000-mapping.dmp
- memory/468-61-0x0000000000000000-mapping.dmp
- memory/1044-81-0x0000000000000000-mapping.dmp
- memory/1096-75-0x0000000000000000-mapping.dmp
- memory/1324-68-0x0000000000000000-mapping.dmp
- memory/1344-69-0x0000000000000000-mapping.dmp
- memory/1524-77-0x0000000000000000-mapping.dmp
- memory/1524-82-0x0000000000C20000-0x0000000000C21000-memory.dmp (Filesize: 4KB)
- memory/1600-80-0x0000000000000000-mapping.dmp
- memory/1640-62-0x0000000000000000-mapping.dmp
- memory/1728-70-0x00000000007D0000-0x00000000007D1000-memory.dmp (Filesize: 4KB)
- memory/1728-64-0x0000000000000000-mapping.dmp
- memory/1836-76-0x0000000000CE0000-0x0000000000CE1000-memory.dmp (Filesize: 4KB)
- memory/1836-71-0x0000000000000000-mapping.dmp
- memory/2044-59-0x0000000075D11000-0x0000000075D13000-memory.dmp (Filesize: 8KB)
- memory/2044-60-0x0000000000E40000-0x0000000000E41000-memory.dmp (Filesize: 4KB)