Analysis
-
max time kernel
150s
-
max time network
152s
-
platform
windows7_x64
-
resource
win7-en-20211104
-
submitted
07-11-2021 21:47
Static task
static1
Behavioral task
behavioral1
Sample
700c7757b81e5e615b8cab09008c08f6.exe
Resource
win7-en-20211104
Behavioral task
behavioral2
Sample
700c7757b81e5e615b8cab09008c08f6.exe
Resource
win10-en-20211014
General
-
Target
700c7757b81e5e615b8cab09008c08f6.exe
-
Size
37KB
-
MD5
700c7757b81e5e615b8cab09008c08f6
-
SHA1
5e15027312cacc8c390659ca7cfc7d2f49c12b19
-
SHA256
99965cf49e14830c3080cfc35132770063cb19836ef2eb7c5dbe121eb889ca25
-
SHA512
756d3871e8437540aecac87ccd3039f10ceda2a74bc7cb88b545a888da93cc6684b355035011ec98fcdcd7278134d527ee303c70526fc66d7271ad4e28441ff6
Malware Config
Extracted
njrat
im523
svchost.exe
6.tcp.ngrok.io:19025
26aadf41889f3fdf4dc721be5700b93a
-
reg_key
26aadf41889f3fdf4dc721be5700b93a
-
splitter
|'|'|
Signatures
-
Executes dropped EXE 1 IoCs
Processes: svchost.exe
pid | process
1424 | svchost.exe
Modifies Windows Firewall 1 TTPs
-
Drops startup file 2 IoCs
Processes: svchost.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\26aadf41889f3fdf4dc721be5700b93a.exe | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\26aadf41889f3fdf4dc721be5700b93a.exe | svchost.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes: svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\26aadf41889f3fdf4dc721be5700b93a = "\"C:\\Windows\\svchost.exe\" .." | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\26aadf41889f3fdf4dc721be5700b93a = "\"C:\\Windows\\svchost.exe\" .." | svchost.exe
Drops file in Windows directory 3 IoCs
Processes: 700c7757b81e5e615b8cab09008c08f6.exe, svchost.exe
description | ioc | process
File created | C:\Windows\svchost.exe | 700c7757b81e5e615b8cab09008c08f6.exe
File opened for modification | C:\Windows\svchost.exe | 700c7757b81e5e615b8cab09008c08f6.exe
File opened for modification | C:\Windows\svchost.exe | svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: svchost.exe
pid | process
1424 | svchost.exe (the same entry is recorded 64 times)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: svchost.exe
pid | process
1424 | svchost.exe
Suspicious use of AdjustPrivilegeToken 31 IoCs
Processes: svchost.exe
description | pid | process
Token: SeDebugPrivilege | 1424 | svchost.exe
Token: 33 | 1424 | svchost.exe
Token: SeIncBasePriorityPrivilege | 1424 | svchost.exe
(the last two entries alternate for the remaining 30 of the 31 recorded events, all from pid 1424 svchost.exe)
Suspicious use of WriteProcessMemory 8 IoCs
Processes: 700c7757b81e5e615b8cab09008c08f6.exe, svchost.exe
description | pid | process | target process
PID 1432 wrote to memory of 1424 | 1432 | 700c7757b81e5e615b8cab09008c08f6.exe | svchost.exe (recorded 4 times)
PID 1424 wrote to memory of 820 | 1424 | svchost.exe | netsh.exe (recorded 4 times)
Processes
C:\Users\Admin\AppData\Local\Temp\700c7757b81e5e615b8cab09008c08f6.exe (PID 1432)
command line: "C:\Users\Admin\AppData\Local\Temp\700c7757b81e5e615b8cab09008c08f6.exe"
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
  C:\Windows\svchost.exe (PID 1424, child of 1432)
  command line: "C:\Windows\svchost.exe"
  - Executes dropped EXE
  - Drops startup file
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\netsh.exe (PID 820, child of 1424)
    command line: netsh firewall add allowedprogram "C:\Windows\svchost.exe" "svchost.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Windows\svchost.exe
MD5
700c7757b81e5e615b8cab09008c08f6
SHA1
5e15027312cacc8c390659ca7cfc7d2f49c12b19
SHA256
99965cf49e14830c3080cfc35132770063cb19836ef2eb7c5dbe121eb889ca25
SHA512
756d3871e8437540aecac87ccd3039f10ceda2a74bc7cb88b545a888da93cc6684b355035011ec98fcdcd7278134d527ee303c70526fc66d7271ad4e28441ff6
-
memory/820-62-0x0000000000000000-mapping.dmp
-
memory/1424-57-0x0000000000000000-mapping.dmp
-
memory/1424-61-0x0000000000550000-0x0000000000551000-memory.dmp
Filesize
4KB
-
memory/1432-55-0x0000000075E51000-0x0000000075E53000-memory.dmp
Filesize
8KB
-
memory/1432-56-0x0000000000A60000-0x0000000000A61000-memory.dmp
Filesize
4KB