Analysis
Max time kernel: 151s
Max time network: 152s
Platform: windows7_x64
Resource: win7-en-20211014
Submitted: 07-11-2021 22:36

Static task: static1
Behavioral task: behavioral1
  Sample: 700c7757b81e5e615b8cab09008c08f6.exe
  Resource: win7-en-20211014
Behavioral task: behavioral2
  Sample: 700c7757b81e5e615b8cab09008c08f6.exe
  Resource: win10-en-20211104

General
Target: 700c7757b81e5e615b8cab09008c08f6.exe
Size: 37KB
MD5: 700c7757b81e5e615b8cab09008c08f6
SHA1: 5e15027312cacc8c390659ca7cfc7d2f49c12b19
SHA256: 99965cf49e14830c3080cfc35132770063cb19836ef2eb7c5dbe121eb889ca25
SHA512: 756d3871e8437540aecac87ccd3039f10ceda2a74bc7cb88b545a888da93cc6684b355035011ec98fcdcd7278134d527ee303c70526fc66d7271ad4e28441ff6
Malware Config
Extracted
Family: njrat
Identifier: im523
Install name: svchost.exe
C2: 6.tcp.ngrok.io:19025
Mutex: 26aadf41889f3fdf4dc721be5700b93a (label inferred from its position in the extracted config; the same value is reused as reg_key)
reg_key: 26aadf41889f3fdf4dc721be5700b93a
splitter: |'|'| (field delimiter used in the C2 protocol)

The C2 address is an ngrok TCP tunnel endpoint, so the operator's real host is not visible in the sample; the tunnel hostname and port are the only network indicators this report yields. The install name matches the dropped copy at C:\Windows\svchost.exe, and the reg_key value appears as both the Run value name and the Startup folder file name below.
Signatures

Executes dropped EXE (1 IoC)
  svchost.exe (PID 848)

Modifies Windows Firewall (1 TTP)
  See the netsh.exe command under Processes.

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\26aadf41889f3fdf4dc721be5700b93a.exe (svchost.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\26aadf41889f3fdf4dc721be5700b93a.exe (svchost.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\26aadf41889f3fdf4dc721be5700b93a = "\"C:\\Windows\\svchost.exe\" .." (svchost.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\26aadf41889f3fdf4dc721be5700b93a = "\"C:\\Windows\\svchost.exe\" .." (svchost.exe)
  Persistence is set in both the user hive and the machine hive. The Wow6432Node path shows the sample is a 32-bit binary running under WOW64 on the x64 platform, consistent with netsh.exe being launched from C:\Windows\SysWOW64 below.

Drops file in Windows directory (3 IoCs)
  File created: C:\Windows\svchost.exe (700c7757b81e5e615b8cab09008c08f6.exe)
  File opened for modification: C:\Windows\svchost.exe (700c7757b81e5e615b8cab09008c08f6.exe)
  File opened for modification: C:\Windows\svchost.exe (svchost.exe)
  The dropped file reuses the name of the legitimate service host, which lives only in System32/SysWOW64; a svchost.exe directly under C:\Windows is a masquerade.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic description for the signature. Nothing else in this report (no file encryption, no ransom note, no mass file modification) supports ransomware; treat it as drive enumeration only.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  svchost.exe (PID 848), 64 process-enumeration events

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  svchost.exe (PID 848)

Suspicious use of AdjustPrivilegeToken (31 IoCs)
  svchost.exe (PID 848): SeDebugPrivilege once, then privilege 33 and SeIncBasePriorityPrivilege requested alternately, 15 times each.

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1912 (700c7757b81e5e615b8cab09008c08f6.exe) wrote to memory of PID 848 (svchost.exe), 4 events
  PID 848 (svchost.exe) wrote to memory of PID 1824 (netsh.exe), 4 events
  Both pairs match the parent/child chain under Processes.
Processes

C:\Users\Admin\AppData\Local\Temp\700c7757b81e5e615b8cab09008c08f6.exe (PID 1912)
  Command line: "C:\Users\Admin\AppData\Local\Temp\700c7757b81e5e615b8cab09008c08f6.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

  C:\Windows\svchost.exe (PID 848)
    Command line: "C:\Windows\svchost.exe" ..
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe (PID 1824)
      Command line: netsh firewall add allowedprogram "C:\Windows\svchost.exe" "svchost.exe" ENABLE
      This uses the legacy netsh firewall context (superseded by netsh advfirewall but still accepted) to whitelist the dropped copy under the display name "svchost.exe", so the inbound exception looks like one for the real service host.
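The chain in the process tree above (self-copy to C:\Windows\svchost.exe, Run values in both hives, Startup folder drop, netsh exception, ngrok C2) expressed as detection logic over constructed Sysmon-style records. This is an added example and is not part of the sandbox report or of the sample; the record format, the field names, the ngrok suffix list and the two benign control records at the end are assumptions. The rules are written so that the masquerading copy is flagged while a real System32\svchost.exe started by services.exe and an ordinary Run value are not.

```python
"""Detection logic for the behaviour chain in this report, run over constructed
Sysmon-style records (hand-written to mirror the report, not real telemetry).
Event kinds and field names are an assumption about the log source."""
import ntpath
import re
from typing import Dict, Iterable, List, Tuple

# Binaries that only ever live under System32/SysWOW64; the same file name
# anywhere else (here C:\Windows\svchost.exe) is a masquerade.
SYSTEM_BINARIES = {"svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "winlogon.exe", "smss.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

RUN_KEY_RE = re.compile(r"\\software\\(?:wow6432node\\)?microsoft\\windows\\currentversion\\run\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)
# legacy 'netsh firewall' syntax (used by this sample) and the current 'netsh advfirewall' form
NETSH_ALLOW_RE = re.compile(r"\b(?:firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)\b", re.I)
QUOTED_EXE_RE = re.compile(r'"([^"]+\.exe)"', re.I)
TUNNEL_SUFFIXES = (".tcp.ngrok.io",)  # assumption: any ngrok TCP tunnel endpoint is treated as suspect

Finding = Tuple[str, str, str]  # (pid, rule, detail)


def is_masquerade(path: str) -> bool:
    """True when a protected system binary name appears outside System32/SysWOW64."""
    directory, name = ntpath.split(path)
    return name.lower() in SYSTEM_BINARIES and directory.lower() not in SYSTEM_DIRS


def target_path(value: str) -> str:
    """Image path referenced by a Run value or netsh command line: first quoted .exe, else first token."""
    m = QUOTED_EXE_RE.search(value)
    return m.group(1) if m else value.split(" ")[0]


def analyze(events: Iterable[Dict[str, str]]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        pid, kind = ev["pid"], ev["type"]
        if kind == "process_create":
            image, parent = ev["image"], ev.get("parent_image", "")
            name = ntpath.basename(image).lower()
            if is_masquerade(image):
                findings.append((pid, "masquerade", f"{image} carries a System32 binary name"))
            if name == "svchost.exe" and ntpath.basename(parent).lower() != "services.exe":
                findings.append((pid, "svchost_parent", f"svchost.exe started by {parent or 'unknown'}"))
            if name == "netsh.exe" and NETSH_ALLOW_RE.search(ev.get("cmdline", "")):
                allowed = target_path(ev["cmdline"])
                tag = "masquerading " if is_masquerade(allowed) else ""
                findings.append((pid, "firewall_exception", f"exception for {tag}{allowed}"))
        elif kind == "registry_set":
            # Run value (either hive, with or without Wow6432Node) pointing at a masquerading image
            if RUN_KEY_RE.search(ev["key"]) and is_masquerade(target_path(ev["data"])):
                findings.append((pid, "run_key", f"{ev['key']} -> {ev['data']}"))
        elif kind == "file_create":
            target = ev["target"]
            if STARTUP_DIR_RE.search(target):
                findings.append((pid, "startup_drop", target))
            elif is_masquerade(target):
                findings.append((pid, "masquerade_drop", target))
        elif kind == "network":
            if ev["dest_host"].lower().endswith(TUNNEL_SUFFIXES):
                findings.append((pid, "tunnel_c2", f"{ev['dest_host']}:{ev['dest_port']}"))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\700c7757b81e5e615b8cab09008c08f6.exe"
DROPPED = r"C:\Windows\svchost.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\26aadf41889f3fdf4dc721be5700b93a.exe"

# Constructed records mirroring the report's process tree, plus two benign controls at the end.
EVENTS: List[Dict[str, str]] = [
    {"type": "process_create", "pid": "1912", "image": SAMPLE, "parent_image": r"C:\Windows\explorer.exe", "cmdline": f'"{SAMPLE}"'},
    {"type": "file_create", "pid": "1912", "target": DROPPED},
    {"type": "process_create", "pid": "848", "image": DROPPED, "parent_image": SAMPLE, "cmdline": f'"{DROPPED}" ..'},
    {"type": "file_create", "pid": "848", "target": STARTUP},
    {"type": "registry_set", "pid": "848", "key": r"HKU\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\26aadf41889f3fdf4dc721be5700b93a", "data": f'"{DROPPED}" ..'},
    {"type": "registry_set", "pid": "848", "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\26aadf41889f3fdf4dc721be5700b93a", "data": f'"{DROPPED}" ..'},
    {"type": "process_create", "pid": "1824", "image": r"C:\Windows\SysWOW64\netsh.exe", "parent_image": DROPPED, "cmdline": f'netsh firewall add allowedprogram "{DROPPED}" "svchost.exe" ENABLE'},
    {"type": "network", "pid": "848", "dest_host": "6.tcp.ngrok.io", "dest_port": "19025"},
    {"type": "process_create", "pid": "640", "image": r"C:\Windows\System32\svchost.exe", "parent_image": r"C:\Windows\System32\services.exe", "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"type": "registry_set", "pid": "1400", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth", "data": r"%windir%\system32\SecurityHealthSystray.exe"},
]


def flagged_pids(findings: List[Finding]) -> set:
    """Distinct PIDs that triggered at least one rule."""
    return {pid for pid, _, _ in findings}


if __name__ == "__main__":
    for pid, rule, detail in analyze(EVENTS):
        print(f"PID {pid:>5}  {rule:<19} {detail}")
```

Run stand-alone it prints eight findings for PIDs 1912, 848 and 1824 and nothing for the two control records. The masquerade check keys on directory, not on the file name alone, which is what separates the dropped copy from the real service host; the Run-value rule reuses the same check on the quoted image path so an ordinary vendor Run entry does not fire.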
Downloads

C:\Windows\svchost.exe
  MD5: 700c7757b81e5e615b8cab09008c08f6
  SHA1: 5e15027312cacc8c390659ca7cfc7d2f49c12b19
  SHA256: 99965cf49e14830c3080cfc35132770063cb19836ef2eb7c5dbe121eb889ca25
  SHA512: 756d3871e8437540aecac87ccd3039f10ceda2a74bc7cb88b545a888da93cc6684b355035011ec98fcdcd7278134d527ee303c70526fc66d7271ad4e28441ff6
  The hashes are identical to the submitted sample: the dropper copies itself unchanged to C:\Windows\svchost.exe, so the original file hashes are valid indicators for the installed copy as well.
Memory dumps
memory/848-57-0x0000000000000000-mapping.dmp
memory/848-61-0x0000000002030000-0x0000000002031000-memory.dmp (4KB)
memory/1824-62-0x0000000000000000-mapping.dmp
memory/1912-55-0x0000000075191000-0x0000000075193000-memory.dmp (8KB)
memory/1912-56-0x0000000000A50000-0x0000000000A51000-memory.dmp (4KB)