Analysis

max time kernel: 151s
max time network: 151s
platform: windows10_x64
resource: win10-en-20211104
submitted: 07-11-2021 22:36
Static task: static1
Behavioral task: behavioral1
  Sample: 700c7757b81e5e615b8cab09008c08f6.exe
  Resource: win7-en-20211014
Behavioral task: behavioral2
  Sample: 700c7757b81e5e615b8cab09008c08f6.exe
  Resource: win10-en-20211104
General

Target: 700c7757b81e5e615b8cab09008c08f6.exe
Size: 37KB
MD5: 700c7757b81e5e615b8cab09008c08f6
SHA1: 5e15027312cacc8c390659ca7cfc7d2f49c12b19
SHA256: 99965cf49e14830c3080cfc35132770063cb19836ef2eb7c5dbe121eb889ca25
SHA512: 756d3871e8437540aecac87ccd3039f10ceda2a74bc7cb88b545a888da93cc6684b355035011ec98fcdcd7278134d527ee303c70526fc66d7271ad4e28441ff6
Malware Config

Extracted family: njrat
im523 (campaign/botnet ID; the report lists this value without a label)
svchost.exe (install name, matching the drop to C:\Windows\svchost.exe recorded below)
C2: 6.tcp.ngrok.io:19025
26aadf41889f3fdf4dc721be5700b93a (identifier reused as the Run value name and the Startup-folder file name below)
reg_key: 26aadf41889f3fdf4dc721be5700b93a
splitter: |'|'|

The C2 endpoint is an ngrok TCP tunnel: the resolved IP belongs to ngrok's shared infrastructure and the tunnel can be re-created at will, so the ngrok hostname and the splitter string are the stable indicators, not the address.
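How the extracted fields are consumed, as an added example that is not part of the sandbox report or of njRAT's own code. It assumes, as stated in the script and not on this page, njRAT's usual framing of a decimal length, a NUL byte and a splitter-joined payload; the beacon it parses is constructed from the report's campaign ID and reg_key with placeholder host and user names, not captured traffic.

```python
"""Added example, not part of the sandbox report: how the extracted njRAT
configuration fields are consumed, shown on a constructed beacon.

Assumed here, not stated on the page: njRAT frames each TCP message as the
decimal byte length of the payload, a NUL byte, then the payload, and the
payload is a command token followed by fields joined with the configured
splitter. SAMPLE below is built by this script from the report's campaign id
and reg_key with placeholder host/user fields; it is not captured traffic."""

import re

# Values as extracted by the sandbox (from the report). The labels are the
# usual njRAT meanings; the report lists the first values unlabeled.
CONFIG = {
    "family": "njrat",
    "campaign_id": "im523",
    "install_name": "svchost.exe",
    "c2": "6.tcp.ngrok.io:19025",
    "reg_key": "26aadf41889f3fdf4dc721be5700b93a",
    "splitter": "|'|'|",
}

LENGTH_PREFIX = re.compile(rb"^(\d+)\x00")


def split_c2(c2: str) -> tuple:
    """'host:port' -> (host, port). The host is an ngrok TCP tunnel, so the
    hostname, not the resolved IP, is the stable indicator."""
    host, _, port = c2.rpartition(":")
    return host, int(port)


def build_frame(command: str, fields: list, splitter: str) -> bytes:
    """Encode one frame: '<len>\\x00' + command + splitter-joined fields."""
    body = splitter.join([command, *fields]).encode("utf-8")
    return str(len(body)).encode("ascii") + b"\x00" + body


def parse_frame(data: bytes, splitter: str) -> tuple:
    """Return (command, fields, remaining_bytes) for the first frame in data.
    Raises ValueError for a missing length prefix or a truncated body."""
    m = LENGTH_PREFIX.match(data)
    if not m:
        raise ValueError("no length prefix")
    length, start = int(m.group(1)), m.end()
    body = data[start:start + length]
    if len(body) < length:
        raise ValueError("truncated frame")
    parts = body.decode("utf-8", errors="replace").split(splitter)
    return parts[0], parts[1:], data[start + length:]


def matches_config(data: bytes, config: dict = CONFIG) -> bool:
    """True when a frame splits cleanly on this config's splitter and carries
    its campaign id: the content check a network sensor would apply."""
    try:
        _, fields, _ = parse_frame(data, config["splitter"])
    except ValueError:
        return False
    return config["campaign_id"] in fields


# Constructed registration-style beacon. The command token and field order
# are illustrative; host and user names are placeholders.
SAMPLE = build_frame(
    "ll",
    ["HOST-EXAMPLE", "Admin", CONFIG["campaign_id"], CONFIG["reg_key"]],
    CONFIG["splitter"],
)
```

The length prefix matters for a sensor: splitting a raw TCP stream on the splitter alone will misfire when two frames arrive in one segment or one frame is split across two, which is why parse_frame returns the unconsumed remainder and rejects a short body instead of guessing.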
Signatures

Executes dropped EXE (1 IoC)
  Process: svchost.exe (PID 4028)

Modifies Windows Firewall (1 TTP)
  netsh.exe (PID 4092), spawned by svchost.exe (PID 4028), adds C:\Windows\svchost.exe to the firewall allow list (command line in the process tree). The legacy "netsh firewall" context is used; it is deprecated in favour of "netsh advfirewall" but still accepted on Windows 10, and a process outside System32 invoking it to whitelist itself is a reliable indicator on its own.

Drops startup file (2 IoCs)
  Process: svchost.exe (PID 4028)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\26aadf41889f3fdf4dc721be5700b93a.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\26aadf41889f3fdf4dc721be5700b93a.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: svchost.exe (PID 4028)
  Set value (str): \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\26aadf41889f3fdf4dc721be5700b93a = "\"C:\\Windows\\svchost.exe\" .."
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\26aadf41889f3fdf4dc721be5700b93a = "\"C:\\Windows\\svchost.exe\" .."
  Both the per-user and the machine-wide Run key are written; the WOW6432Node path shows the sample runs as a 32-bit process on 64-bit Windows. The trailing " .." argument is the form njRAT uses for its persistence value and is a useful registry-level indicator.

Drops file in Windows directory (3 IoCs)
  File created: C:\Windows\svchost.exe by 700c7757b81e5e615b8cab09008c08f6.exe (PID 4268)
  File opened for modification: C:\Windows\svchost.exe by 700c7757b81e5e615b8cab09008c08f6.exe (PID 4268)
  File opened for modification: C:\Windows\svchost.exe by svchost.exe (PID 4028)
  Note the location: the legitimate service host lives in C:\Windows\System32 (and SysWOW64), never directly in C:\Windows.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature adds "likely ransomware behaviour"; for njRAT the drive enumeration is better explained by its file-manager and removable-drive spreading features, and nothing else in this report (no mass file writes, no ransom note) supports ransomware.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Process: svchost.exe (PID 4028), 64 occurrences

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: svchost.exe (PID 4028). Repeated GetForegroundWindow calls are consistent with active-window tracking by a keylogger.

Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Process: svchost.exe (PID 4028)
  Token: SeDebugPrivilege once, followed by 17 alternating pairs of Token: 33 (reported by numeric LUID only) and Token: SeIncBasePriorityPrivilege. SeDebugPrivilege is the one to watch: it is what a process requests before opening other processes.

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4268 (700c7757b81e5e615b8cab09008c08f6.exe) wrote to memory of PID 4028 (svchost.exe), 3 times
  PID 4028 (svchost.exe) wrote to memory of PID 4092 (netsh.exe), 3 times
  Three parent-to-child writes immediately after process creation are routinely reported by this sandbox for ordinary process spawning, so on their own they are not evidence of injection; the significant part is who spawns whom.
Processes

1. C:\Users\Admin\AppData\Local\Temp\700c7757b81e5e615b8cab09008c08f6.exe (PID 4268)
   Command line: "C:\Users\Admin\AppData\Local\Temp\700c7757b81e5e615b8cab09008c08f6.exe"
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\svchost.exe (PID 4028, dropped copy of the sample)
      Command line: "C:\Windows\svchost.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe (PID 4092)
         Command line: netsh firewall add allowedprogram "C:\Windows\svchost.exe" "svchost.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Windows\svchost.exe (dropped file; listed twice in the original report with identical hashes)
  MD5: 700c7757b81e5e615b8cab09008c08f6
  SHA1: 5e15027312cacc8c390659ca7cfc7d2f49c12b19
  SHA256: 99965cf49e14830c3080cfc35132770063cb19836ef2eb7c5dbe121eb889ca25
  SHA512: 756d3871e8437540aecac87ccd3039f10ceda2a74bc7cb88b545a888da93cc6684b355035011ec98fcdcd7278134d527ee303c70526fc66d7271ad4e28441ff6
  These hashes are identical to the submitted sample's: the dropper copies itself byte-for-byte into C:\Windows rather than unpacking a second-stage payload, so one hash covers both the original and the installed copy.

Memory dumps
  memory/4028-119-0x0000000000000000-mapping.dmp
  memory/4028-122-0x0000000002A01000-0x0000000002A02000-memory.dmp (4KB)
  memory/4092-123-0x0000000000000000-mapping.dmp
  memory/4268-118-0x0000000002F80000-0x0000000002F81000-memory.dmp (4KB)