Analysis
- max time kernel: 151s
- max time network: 151s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 17-11-2021 21:22
Behavioral task: behavioral1
  Sample: 9DEDCFFA477C50EED62E213C99D750E678598AC9E0DD7.exe
  Resource: win7-en-20211104
Behavioral task: behavioral2
  Sample: 9DEDCFFA477C50EED62E213C99D750E678598AC9E0DD7.exe
  Resource: win10-en-20211104
General
- Target: 9DEDCFFA477C50EED62E213C99D750E678598AC9E0DD7.exe
- Size: 37KB
- MD5: 150764abf9037c90cbe8408e1996662a
- SHA1: 6b6b6b238542cd1de0d971ee88a0fa07663940f4
- SHA256: 9dedcffa477c50eed62e213c99d750e678598ac9e0dd774e5892d25c58269b23
- SHA512: f4c9f1c36ebc88075ffa6befcbdcf41fc567347eadd1550e5555707d926071e6691827a7ad6edf5db71ec2a7925e957950d8faaa83e0cea868014a9bb1934959
Malware Config
Extracted
- Family: njrat
- Version: im523
- Botnet: HacKed
- C2: 2.tcp.ngrok.io:11771
- Mutex: bb28dda136516948b0f50a690d5a161e
- reg_key: bb28dda136516948b0f50a690d5a161e
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Process: svhost.exe (PID 2124)
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bb28dda136516948b0f50a690d5a161e.exe (by svhost.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bb28dda136516948b0f50a690d5a161e.exe (by svhost.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\bb28dda136516948b0f50a690d5a161e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost.exe\" .." (by svhost.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bb28dda136516948b0f50a690d5a161e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost.exe\" .." (by svhost.exe)
- Drops autorun.inf file (1 TTP)
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoC)
  Process: taskkill.exe (PID 1452)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Process: svhost.exe (PID 2124), 64 events
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: svhost.exe (PID 2124)
- Suspicious use of AdjustPrivilegeToken (34 IoCs)
  Token: SeDebugPrivilege, svhost.exe (PID 2124)
  Token: SeDebugPrivilege, taskkill.exe (PID 1452)
  Token: 33, svhost.exe (PID 2124), 16 events, each followed by
  Token: SeIncBasePriorityPrivilege, svhost.exe (PID 2124), 16 events
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2336 (9DEDCFFA477C50EED62E213C99D750E678598AC9E0DD7.exe) wrote to memory of PID 2124 (svhost.exe), 3 events
  PID 2124 (svhost.exe) wrote to memory of PID 2028 (netsh.exe), 3 events
  PID 2124 (svhost.exe) wrote to memory of PID 1452 (taskkill.exe), 3 events
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\9DEDCFFA477C50EED62E213C99D750E678598AC9E0DD7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9DEDCFFA477C50EED62E213C99D750E678598AC9E0DD7.exe"
  Signatures:
    - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\svhost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    Signatures:
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svhost.exe" "svhost.exe" ENABLE
    - [depth 3] C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /IM javaw.exe
      Signatures:
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  MD5: 150764abf9037c90cbe8408e1996662a
  SHA1: 6b6b6b238542cd1de0d971ee88a0fa07663940f4
  SHA256: 9dedcffa477c50eed62e213c99d750e678598ac9e0dd774e5892d25c58269b23
  SHA512: f4c9f1c36ebc88075ffa6befcbdcf41fc567347eadd1550e5555707d926071e6691827a7ad6edf5db71ec2a7925e957950d8faaa83e0cea868014a9bb1934959
- memory/1452-124-0x0000000000000000-mapping.dmp
- memory/2028-123-0x0000000000000000-mapping.dmp
- memory/2124-119-0x0000000000000000-mapping.dmp
- memory/2124-122-0x0000000000E00000-0x0000000000F4A000-memory.dmp (filesize 1.3MB)
- memory/2336-118-0x0000000002830000-0x0000000002831000-memory.dmp (filesize 4KB)