Analysis
- max time kernel: 153s
- max time network: 151s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 13-12-2021 16:48
Behavioral task: behavioral1
- Sample: 1c41af81f1c37f70962c835596703b46.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 1c41af81f1c37f70962c835596703b46.exe
- Resource: win10-en-20211208
General
- Target: 1c41af81f1c37f70962c835596703b46.exe
- Size: 37KB
- MD5: 1c41af81f1c37f70962c835596703b46
- SHA1: 451d21755ead253c6e91adb92064ae6505366a6e
- SHA256: 03447599c5357fc3645a073317f6ff86c672af2d227bf82cdfb7f9b1629eb434
- SHA512: 1c175674e95b8dc69b6c707e396eaac145ead9b16517a81fdbaafb59f4239ceed122396c30125ccea04c98dfd4f54944d4db334439e70f74671ed28fae14bc0a
Malware Config
Extracted
- Family: njrat
- Version: im523
- Campaign: HacKed
- C2: 37.1.222.208:9643
- 885ef95df6ef592d281bfb6e79c33830 (same value as the reg_key attribute below)
- reg_key: 885ef95df6ef592d281bfb6e79c33830
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes: svhost.exe (PID 528)
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Processes: svhost.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\885ef95df6ef592d281bfb6e79c33830.exe
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\885ef95df6ef592d281bfb6e79c33830.exe
- Loads dropped DLL (1 IoC)
  Processes: 1c41af81f1c37f70962c835596703b46.exe (PID 1448)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: svhost.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\885ef95df6ef592d281bfb6e79c33830 = "\"C:\\Users\\Admin\\svhost.exe\" .."
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\885ef95df6ef592d281bfb6e79c33830 = "\"C:\\Users\\Admin\\svhost.exe\" .."
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: svhost.exe (PID 528), 64 events
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: svhost.exe (PID 528)
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes: svhost.exe (PID 528)
  - Token: SeDebugPrivilege (once), then alternating Token: 33 and Token: SeIncBasePriorityPrivilege (16 pairs, 33 token events in total)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 1c41af81f1c37f70962c835596703b46.exe, svhost.exe
  - PID 1448 (1c41af81f1c37f70962c835596703b46.exe) wrote to memory of PID 528 (svhost.exe), 4 events
  - PID 528 (svhost.exe) wrote to memory of PID 1984 (netsh.exe), 4 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\1c41af81f1c37f70962c835596703b46.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1c41af81f1c37f70962c835596703b46.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\svhost.exe (child of 1)
      Command line: "C:\Users\Admin\svhost.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (child of 2)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\svhost.exe" "svhost.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\svhost.exe (recorded three times, once under the path \Users\Admin\svhost.exe; all three records carry the same hashes, which match the submitted sample)
  MD5: 1c41af81f1c37f70962c835596703b46
  SHA1: 451d21755ead253c6e91adb92064ae6505366a6e
  SHA256: 03447599c5357fc3645a073317f6ff86c672af2d227bf82cdfb7f9b1629eb434
  SHA512: 1c175674e95b8dc69b6c707e396eaac145ead9b16517a81fdbaafb59f4239ceed122396c30125ccea04c98dfd4f54944d4db334439e70f74671ed28fae14bc0a
- memory/528-57-0x0000000000000000-mapping.dmp
- memory/528-61-0x00000000020E0000-0x00000000020E1000-memory.dmp (Filesize: 4KB)
- memory/1448-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp (Filesize: 8KB)
- memory/1448-55-0x00000000004D0000-0x00000000004D1000-memory.dmp (Filesize: 4KB)
- memory/1984-62-0x0000000000000000-mapping.dmp