Analysis
- max time kernel: 153s
- max time network: 155s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 13-12-2021 16:48

Behavioral task behavioral1
- Sample: cebac35d906c33acfc7cdc600947a698.exe
- Resource: win7-en-20211208

Behavioral task behavioral2
- Sample: cebac35d906c33acfc7cdc600947a698.exe
- Resource: win10-en-20211208

General
- Target: cebac35d906c33acfc7cdc600947a698.exe
- Size: 37KB
- MD5: cebac35d906c33acfc7cdc600947a698
- SHA1: 4ce8583cdc3dbbd77f6a9b5d9b97e06ca924e0aa
- SHA256: d8b1f0b39fd78111c2ed94874f825c9d7bac3f9030ba7e32785a2d850675711b
- SHA512: 0a15ff5f66fd6166a282a9e9955ddcd4a61e9973651d191f2c33324af47de0dc60f87b9ec01d6586a81c06e9d427ee243e26fa43c05b0fc27af1b66fcc693a49
Malware Config
Extracted
- Family: njrat
- Version: im523
- Botnet: HacKed
- C2: 37.1.222.208:5654
- Mutex: b81bff9c53a9dd51dda35cedf504c018
- Attributes:
  - reg_key: b81bff9c53a9dd51dda35cedf504c018
  - splitter: |'|'|
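The extracted splitter is what makes C2 traffic for this sample readable. The parser below is an added example, not sandbox or njRAT code: it reassembles a TCP stream into frames and splits each frame into fields using the splitter from the config. The framing it assumes (ASCII decimal payload length, a NUL byte, then the splitter-delimited payload) is the one described in public njRAT write-ups rather than something this report shows; the sample stream, its field contents and the `build_frame` helper are constructed for the example.

```python
SPLITTER = "|'|'|"  # splitter value from the extracted config above


def build_frame(fields, splitter=SPLITTER):
    """Encode one frame: ASCII decimal payload length, NUL, then the fields
    joined by the splitter.  Assumed framing (public njRAT write-ups), used
    here only to construct test data."""
    payload = splitter.join(fields).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_frames(buf, splitter=SPLITTER):
    """Split a raw TCP stream into frames.

    Returns (frames, leftover): frames is a list of field lists, leftover is
    any trailing bytes that do not yet form a complete frame, so the caller
    can append the next TCP segment and call again.
    """
    frames = []
    pos = 0
    while pos < len(buf):
        nul = buf.find(b"\x00", pos)
        if nul == -1:
            break                       # length prefix not terminated yet
        length_field = buf[pos:nul]
        if not length_field.isdigit():
            raise ValueError(f"bad length prefix at offset {pos}: {length_field!r}")
        start = nul + 1
        end = start + int(length_field)
        if end > len(buf):
            break                       # partial frame, wait for more data
        payload = buf[start:end].decode("utf-8", errors="replace")
        frames.append(payload.split(splitter))
        pos = end
    return frames, buf[pos:]


def summarize(buf, splitter=SPLITTER):
    """Command token (first field) and field count for each complete frame."""
    frames, leftover = parse_frames(buf, splitter)
    return [(f[0], len(f)) for f in frames], leftover


# Constructed sample stream: two complete frames followed by a partial one.
# Field contents are illustrative placeholders, not captured traffic.
SAMPLE_STREAM = (
    build_frame(["ll", "HacKed_HWID-PLACEHOLDER", "DESKTOP-TEST", "Admin", "Win10"])
    + build_frame(["inf", "svhost.exe", "im523"])
    + b"5\x00ab"
)

if __name__ == "__main__":
    summary, rest = summarize(SAMPLE_STREAM)
    for cmd, n in summary:
        print(f"command={cmd} fields={n}")
    print(f"leftover bytes: {rest!r}")
```

Feed it the reassembled payload of the 37.1.222.208:5654 connection (for example from a pcap follow-stream export) and keep the leftover between calls; a frame whose length prefix is not numeric is a sign the stream was cut mid-frame or is not this protocol.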
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 2020 svhost.exe
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Processes (svhost.exe):
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b81bff9c53a9dd51dda35cedf504c018.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b81bff9c53a9dd51dda35cedf504c018.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (svhost.exe):
  - Set value (str) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\b81bff9c53a9dd51dda35cedf504c018 = "\"C:\\Users\\Admin\\svhost.exe\" .."
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b81bff9c53a9dd51dda35cedf504c018 = "\"C:\\Users\\Admin\\svhost.exe\" .."
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; for an njRAT sample it is more consistent with the family's removable-drive spreading routine than with file encryption, and no file-encryption activity appears elsewhere in this report.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: PID 2020 svhost.exe (all 64 hits)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: PID 2020 svhost.exe
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes (svhost.exe, PID 2020): Token: SeDebugPrivilege once, followed by alternating Token: 33 and Token: SeIncBasePriorityPrivilege entries (32 in total, 16 of each)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  - PID 3420 cebac35d906c33acfc7cdc600947a698.exe wrote to memory of PID 2020 svhost.exe (3 events)
  - PID 2020 svhost.exe wrote to memory of PID 4188 netsh.exe (3 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\cebac35d906c33acfc7cdc600947a698.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cebac35d906c33acfc7cdc600947a698.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\svhost.exe (depth 2)
    Command line: "C:\Users\Admin\svhost.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\svhost.exe" "svhost.exe" ENABLE
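The process tree and the signatures above give a compact persistence chain to detect on endpoints: a Run value (per-user and WOW6432Node machine-wide) named after a 32-hex-character token, a Startup-folder EXE carrying the same token, an autorun pointing at an EXE dropped straight into the profile root, and a `netsh firewall add allowedprogram` for a path under C:\Users. The code below is an added example, not sandbox code: it runs those checks over constructed Sysmon-style event records modelled on this report's IoCs (plus two benign records), and correlates findings that share one token. The event field names (event, pid, image, target, details, cmdline) are my own simplification of such telemetry, and the rule names are mine.

```python
import re

# Patterns modelled on the IoCs in this report.  Event field names (event, pid,
# image, target, details, cmdline) are my own simplification of Sysmon-style
# telemetry, not a sandbox or Sysmon schema.
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)
RUN_VALUE = re.compile(
    r"\\Software\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
STARTUP_EXE = re.compile(r"\\Start Menu\\Programs\\Startup\\([^\\]+)\.exe$", re.I)
PROFILE_ROOT_EXE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\[^\\]+\.exe$", re.I)
IMAGE_IN_VALUE = re.compile(r'^"?([A-Za-z]:\\[^"]+?\.exe)"?', re.I)
NETSH_ALLOW = re.compile(
    r'netsh\s+firewall\s+add\s+allowedprogram\s+(?:"([^"]+)"|(\S+))', re.I)


def analyse(events):
    """Return (rule, pid, detail) findings for the njRAT-style persistence chain."""
    findings = []
    for ev in events:
        kind = ev["event"]
        if kind == "registry_set":
            m = RUN_VALUE.search(ev["target"])
            if not m:
                continue
            name = m.group(1)
            img = IMAGE_IN_VALUE.match(ev.get("details", ""))
            image = img.group(1) if img else ""
            if HEX32.match(name):
                # Run value named after a 32-hex token (njRAT reuses its mutex/reg_key)
                findings.append(("run_key_hex_name", ev["pid"], name.lower()))
            elif PROFILE_ROOT_EXE.match(image):
                # autorun pointing at an EXE dropped directly in the profile root
                findings.append(("run_key_profile_root", ev["pid"], image))
        elif kind == "file_create":
            m = STARTUP_EXE.search(ev["target"])
            if m and HEX32.match(m.group(1)):
                findings.append(("startup_hex_exe", ev["pid"], m.group(1).lower()))
        elif kind == "process_create":
            m = NETSH_ALLOW.search(ev.get("cmdline", ""))
            if m:
                path = m.group(1) or m.group(2)
                if path.lower().startswith("c:\\users\\"):
                    findings.append(("netsh_allowedprogram_userpath", ev["pid"], path))
    return findings


def linked_tokens(findings):
    """32-hex tokens that tie two or more different rules together."""
    by_token = {}
    for rule, _pid, detail in findings:
        if HEX32.match(detail):
            by_token.setdefault(detail, set()).add(rule)
    return {tok for tok, rules in by_token.items() if len(rules) >= 2}


# Constructed events modelled on this report; the last two are benign noise.
EVENTS = [
    {"event": "registry_set", "pid": 2020, "image": "svhost.exe",
     "target": r"\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\b81bff9c53a9dd51dda35cedf504c018",
     "details": r'"C:\Users\Admin\svhost.exe" ..'},
    {"event": "registry_set", "pid": 2020, "image": "svhost.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b81bff9c53a9dd51dda35cedf504c018",
     "details": r'"C:\Users\Admin\svhost.exe" ..'},
    {"event": "file_create", "pid": 2020, "image": "svhost.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b81bff9c53a9dd51dda35cedf504c018.exe"},
    {"event": "process_create", "pid": 4188, "image": "netsh.exe", "parent_pid": 2020,
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\svhost.exe" "svhost.exe" ENABLE'},
    {"event": "registry_set", "pid": 5120, "image": "OneDriveSetup.exe",
     "target": r"\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"event": "file_create", "pid": 6001, "image": "explorer.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini"},
]

if __name__ == "__main__":
    found = analyse(EVENTS)
    for rule, pid, detail in found:
        print(f"{rule:32} pid={pid} {detail}")
    print("tokens linking several rules:", linked_tokens(found))
```

The hex-name rule fires on both Run values and the Startup drop, so `linked_tokens` returns the report's b81bff9c53a9dd51dda35cedf504c018, which is the same value the config extractor reports as mutex and reg_key; the OneDrive autorun and the desktop.ini write produce nothing. The profile-root rule is the fallback for builds that use a readable value name but still drop the binary in C:\Users\<user>\.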
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\svhost.exe
  MD5: cebac35d906c33acfc7cdc600947a698
  SHA1: 4ce8583cdc3dbbd77f6a9b5d9b97e06ca924e0aa
  SHA256: d8b1f0b39fd78111c2ed94874f825c9d7bac3f9030ba7e32785a2d850675711b
  SHA512: 0a15ff5f66fd6166a282a9e9955ddcd4a61e9973651d191f2c33324af47de0dc60f87b9ec01d6586a81c06e9d427ee243e26fa43c05b0fc27af1b66fcc693a49
  These hashes match the submitted sample exactly: the dropped svhost.exe is a byte-for-byte self-copy, so the file indicators in General cover both the original and the persisted copy.
- memory/2020-116-0x0000000000000000-mapping.dmp
- memory/2020-119-0x0000000002720000-0x0000000002721000-memory.dmp (Filesize 4KB)
- memory/3420-115-0x0000000001830000-0x0000000001831000-memory.dmp (Filesize 4KB)
- memory/4188-120-0x0000000000000000-mapping.dmp