Analysis
- max time kernel: 153s
- max time network: 131s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 20-12-2021 08:48
Behavioral task: behavioral1
- Sample: 756b5288c29c75f8a689cf1010ddbe25.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 756b5288c29c75f8a689cf1010ddbe25.exe
- Resource: win10-en-20211208
General
- Target: 756b5288c29c75f8a689cf1010ddbe25.exe
- Size: 37KB
- MD5: 756b5288c29c75f8a689cf1010ddbe25
- SHA1: 6b0f81673af9c4bb6dc6f7fd275679ebfa46a756
- SHA256: b166e1947e977864e55349d8358197927a7f7ee707ddf46acf027b7cf109bf98
- SHA512: a515d02bda13ea9b06287a5a73cf08aef0d9907a1800cede4f3e314597264475ceccaa3f4e3c0fe769aaef0ee6f52d1cf1dbb98a80a22a83cd0582159311df8e
Malware Config
Extracted
- Family: njrat
- Version: im523
- Botnet: pidor
- C2: 8.tcp.ngrok.io:12086:12086
- Mutex: 1b6ef007d35ce987ac4dec265faa179b
- reg_key: 1b6ef007d35ce987ac4dec265faa179b
- splitter: |'|'|
Signatures

Executes dropped EXE (1 IoC)
Processes:
- pid 4056 svchost.exe

Modifies Windows Firewall (1 TTP)

Drops startup file (2 IoCs)
Processes:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1b6ef007d35ce987ac4dec265faa179b.exe (svchost.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1b6ef007d35ce987ac4dec265faa179b.exe (svchost.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\1b6ef007d35ce987ac4dec265faa179b = "\"C:\\Windows\\svchost.exe\" .." (svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1b6ef007d35ce987ac4dec265faa179b = "\"C:\\Windows\\svchost.exe\" .." (svchost.exe)
Drops autorun.inf file (1 TTP)
Malware can abuse Windows Autorun to spread further via attached volumes.

Drops file in Windows directory (3 IoCs)
Processes:
- File opened for modification: C:\Windows\svchost.exe (svchost.exe)
- File created: C:\Windows\svchost.exe (756b5288c29c75f8a689cf1010ddbe25.exe)
- File opened for modification: C:\Windows\svchost.exe (756b5288c29c75f8a689cf1010ddbe25.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Kills process with taskkill (1 IoC)
Processes:
- pid 2528 taskkill.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
- pid 4056 svchost.exe (all 64 entries are this process)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
- pid 4056 svchost.exe

Suspicious use of AdjustPrivilegeToken (34 IoCs)
Processes:
- Token: SeDebugPrivilege, pid 4056 svchost.exe
- Token: SeDebugPrivilege, pid 2528 taskkill.exe
- Token: 33, pid 4056 svchost.exe, alternating with Token: SeIncBasePriorityPrivilege, pid 4056 svchost.exe (16 such pairs, 32 entries)

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
- PID 3440 (756b5288c29c75f8a689cf1010ddbe25.exe) wrote to memory of PID 4056 (svchost.exe), 3 entries
- PID 4056 (svchost.exe) wrote to memory of PID 4004 (netsh.exe), 3 entries
- PID 4056 (svchost.exe) wrote to memory of PID 2528 (taskkill.exe), 3 entries
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\756b5288c29c75f8a689cf1010ddbe25.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\756b5288c29c75f8a689cf1010ddbe25.exe"
  PID: 3440
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\svchost.exe
    Command line: "C:\Windows\svchost.exe"
    PID: 4056
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Windows\svchost.exe" "svchost.exe" ENABLE
      PID: 4004
    - [3] C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /IM Exsample.exe
      PID: 2528
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 756b5288c29c75f8a689cf1010ddbe25
- SHA1: 6b0f81673af9c4bb6dc6f7fd275679ebfa46a756
- SHA256: b166e1947e977864e55349d8358197927a7f7ee707ddf46acf027b7cf109bf98
- SHA512: a515d02bda13ea9b06287a5a73cf08aef0d9907a1800cede4f3e314597264475ceccaa3f4e3c0fe769aaef0ee6f52d1cf1dbb98a80a22a83cd0582159311df8e