Analysis
max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7-en-20211208
submitted: 21-12-2021 22:47
Behavioral task: behavioral1
Sample: 06eb3d1ff3e1ed7223cf3a1e4b67b591.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: 06eb3d1ff3e1ed7223cf3a1e4b67b591.exe
Resource: win10-en-20211208
General
Target: 06eb3d1ff3e1ed7223cf3a1e4b67b591.exe
Size: 103KB
MD5: 06eb3d1ff3e1ed7223cf3a1e4b67b591
SHA1: dfd5887967a146fee1443b168c5b3a4392a525b0
SHA256: a64f19b56502ea2f64a13ef798bf7f096e45914f047d3565a5f21ca5125c0166
SHA512: 96a33f1f46a3638d6252fd79f8848c1a7f89b8ca68ee4b242096edec6005e9203c4a3203731b7ccf11b1d537c1049a7845d959e7707d2add48fa33cece0b563d
Malware Config
Extracted
njrat
im523
da
0.tcp.ngrok.io:12926
8b37807561dd66634f141ff74bcb62fb
reg_key: 8b37807561dd66634f141ff74bcb62fb
splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes: svhost.exe, PID 324
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Processes: svhost.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8b37807561dd66634f141ff74bcb62fb.exe (svhost.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8b37807561dd66634f141ff74bcb62fb.exe (svhost.exe)
- Loads dropped DLL (1 IoC)
  Processes: 06eb3d1ff3e1ed7223cf3a1e4b67b591.exe, PID 1108
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: svhost.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\8b37807561dd66634f141ff74bcb62fb = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost.exe\" .." (svhost.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\8b37807561dd66634f141ff74bcb62fb = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost.exe\" .." (svhost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: svhost.exe, PID 324 (64 events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: svhost.exe, PID 324
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes: svhost.exe, PID 324
  Token: SeDebugPrivilege once, followed by alternating Token: 33 and Token: SeIncBasePriorityPrivilege (35 events in total)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1108 (06eb3d1ff3e1ed7223cf3a1e4b67b591.exe) wrote to memory of PID 324 (svhost.exe): 4 events
  PID 324 (svhost.exe) wrote to memory of PID 1384 (netsh.exe): 4 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\06eb3d1ff3e1ed7223cf3a1e4b67b591.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\06eb3d1ff3e1ed7223cf3a1e4b67b591.exe"
   PID: 1108
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\svhost.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      PID: 324
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svhost.exe" "svhost.exe" ENABLE
         PID: 1384
Network
MITRE ATT&CK Enterprise v6