Analysis
- max time kernel: 151s
- max time network: 142s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 15-04-2022 00:47
Static task: static1
Behavioral task: behavioral1
- Sample: 1400ae6d8a0b2541840bf42af5f697e6a544a1574c75d23faab4cd92137e0034.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 1400ae6d8a0b2541840bf42af5f697e6a544a1574c75d23faab4cd92137e0034.exe
- Resource: win10v2004-20220414-en
General
- Target: 1400ae6d8a0b2541840bf42af5f697e6a544a1574c75d23faab4cd92137e0034.exe
- Size: 32KB
- MD5: 5f1f482c1244682a829e224aa40e6de3
- SHA1: 69d8bf75600c47ca57b2fd89d21d27c2c58365ad
- SHA256: 1400ae6d8a0b2541840bf42af5f697e6a544a1574c75d23faab4cd92137e0034
- SHA512: c2a4ea72edc7f15a1d613cc08f2eee8b343ceae48021c8edccaa79a52f06502c0dad55410d4e92a6592b5fbd2a1b7d9c7f7af480ab0b6f26ee15422b0cdd9738
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: Zombie
- C2: 112.166.177.15:1
- Mutex: b7df430e3057c59320a80e9e06fb22b0
- reg_key: b7df430e3057c59320a80e9e06fb22b0
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid / process):
    1140 svchost.exe
- Modifies Windows Firewall (1 TTPs)
- Loads dropped DLL (1 IoCs)
  Processes (pid / process):
    1380 1400ae6d8a0b2541840bf42af5f697e6a544a1574c75d23faab4cd92137e0034.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
    Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\b7df430e3057c59320a80e9e06fb22b0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .." (svchost.exe)
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\b7df430e3057c59320a80e9e06fb22b0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .." (svchost.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege             1140 svchost.exe
    Token: 33                           1140 svchost.exe  (9 times, alternating with the next entry)
    Token: SeIncBasePriorityPrivilege   1140 svchost.exe  (9 times)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description / pid / process / target process):
    PID 1380 wrote to memory of 1140   1380 1400ae6d8a0b2541840bf42af5f697e6a544a1574c75d23faab4cd92137e0034.exe -> svchost.exe  (4 times)
    PID 1140 wrote to memory of 1952   1140 svchost.exe -> netsh.exe  (4 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\1400ae6d8a0b2541840bf42af5f697e6a544a1574c75d23faab4cd92137e0034.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1400ae6d8a0b2541840bf42af5f697e6a544a1574c75d23faab4cd92137e0034.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 32KB
  MD5: 5f1f482c1244682a829e224aa40e6de3
  SHA1: 69d8bf75600c47ca57b2fd89d21d27c2c58365ad
  SHA256: 1400ae6d8a0b2541840bf42af5f697e6a544a1574c75d23faab4cd92137e0034
  SHA512: c2a4ea72edc7f15a1d613cc08f2eee8b343ceae48021c8edccaa79a52f06502c0dad55410d4e92a6592b5fbd2a1b7d9c7f7af480ab0b6f26ee15422b0cdd9738
- \Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 32KB
  MD5: 5f1f482c1244682a829e224aa40e6de3
  SHA1: 69d8bf75600c47ca57b2fd89d21d27c2c58365ad
  SHA256: 1400ae6d8a0b2541840bf42af5f697e6a544a1574c75d23faab4cd92137e0034
  SHA512: c2a4ea72edc7f15a1d613cc08f2eee8b343ceae48021c8edccaa79a52f06502c0dad55410d4e92a6592b5fbd2a1b7d9c7f7af480ab0b6f26ee15422b0cdd9738
- memory/1140-58-0x0000000000000000-mapping.dmp
- memory/1140-61-0x0000000000110000-0x000000000011E000-memory.dmp
  Filesize: 56KB
- memory/1380-54-0x0000000000AA0000-0x0000000000AAE000-memory.dmp
  Filesize: 56KB
- memory/1380-55-0x0000000075871000-0x0000000075873000-memory.dmp
  Filesize: 8KB
- memory/1380-56-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB
- memory/1952-63-0x0000000000000000-mapping.dmp