Analysis
- max time kernel: 152s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 02-05-2022 18:30
Static task: static1
Behavioral task: behavioral1
  Sample: 4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe
  Resource: win10v2004-20220414-en
General
- Target: 4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe
- Size: 76KB
- MD5: 6ba4110a57c59dcbb40834a764696180
- SHA1: 8df62aafd0105f9bdf0b57caa4548ca8e9576b5b
- SHA256: 4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d
- SHA512: d17035cfab6572e61a3ebb1b2938ee025ae9302d1943efd72d437db8f56cfb28ebcb8e53e283a311da6d959f1b57daf94e8314bc742b3d53890effca8ddfe95e
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: Youtube
- C2: 194.33.45.46:4785
- Mutex: 7cd689923ff88e7744796cbd311fd268
Attributes
- reg_key: 7cd689923ff88e7744796cbd311fd268
- splitter: |'|'|
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    pid 2188 svchost.exe
    pid 216 svchost.exe
- Modifies Windows Firewall (1 TTPs)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation (process: 4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe)
- Drops startup file (2 IoCs)
  Processes:
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7cd689923ff88e7744796cbd311fd268.exe (process: svchost.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7cd689923ff88e7744796cbd311fd268.exe (process: svchost.exe)
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes:
    Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\FiNYJrWaQB = "C:\\Users\\Admin\\AppData\\Roaming\\kYJMXmSfCe\\SiGzAXPnTd.exe" (process: 4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe)
    Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7cd689923ff88e7744796cbd311fd268 = "\"C:\\ProgramData\\svchost.exe\" .." (process: svchost.exe)
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7cd689923ff88e7744796cbd311fd268 = "\"C:\\ProgramData\\svchost.exe\" .." (process: svchost.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
    PID 4596 set thread context of 4392 (process: 4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe, target: 4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe)
    PID 2188 set thread context of 216 (process: svchost.exe, target: svchost.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes:
    Token: SeDebugPrivilege (pid 216, svchost.exe)
    Token: 33 (pid 216, svchost.exe) followed by Token: SeIncBasePriorityPrivilege (pid 216, svchost.exe), this pair repeated 16 times
- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes:
    PID 4596 wrote to memory of 4392 (process: 4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe, target: 4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe), 8 entries
    PID 4392 wrote to memory of 2188 (process: 4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe, target: svchost.exe), 3 entries
    PID 2188 wrote to memory of 216 (process: svchost.exe, target: svchost.exe), 8 entries
    PID 216 wrote to memory of 1244 (process: svchost.exe, target: netsh.exe), 3 entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe"
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      3. C:\ProgramData\svchost.exe
         Command line: "C:\ProgramData\svchost.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory
         4. C:\ProgramData\svchost.exe
            Command line: "C:\ProgramData\svchost.exe"
            - Executes dropped EXE
            - Drops startup file
            - Adds Run key to start application
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\netsh.exe
               Command line: netsh firewall add allowedprogram "C:\ProgramData\svchost.exe" "svchost.exe" ENABLE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\ProgramData\svchost.exe
  Filesize: 76KB
  MD5: 6ba4110a57c59dcbb40834a764696180
  SHA1: 8df62aafd0105f9bdf0b57caa4548ca8e9576b5b
  SHA256: 4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d
  SHA512: d17035cfab6572e61a3ebb1b2938ee025ae9302d1943efd72d437db8f56cfb28ebcb8e53e283a311da6d959f1b57daf94e8314bc742b3d53890effca8ddfe95e
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe.log
  Filesize: 418B
  MD5: 89c8a5340eb284f551067d44e27ae8dd
  SHA1: d2431ae25a1ab67762a5125574f046f4c951d297
  SHA256: 73ca1f27b1c153e3405856ebe8b3c6cdd23424d2ab09c0fe1eb0e2075513057b
  SHA512: b101ac2e008bd3cc6f97fedb97b8253fb07fed1c334629ecbebe0f4942ccc1070491cddc4daea521164543b6f97ba9b99d2be1c50cc5a013f04e697fea9dbdac
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log
  Filesize: 418B
  MD5: 89c8a5340eb284f551067d44e27ae8dd
  SHA1: d2431ae25a1ab67762a5125574f046f4c951d297
  SHA256: 73ca1f27b1c153e3405856ebe8b3c6cdd23424d2ab09c0fe1eb0e2075513057b
  SHA512: b101ac2e008bd3cc6f97fedb97b8253fb07fed1c334629ecbebe0f4942ccc1070491cddc4daea521164543b6f97ba9b99d2be1c50cc5a013f04e697fea9dbdac
- memory/216-139-0x0000000000000000-mapping.dmp
- memory/216-145-0x0000000005E50000-0x0000000005E5A000-memory.dmp
  Filesize: 40KB
- memory/216-144-0x0000000005EB0000-0x0000000005F42000-memory.dmp
  Filesize: 584KB
- memory/1244-143-0x0000000000000000-mapping.dmp
- memory/2188-136-0x0000000000000000-mapping.dmp
- memory/4392-134-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB
- memory/4392-133-0x0000000000000000-mapping.dmp
- memory/4596-130-0x00000000003E0000-0x00000000003F8000-memory.dmp
  Filesize: 96KB
- memory/4596-132-0x00000000053B0000-0x0000000005954000-memory.dmp
  Filesize: 5.6MB
- memory/4596-131-0x0000000004D30000-0x0000000004DCC000-memory.dmp
  Filesize: 624KB