Analysis
- max time kernel: 150s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 04:24
Behavioral task: behavioral1
- Sample: 8835ec76c748d7b3c28135d15c6d9b26028c06ca2daf6086a355f8ac1007a08e.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 8835ec76c748d7b3c28135d15c6d9b26028c06ca2daf6086a355f8ac1007a08e.exe
- Resource: win10v2004-20220414-en
General
- Target: 8835ec76c748d7b3c28135d15c6d9b26028c06ca2daf6086a355f8ac1007a08e.exe
- Size: 37KB
- MD5: 8bb066ff7083b2d7dff1b8a1bb47aaf7
- SHA1: de6c13af77a76a74f54943415efd1fced38a6cc7
- SHA256: 8835ec76c748d7b3c28135d15c6d9b26028c06ca2daf6086a355f8ac1007a08e
- SHA512: 9d326eaf23156eade7327e9a164eef1d774594bd8db9cdebb1ab4230b9321dc0b170b40c9b3bb5ba3268923ef2abf6a0700d0ebe0a8326779b67281b6db9a2aa
Malware Config
Extracted
- Family: njrat
- Version: im523
- Botnet: HacKed
- C2: antoniocometa.ddns.net:1604
- Mutex: bf2b934adc039f6f0c2d9ed3e3473fdf
- Attributes:
  - reg_key: bf2b934adc039f6f0c2d9ed3e3473fdf
  - splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes: svchost.exe, PID 1632
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Processes: svchost.exe
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf2b934adc039f6f0c2d9ed3e3473fdf.exe
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf2b934adc039f6f0c2d9ed3e3473fdf.exe
- Loads dropped DLL (1 IoC)
  Processes: 8835ec76c748d7b3c28135d15c6d9b26028c06ca2daf6086a355f8ac1007a08e.exe, PID 1972
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: svchost.exe
    Set value (str): \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\bf2b934adc039f6f0c2d9ed3e3473fdf = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .."
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bf2b934adc039f6f0c2d9ed3e3473fdf = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .."
- Drops autorun.inf file (1 TTP)
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoC)
  Processes: taskkill.exe, PID 864
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: svchost.exe, PID 1632 (64 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: svchost.exe, PID 1632
- Suspicious use of AdjustPrivilegeToken (22 IoCs)
  Processes: svchost.exe, taskkill.exe
    Token: SeDebugPrivilege, PID 1632, svchost.exe
    Token: SeDebugPrivilege, PID 864, taskkill.exe
    Token: 33, PID 1632, svchost.exe (10 entries, alternating with the next line)
    Token: SeIncBasePriorityPrivilege, PID 1632, svchost.exe (10 entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 8835ec76c748d7b3c28135d15c6d9b26028c06ca2daf6086a355f8ac1007a08e.exe, svchost.exe
    PID 1972 wrote to memory of 1632: 8835ec76c748d7b3c28135d15c6d9b26028c06ca2daf6086a355f8ac1007a08e.exe -> svchost.exe (4 entries)
    PID 1632 wrote to memory of 1308: svchost.exe -> netsh.exe (4 entries)
    PID 1632 wrote to memory of 864: svchost.exe -> taskkill.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\8835ec76c748d7b3c28135d15c6d9b26028c06ca2daf6086a355f8ac1007a08e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8835ec76c748d7b3c28135d15c6d9b26028c06ca2daf6086a355f8ac1007a08e.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\svchost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /IM discord.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 37KB
  MD5: 8bb066ff7083b2d7dff1b8a1bb47aaf7
  SHA1: de6c13af77a76a74f54943415efd1fced38a6cc7
  SHA256: 8835ec76c748d7b3c28135d15c6d9b26028c06ca2daf6086a355f8ac1007a08e
  SHA512: 9d326eaf23156eade7327e9a164eef1d774594bd8db9cdebb1ab4230b9321dc0b170b40c9b3bb5ba3268923ef2abf6a0700d0ebe0a8326779b67281b6db9a2aa
- \Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 37KB
  MD5: 8bb066ff7083b2d7dff1b8a1bb47aaf7
  SHA1: de6c13af77a76a74f54943415efd1fced38a6cc7
  SHA256: 8835ec76c748d7b3c28135d15c6d9b26028c06ca2daf6086a355f8ac1007a08e
  SHA512: 9d326eaf23156eade7327e9a164eef1d774594bd8db9cdebb1ab4230b9321dc0b170b40c9b3bb5ba3268923ef2abf6a0700d0ebe0a8326779b67281b6db9a2aa
- memory/864-63-0x0000000000000000-mapping.dmp
- memory/1308-62-0x0000000000000000-mapping.dmp
- memory/1632-57-0x0000000000000000-mapping.dmp
- memory/1632-61-0x0000000074BF0000-0x000000007519B000-memory.dmp
  Filesize: 5.7MB
- memory/1972-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp
  Filesize: 8KB
- memory/1972-55-0x0000000074BF0000-0x000000007519B000-memory.dmp
  Filesize: 5.7MB