Analysis
max time kernel: 157s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 20-05-2022 04:24
Behavioral task: behavioral1
Sample: 8835ec76c748d7b3c28135d15c6d9b26028c06ca2daf6086a355f8ac1007a08e.exe
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: 8835ec76c748d7b3c28135d15c6d9b26028c06ca2daf6086a355f8ac1007a08e.exe
Resource: win10v2004-20220414-en
General
Target: 8835ec76c748d7b3c28135d15c6d9b26028c06ca2daf6086a355f8ac1007a08e.exe
Size: 37KB
MD5: 8bb066ff7083b2d7dff1b8a1bb47aaf7
SHA1: de6c13af77a76a74f54943415efd1fced38a6cc7
SHA256: 8835ec76c748d7b3c28135d15c6d9b26028c06ca2daf6086a355f8ac1007a08e
SHA512: 9d326eaf23156eade7327e9a164eef1d774594bd8db9cdebb1ab4230b9321dc0b170b40c9b3bb5ba3268923ef2abf6a0700d0ebe0a8326779b67281b6db9a2aa
Malware Config
Extracted
Family: njrat
Version: im523
Botnet: HacKed
C2: antoniocometa.ddns.net:1604
Mutex: bf2b934adc039f6f0c2d9ed3e3473fdf
reg_key: bf2b934adc039f6f0c2d9ed3e3473fdf
splitter: |'|'|
Signatures

Executes dropped EXE (1 IoC)
Processes: svchost.exe (PID 1520)

Modifies Windows Firewall (1 TTP)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation, by 8835ec76c748d7b3c28135d15c6d9b26028c06ca2daf6086a355f8ac1007a08e.exe

Drops startup file (2 IoCs)
Processes:
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf2b934adc039f6f0c2d9ed3e3473fdf.exe, by svchost.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf2b934adc039f6f0c2d9ed3e3473fdf.exe, by svchost.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Set value (str): \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bf2b934adc039f6f0c2d9ed3e3473fdf = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" ..", by svchost.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bf2b934adc039f6f0c2d9ed3e3473fdf = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" ..", by svchost.exe

Drops autorun.inf file (1 TTP)
Malware can abuse Windows Autorun to spread further via attached volumes.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Kills process with taskkill (1 IoC)
Processes: taskkill.exe (PID 340)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: svchost.exe (PID 1520), 64 identical entries

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: svchost.exe (PID 1520)

Suspicious use of AdjustPrivilegeToken (30 IoCs)
Processes:
  Token: SeDebugPrivilege, svchost.exe (PID 1520)
  Token: SeDebugPrivilege, taskkill.exe (PID 340)
  Token: 33 alternating with Token: SeIncBasePriorityPrivilege, svchost.exe (PID 1520), 28 entries

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  PID 432 (8835ec76c748d7b3c28135d15c6d9b26028c06ca2daf6086a355f8ac1007a08e.exe) wrote to memory of PID 1520 (svchost.exe), 3 entries
  PID 1520 (svchost.exe) wrote to memory of PID 1720 (netsh.exe), 3 entries
  PID 1520 (svchost.exe) wrote to memory of PID 340 (taskkill.exe), 3 entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\8835ec76c748d7b3c28135d15c6d9b26028c06ca2daf6086a355f8ac1007a08e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8835ec76c748d7b3c28135d15c6d9b26028c06ca2daf6086a355f8ac1007a08e.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /F /IM discord.exe
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize: 37KB
MD5: 8bb066ff7083b2d7dff1b8a1bb47aaf7
SHA1: de6c13af77a76a74f54943415efd1fced38a6cc7
SHA256: 8835ec76c748d7b3c28135d15c6d9b26028c06ca2daf6086a355f8ac1007a08e
SHA512: 9d326eaf23156eade7327e9a164eef1d774594bd8db9cdebb1ab4230b9321dc0b170b40c9b3bb5ba3268923ef2abf6a0700d0ebe0a8326779b67281b6db9a2aa
Memory dumps:
memory/340-136-0x0000000000000000-mapping.dmp
memory/432-130-0x0000000075570000-0x0000000075B21000-memory.dmp (Filesize: 5.7MB)
memory/1520-131-0x0000000000000000-mapping.dmp
memory/1520-134-0x0000000075570000-0x0000000075B21000-memory.dmp (Filesize: 5.7MB)
memory/1720-135-0x0000000000000000-mapping.dmp