Analysis
- max time kernel: 188s
- max time network: 222s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 04:40
Behavioral task: behavioral1
- Sample: 142794b66b8708fa0f8dffb82a624a33abeddb22ac2a9b5442957a7aef22d841.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 142794b66b8708fa0f8dffb82a624a33abeddb22ac2a9b5442957a7aef22d841.exe
- Resource: win10v2004-20220414-en
General
- Target: 142794b66b8708fa0f8dffb82a624a33abeddb22ac2a9b5442957a7aef22d841.exe
- Size: 37KB
- MD5: 01e68b10abe9efeb75603ea26c75242f
- SHA1: 5d5b45d5a08801c03c2068f753ab4a41ddf71966
- SHA256: 142794b66b8708fa0f8dffb82a624a33abeddb22ac2a9b5442957a7aef22d841
- SHA512: aa3fbbf3bc270ab13a087ebe954e082bfb55d9040980e2f5f8f505fbd9fec93000485cbef42dc0b62bd01207b5bae7a38e8bb0cf01285c0a57bae2dc6e863db3
Malware Config
Extracted
- Family: njrat
- Version: im523
- Botnet: HacKed
- C2: z1cker.ddns.net:9219
- Mutex: 7dd52bc3c44b5e589ee15a6885becb3e
- reg_key: 7dd52bc3c44b5e589ee15a6885becb3e
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes: svch0st.exe (pid 4052)
- Modifies Windows Firewall (1 TTP)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Process: 142794b66b8708fa0f8dffb82a624a33abeddb22ac2a9b5442957a7aef22d841.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
- Drops startup file (2 IoCs)
  Process: svch0st.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7dd52bc3c44b5e589ee15a6885becb3e.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7dd52bc3c44b5e589ee15a6885becb3e.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: svch0st.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7dd52bc3c44b5e589ee15a6885becb3e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svch0st.exe\" .."
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7dd52bc3c44b5e589ee15a6885becb3e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svch0st.exe\" .."
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: svch0st.exe (pid 4052); the same entry is recorded 64 times
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: svch0st.exe (pid 4052)
- Suspicious use of AdjustPrivilegeToken (29 IoCs)
  Process: svch0st.exe (pid 4052)
  Token: SeDebugPrivilege (1 IoC)
  Token: 33, then Token: SeIncBasePriorityPrivilege; this pair is recorded 14 times (28 IoCs)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2548 wrote to memory of 4052: 142794b66b8708fa0f8dffb82a624a33abeddb22ac2a9b5442957a7aef22d841.exe -> svch0st.exe (recorded 3 times)
  PID 4052 wrote to memory of 3160: svch0st.exe -> netsh.exe (recorded 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\142794b66b8708fa0f8dffb82a624a33abeddb22ac2a9b5442957a7aef22d841.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\142794b66b8708fa0f8dffb82a624a33abeddb22ac2a9b5442957a7aef22d841.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\svch0st.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\svch0st.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svch0st.exe" "svch0st.exe" ENABLE
Downloads
- C:\Users\Admin\AppData\Local\Temp\svch0st.exe (same hashes as the submitted sample)
  Filesize: 37KB
  MD5: 01e68b10abe9efeb75603ea26c75242f
  SHA1: 5d5b45d5a08801c03c2068f753ab4a41ddf71966
  SHA256: 142794b66b8708fa0f8dffb82a624a33abeddb22ac2a9b5442957a7aef22d841
  SHA512: aa3fbbf3bc270ab13a087ebe954e082bfb55d9040980e2f5f8f505fbd9fec93000485cbef42dc0b62bd01207b5bae7a38e8bb0cf01285c0a57bae2dc6e863db3
- memory/2548-130-0x00000000748F0000-0x0000000074EA1000-memory.dmp
  Filesize: 5.7MB
- memory/3160-135-0x0000000000000000-mapping.dmp
- memory/4052-131-0x0000000000000000-mapping.dmp
- memory/4052-134-0x00000000748F0000-0x0000000074EA1000-memory.dmp
  Filesize: 5.7MB