Analysis
- max time kernel: 152s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 04:41
Behavioral task: behavioral1
- Sample: 038e4309bfb4abdeac86b64093eeac3cce5bb1b7a22d9850c17713a3542f069a.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 038e4309bfb4abdeac86b64093eeac3cce5bb1b7a22d9850c17713a3542f069a.exe
- Resource: win10v2004-20220414-en
General
- Target: 038e4309bfb4abdeac86b64093eeac3cce5bb1b7a22d9850c17713a3542f069a.exe
- Size: 37KB
- MD5: 145b95efd39cef2d32af0809261b788a
- SHA1: 094585413da93422445b0f7ba1eb16e42a349837
- SHA256: 038e4309bfb4abdeac86b64093eeac3cce5bb1b7a22d9850c17713a3542f069a
- SHA512: 4754164a7324ba148f817c6510c1c0f5773bab814e49be186bc2c232e2f558e19908fd50133955c7d6d70292ea6c414c76b014417e430153b6bc5f5a12ace842
Malware Config
Extracted (family: njrat)
- im523
- HacKed
- kamenshik222.hopto.org:1604
- d36b0d643b8950fbdfbfedccba217a77
- reg_key: d36b0d643b8950fbdfbfedccba217a77
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes: pid 1688 svchost.exe
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Processes:
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d36b0d643b8950fbdfbfedccba217a77.exe (svchost.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d36b0d643b8950fbdfbfedccba217a77.exe (svchost.exe)
- Loads dropped DLL (1 IoC)
  Processes: pid 1948 038e4309bfb4abdeac86b64093eeac3cce5bb1b7a22d9850c17713a3542f069a.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  - Set value (str): \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\d36b0d643b8950fbdfbfedccba217a77 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." (svchost.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\d36b0d643b8950fbdfbfedccba217a77 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." (svchost.exe)
- Drops autorun.inf file (1 TTP)
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoC)
  Processes: pid 1276 taskkill.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: pid 1688 svchost.exe (all 64 entries are from this process)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: pid 1688 svchost.exe
- Suspicious use of AdjustPrivilegeToken (18 IoCs)
  Processes:
  - Token: SeDebugPrivilege, pid 1688 svchost.exe
  - Token: SeDebugPrivilege, pid 1276 taskkill.exe
  - Token: 33 followed by Token: SeIncBasePriorityPrivilege, pid 1688 svchost.exe (8 alternating pairs, 16 entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (pid, source process, target process):
  - PID 1948 wrote to memory of 1688: 038e4309bfb4abdeac86b64093eeac3cce5bb1b7a22d9850c17713a3542f069a.exe -> svchost.exe (4 entries)
  - PID 1688 wrote to memory of 1380: svchost.exe -> netsh.exe (4 entries)
  - PID 1688 wrote to memory of 1276: svchost.exe -> taskkill.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\038e4309bfb4abdeac86b64093eeac3cce5bb1b7a22d9850c17713a3542f069a.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\038e4309bfb4abdeac86b64093eeac3cce5bb1b7a22d9850c17713a3542f069a.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\svchost.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
    - C:\Windows\SysWOW64\taskkill.exe (depth 3)
      Command line: taskkill /F /IM WindiwsDefender
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  Filesize: 37KB
  MD5: 145b95efd39cef2d32af0809261b788a
  SHA1: 094585413da93422445b0f7ba1eb16e42a349837
  SHA256: 038e4309bfb4abdeac86b64093eeac3cce5bb1b7a22d9850c17713a3542f069a
  SHA512: 4754164a7324ba148f817c6510c1c0f5773bab814e49be186bc2c232e2f558e19908fd50133955c7d6d70292ea6c414c76b014417e430153b6bc5f5a12ace842
- \Users\Admin\AppData\Local\Temp\svchost.exe
  Filesize: 37KB
  MD5: 145b95efd39cef2d32af0809261b788a
  SHA1: 094585413da93422445b0f7ba1eb16e42a349837
  SHA256: 038e4309bfb4abdeac86b64093eeac3cce5bb1b7a22d9850c17713a3542f069a
  SHA512: 4754164a7324ba148f817c6510c1c0f5773bab814e49be186bc2c232e2f558e19908fd50133955c7d6d70292ea6c414c76b014417e430153b6bc5f5a12ace842
- memory/1276-63-0x0000000000000000-mapping.dmp
- memory/1380-62-0x0000000000000000-mapping.dmp
- memory/1688-57-0x0000000000000000-mapping.dmp
- memory/1688-61-0x0000000074580000-0x0000000074B2B000-memory.dmp
  Filesize: 5.7MB
- memory/1948-54-0x0000000076191000-0x0000000076193000-memory.dmp
  Filesize: 8KB
- memory/1948-55-0x0000000074580000-0x0000000074B2B000-memory.dmp
  Filesize: 5.7MB