Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 18:29
Behavioral task: behavioral1
- Sample: 4b0f762e2935bd48524d835f4d6eb6289f20721241a362fb51a520150fdba95e.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 4b0f762e2935bd48524d835f4d6eb6289f20721241a362fb51a520150fdba95e.exe
- Resource: win10v2004-20220414-en
General
- Target: 4b0f762e2935bd48524d835f4d6eb6289f20721241a362fb51a520150fdba95e.exe
- Size: 37KB
- MD5: 85972855ff977c521b1a717a32593fdd
- SHA1: b0144dfb8130083922e35b70152edd83739359a9
- SHA256: 4b0f762e2935bd48524d835f4d6eb6289f20721241a362fb51a520150fdba95e
- SHA512: 1c81a09c3e562bbe462690d899499d187e3b52fd5d5ec759482d7dda5136c4af54f5c806d246db8a331effb633f96754987a8af03238b7cda5019c5fd17c849f
Malware Config
Extracted
- Family: njrat
- im523
- HacKer
- 91.232.111.212:7777
- 47f152bbb0d9981b492589085b7b7e18
- reg_key: 47f152bbb0d9981b492589085b7b7e18
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    2008  svhost.exe
- Modifies Windows Firewall (1 TTPs)
- Drops startup file (2 IoCs)
  Processes:
    description                   ioc                                                                                                            process
    File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\47f152bbb0d9981b492589085b7b7e18.exe   svhost.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\47f152bbb0d9981b492589085b7b7e18.exe   svhost.exe
- Loads dropped DLL (1 IoCs)
  Processes:
    pid   process
    1412  4b0f762e2935bd48524d835f4d6eb6289f20721241a362fb51a520150fdba95e.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description      ioc                                                                                                                                                                          process
    Set value (str)  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\47f152bbb0d9981b492589085b7b7e18 = "\"C:\\Users\\Admin\\svhost.exe\" .."   svhost.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\47f152bbb0d9981b492589085b7b7e18 = "\"C:\\Users\\Admin\\svhost.exe\" .."                          svhost.exe
- Drops autorun.inf file (1 TTPs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoCs)
  Processes:
    pid   process
    1716  taskkill.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid   process
    2008  svhost.exe   (64 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid   process
    2008  svhost.exe
- Suspicious use of AdjustPrivilegeToken (20 IoCs)
  Processes:
    description                        pid   process
    Token: SeDebugPrivilege            2008  svhost.exe
    Token: SeDebugPrivilege            1716  taskkill.exe
    Token: 33                          2008  svhost.exe     (9 entries, alternating with the row below)
    Token: SeIncBasePriorityPrivilege  2008  svhost.exe     (9 entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                           pid   process                                                                    target process
    PID 1412 wrote to memory of 2008      1412  4b0f762e2935bd48524d835f4d6eb6289f20721241a362fb51a520150fdba95e.exe     svhost.exe     (4 entries)
    PID 2008 wrote to memory of 1236      2008  svhost.exe                                                                 netsh.exe      (4 entries)
    PID 2008 wrote to memory of 1716      2008  svhost.exe                                                                 taskkill.exe   (4 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\4b0f762e2935bd48524d835f4d6eb6289f20721241a362fb51a520150fdba95e.exe
      "C:\Users\Admin\AppData\Local\Temp\4b0f762e2935bd48524d835f4d6eb6289f20721241a362fb51a520150fdba95e.exe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\svhost.exe
        "C:\Users\Admin\svhost.exe"
        - Executes dropped EXE
        - Drops startup file
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\svhost.exe" "svhost.exe" ENABLE
    - [3] C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM Exsample.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\svhost.exe
  Filesize: 37KB
  MD5: 85972855ff977c521b1a717a32593fdd
  SHA1: b0144dfb8130083922e35b70152edd83739359a9
  SHA256: 4b0f762e2935bd48524d835f4d6eb6289f20721241a362fb51a520150fdba95e
  SHA512: 1c81a09c3e562bbe462690d899499d187e3b52fd5d5ec759482d7dda5136c4af54f5c806d246db8a331effb633f96754987a8af03238b7cda5019c5fd17c849f
- \Users\Admin\svhost.exe
  Filesize: 37KB
  MD5: 85972855ff977c521b1a717a32593fdd
  SHA1: b0144dfb8130083922e35b70152edd83739359a9
  SHA256: 4b0f762e2935bd48524d835f4d6eb6289f20721241a362fb51a520150fdba95e
  SHA512: 1c81a09c3e562bbe462690d899499d187e3b52fd5d5ec759482d7dda5136c4af54f5c806d246db8a331effb633f96754987a8af03238b7cda5019c5fd17c849f
- memory/1236-62-0x0000000000000000-mapping.dmp
- memory/1412-54-0x0000000075941000-0x0000000075943000-memory.dmp
  Filesize: 8KB
- memory/1412-55-0x00000000745C0000-0x0000000074B6B000-memory.dmp
  Filesize: 5.7MB
- memory/1716-63-0x0000000000000000-mapping.dmp
- memory/2008-57-0x0000000000000000-mapping.dmp
- memory/2008-61-0x00000000745C0000-0x0000000074B6B000-memory.dmp
  Filesize: 5.7MB