Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 20-05-2022 18:29
Behavioral task behavioral1
Sample: 4b0f762e2935bd48524d835f4d6eb6289f20721241a362fb51a520150fdba95e.exe
Resource: win7-20220414-en
Behavioral task behavioral2
Sample: 4b0f762e2935bd48524d835f4d6eb6289f20721241a362fb51a520150fdba95e.exe
Resource: win10v2004-20220414-en
General
Target: 4b0f762e2935bd48524d835f4d6eb6289f20721241a362fb51a520150fdba95e.exe
Size: 37KB
MD5: 85972855ff977c521b1a717a32593fdd
SHA1: b0144dfb8130083922e35b70152edd83739359a9
SHA256: 4b0f762e2935bd48524d835f4d6eb6289f20721241a362fb51a520150fdba95e
SHA512: 1c81a09c3e562bbe462690d899499d187e3b52fd5d5ec759482d7dda5136c4af54f5c806d246db8a331effb633f96754987a8af03238b7cda5019c5fd17c849f
Malware Config
Extracted
Family: njrat
Version: im523
Botnet: HacKer
C2: 91.232.111.212:7777
Mutex: 47f152bbb0d9981b492589085b7b7e18
reg_key: 47f152bbb0d9981b492589085b7b7e18
splitter: |'|'|
Signatures

Executes dropped EXE (1 IoC)
Processes: svhost.exe (PID 1568)

Modifies Windows Firewall (1 TTP)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 4b0f762e2935bd48524d835f4d6eb6289f20721241a362fb51a520150fdba95e.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation (4b0f762e2935bd48524d835f4d6eb6289f20721241a362fb51a520150fdba95e.exe)

Drops startup file (2 IoCs)
Processes: svhost.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\47f152bbb0d9981b492589085b7b7e18.exe (svhost.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\47f152bbb0d9981b492589085b7b7e18.exe (svhost.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: svhost.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\47f152bbb0d9981b492589085b7b7e18 = "\"C:\\Users\\Admin\\svhost.exe\" .." (svhost.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\47f152bbb0d9981b492589085b7b7e18 = "\"C:\\Users\\Admin\\svhost.exe\" .." (svhost.exe)

Drops autorun.inf file (1 TTP)
Malware can abuse Windows Autorun to spread further via attached volumes.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Kills process with taskkill (1 IoC)
Processes: taskkill.exe (PID 828)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: svhost.exe (PID 1568), 64 identical entries

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: svhost.exe (PID 1568)

Suspicious use of AdjustPrivilegeToken (36 IoCs)
Processes: svhost.exe, taskkill.exe
  Token: SeDebugPrivilege, PID 1568 svhost.exe
  Token: SeDebugPrivilege, PID 828 taskkill.exe
  Token: 33 and Token: SeIncBasePriorityPrivilege, alternating, PID 1568 svhost.exe (34 entries)

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 4b0f762e2935bd48524d835f4d6eb6289f20721241a362fb51a520150fdba95e.exe, svhost.exe
  PID 4728 (4b0f762e2935bd48524d835f4d6eb6289f20721241a362fb51a520150fdba95e.exe) wrote to memory of PID 1568 (svhost.exe), 3 entries
  PID 1568 (svhost.exe) wrote to memory of PID 4676 (netsh.exe), 3 entries
  PID 1568 (svhost.exe) wrote to memory of PID 828 (taskkill.exe), 3 entries
Processes

1. C:\Users\Admin\AppData\Local\Temp\4b0f762e2935bd48524d835f4d6eb6289f20721241a362fb51a520150fdba95e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4b0f762e2935bd48524d835f4d6eb6289f20721241a362fb51a520150fdba95e.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\svhost.exe
      Command line: "C:\Users\Admin\svhost.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\svhost.exe" "svhost.exe" ENABLE

      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /F /IM Exsample.exe
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\svhost.exe
Filesize: 37KB
MD5: 85972855ff977c521b1a717a32593fdd
SHA1: b0144dfb8130083922e35b70152edd83739359a9
SHA256: 4b0f762e2935bd48524d835f4d6eb6289f20721241a362fb51a520150fdba95e
SHA512: 1c81a09c3e562bbe462690d899499d187e3b52fd5d5ec759482d7dda5136c4af54f5c806d246db8a331effb633f96754987a8af03238b7cda5019c5fd17c849f

memory/828-136-0x0000000000000000-mapping.dmp
memory/1568-131-0x0000000000000000-mapping.dmp
memory/1568-134-0x0000000075460000-0x0000000075A11000-memory.dmp (Filesize: 5.7MB)
memory/4676-135-0x0000000000000000-mapping.dmp
memory/4728-130-0x0000000075460000-0x0000000075A11000-memory.dmp (Filesize: 5.7MB)