Analysis

max time kernel: 172s
max time network: 176s
platform: windows7_x64
resource: win7-20220414-en
submitted: 30-06-2022 17:57

Static task: static1

Behavioral task: behavioral1
Sample: 2fbdf528e956b229735da90f9d8b99e591a20c69abadbe0f9c9a2bc936f5c443.exe
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: 2fbdf528e956b229735da90f9d8b99e591a20c69abadbe0f9c9a2bc936f5c443.exe
Resource: win10v2004-20220414-en

The signatures, process tree and memory dumps below come from the windows7_x64 run (behavioral1); the 32-bit SysWOW64 and Wow6432Node paths in them show the sample is a 32-bit image running on a 64-bit host.
General

Target: 2fbdf528e956b229735da90f9d8b99e591a20c69abadbe0f9c9a2bc936f5c443.exe
Size: 37KB
MD5: 743023f77b99de007c69bf2a5f6691d7
SHA1: d5f800818615f581f207a65c04ad76510724da72
SHA256: 2fbdf528e956b229735da90f9d8b99e591a20c69abadbe0f9c9a2bc936f5c443
SHA512: c5ef8e5bc0e6c8df7e477679b82427ba996fe5d537a9818239ea7505cb7fac98f4803bd7be44e453af37a13f5b333c51288574dfff9d4e73930d6c18a49390e5
Malware Config

Extracted
Family: njrat
Version: im523
svhost.exe (unlabelled in the export; the same name as the copy the sample drops to AppData\Roaming, see the process tree below)
C2: 91.219.28.11:5552
4c358cdc78434d13514be8b97373756a (unlabelled in the export; the same 32-hex identifier is reused as the reg_key below, as the Run value name and as the Startup-folder file name)
reg_key: 4c358cdc78434d13514be8b97373756a
splitter: |'|'|

The C2 is a bare IP and port rather than a hostname, so there is no DNS lookup to catch; the 91.219.28.11:5552 socket and the splitter string in the TCP payload are the network indicators this config yields.
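The splitter above is the field delimiter njRAT uses inside its C2 messages, which is what makes it useful as a payload signature. The following is an added example, not code from this report or from the njRAT project: an incremental parser that reassembles njRAT-style frames from a TCP byte stream and splits each one on the configured splitter. The framing it assumes (decimal ASCII length, one NUL byte, then the payload) is taken from public analyses of the leaked njRAT client source, not from anything in this report; the demo traffic, the command names ("ll", "P") and the field values are constructed for illustration and are not a capture from 91.219.28.11:5552.

```python
"""Added example, not part of the sandbox report: reassemble njRAT C2 messages from a
TCP byte stream and split them on the splitter from the extracted config.

Framing assumption (from public analyses of the leaked njRAT client source, not from
this report): each message is the decimal ASCII length of the payload, one NUL byte,
then the payload; fields inside the payload are separated by the configured splitter.
All traffic below is constructed for the demo; command names and values are illustrative."""

from __future__ import annotations

from dataclasses import dataclass

SPLITTER = b"|'|'|"           # 'splitter' value from the extracted config
MAX_FRAME = 16 * 1024 * 1024  # sanity cap so a bogus length prefix cannot stall the parser


@dataclass
class NjratFrame:
    command: str
    fields: list[str]


class NjratStreamParser:
    """Incremental parser: feed() accepts arbitrary chunks (partial frames, several
    frames at once) and returns whichever frames are complete, buffering the rest."""

    def __init__(self, splitter: bytes = SPLITTER) -> None:
        self.splitter = splitter
        self._buf = b""

    def feed(self, chunk: bytes) -> list[NjratFrame]:
        self._buf += chunk
        frames: list[NjratFrame] = []
        while True:
            nul = self._buf.find(b"\x00")
            if nul == -1:
                break                      # length prefix not yet complete
            prefix = self._buf[:nul]
            if not prefix.isdigit() or int(prefix) > MAX_FRAME:
                raise ValueError(f"bad njRAT length prefix: {prefix!r}")
            end = nul + 1 + int(prefix)
            if len(self._buf) < end:
                break                      # payload not fully received yet
            payload, self._buf = self._buf[nul + 1:end], self._buf[end:]
            parts = [p.decode("latin-1") for p in payload.split(self.splitter)]
            frames.append(NjratFrame(parts[0], parts[1:]))
        return frames


def encode_frame(command: str, *fields: str, splitter: bytes = SPLITTER) -> bytes:
    """Build a frame the same way the client does; used here only to construct demo traffic."""
    payload = splitter.join(s.encode("latin-1") for s in (command, *fields))
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def demo() -> list[NjratFrame]:
    """Constructed stream: a beacon carrying the config identifier, then a one-byte ping."""
    stream = encode_frame("ll", "4c358cdc78434d13514be8b97373756a", "Win 7") + encode_frame("P")
    parser = NjratStreamParser()
    frames: list[NjratFrame] = []
    for i in range(0, len(stream), 7):     # deliver in 7-byte chunks to exercise reassembly
        frames.extend(parser.feed(stream[i:i + 7]))
    return frames


if __name__ == "__main__":
    for frame in demo():
        print(frame)
```

The parser keeps whatever does not yet form a complete frame in its buffer, so it can sit behind a socket recv loop or a pcap stream reassembler unchanged; the length cap and the digit check stop a corrupted or non-njRAT stream from being treated as one enormous pending frame.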
Signatures

Executes dropped EXE (1 IoC)
Process: svhost.exe (pid 976)
Modifies Windows Firewall (1 TTP, 1 IoC)
Process: netsh.exe (pid 1728), launched by svhost.exe; the command line is in the process tree below.
Drops startup file (2 IoCs)
Process: svhost.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4c358cdc78434d13514be8b97373756a.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4c358cdc78434d13514be8b97373756a.exe
The Startup-folder copy is named after the 32-hex identifier from the config, giving a second autostart path alongside the Run keys.
Loads dropped DLL (1 IoC)
Process: 2fbdf528e956b229735da90f9d8b99e591a20c69abadbe0f9c9a2bc936f5c443.exe (pid 1996)
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: svhost.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\4c358cdc78434d13514be8b97373756a = "\"C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe\" .."
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\4c358cdc78434d13514be8b97373756a = "\"C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe\" .."
Both values store the quoted path followed by a space and two dots (the stored string is "C:\Users\Admin\AppData\Roaming\svhost.exe" ..), a form characteristic of njRAT autostart entries and a usable hunting pattern on its own. The value name is the 32-hex identifier from the config. The machine-wide value lands under Wow6432Node because the writer is a 32-bit process, and it only succeeds because the sandbox user is an administrator; on a standard-user host only the HKCU value would be created.
Enumerates physical storage devices (1 TTP)
Sandbox description: "Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour."
The "likely ransomware" wording is the signature's generic text, not a finding about this sample. Nothing else in the report supports it (no mass file writes, no renamed or encrypted files, no ransom note), and the extracted config identifies the family as njRAT, a remote-access trojan whose drive enumeration belongs to its removable-media spreading routine.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Process: svhost.exe (pid 976), 64 hits
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Process: svhost.exe (pid 976)
Repeated GetForegroundWindow polling is how the implant tracks the active window title, the usual companion of a keylogger.
Suspicious use of AdjustPrivilegeToken (19 IoCs)
Process: svhost.exe (pid 976)
  Token: SeDebugPrivilege (once)
  Token: 33 and Token: SeIncBasePriorityPrivilege, alternating, nine times each
The unresolved "33" is the privilege LUID of SeIncreaseWorkingSetPrivilege. SeDebugPrivilege is the one that matters: taken together with the 64 process-enumeration hits above, it shows the implant walking the process list with the right to open processes it does not own.
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1996 (2fbdf528e956b229735da90f9d8b99e591a20c69abadbe0f9c9a2bc936f5c443.exe) wrote to memory of PID 976 (svhost.exe): 4 writes
  PID 976 (svhost.exe) wrote to memory of PID 1728 (netsh.exe): 4 writes
Each group of writes goes from a parent into the child it has just created and lines up with the process tree below; there is no write into a pre-existing or unrelated process, so this is ordinary child-process start-up rather than injection into a foreign process.
Processes

C:\Users\Admin\AppData\Local\Temp\2fbdf528e956b229735da90f9d8b99e591a20c69abadbe0f9c9a2bc936f5c443.exe (pid 1996)
  command line: "C:\Users\Admin\AppData\Local\Temp\2fbdf528e956b229735da90f9d8b99e591a20c69abadbe0f9c9a2bc936f5c443.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\svhost.exe (pid 976, child of 1996)
    command line: "C:\Users\Admin\AppData\Roaming\svhost.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe (pid 1728, child of 976)
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svhost.exe" "svhost.exe" ENABLE
      - Modifies Windows Firewall

Chain: the submitted sample copies itself to AppData\Roaming\svhost.exe (hashes identical to the original, see Downloads), starts the copy, and the copy registers itself for autostart and whitelists its own path in the Windows Firewall using the legacy "netsh firewall" syntax rather than "netsh advfirewall". No other process appears in the tree. The SysWOW64 path shows the 32-bit netsh was launched, consistent with a 32-bit parent and the Wow6432Node Run key.
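The three host-side behaviours in this tree (a firewall exception added by netsh for a binary under the user profile, a Run value with njRAT's "path" .. data named by a 32-hex identifier, and a Startup-folder drop) are each cheap to detect from endpoint telemetry. The following is an added example, not code from this report or from any sensor vendor: detection logic for those three behaviours run over a handful of constructed events. It assumes Sysmon field names (EventID 1 process create with Image, ParentImage and CommandLine; EventID 11 file create with Image and TargetFilename; EventID 13 registry set with TargetObject and Details); the SAMPLE_EVENTS are hand-written to mirror this report plus one benign control and are not exported telemetry. The netsh check goes beyond what this report shows and also recognises the current "netsh advfirewall firewall add rule ... program=" form.

```python
"""Added example, not part of the sandbox report: detection logic for the three
host-side behaviours in the process tree above (netsh firewall exception, Run-key
autostart, Startup-folder drop), run over constructed Sysmon-style events.
Assumptions: Sysmon field names for EventID 1 (Image, ParentImage, CommandLine),
11 (Image, TargetFilename) and 13 (TargetObject, Details); SAMPLE_EVENTS are
hand-written to mirror this report plus one benign control, not sensor output."""

from __future__ import annotations

import re

USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\microsoft\\windows\\start menu\\programs\\startup\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\software\\(?:wow6432node\\)?microsoft\\windows\\currentversion\\run\\([^\\]+)$", re.IGNORECASE)
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
NJRAT_RUN_VALUE = re.compile(r'^"([^"]+)" \.\.$')   # njRAT stores: "<path>" ..


def split_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line on unquoted whitespace. Quotes may open mid-token
    (program="C:\\x y\\z.exe") and are stripped; backslashes are literal, unlike shlex."""
    args, cur, in_quotes, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch.isspace() and not in_quotes:
            if started:
                args.append("".join(cur))
                cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append("".join(cur))
    return args


def firewall_exception_program(cmdline: str) -> str | None:
    """Return the program path a netsh command whitelists, or None for anything else."""
    argv = split_cmdline(cmdline)
    low = [a.lower() for a in argv]
    if not low or not low[0].rsplit("\\", 1)[-1].startswith("netsh"):
        return None
    if low[1:4] == ["firewall", "add", "allowedprogram"] and len(argv) > 4:   # legacy form (this report)
        return argv[4]
    if low[1:5] == ["advfirewall", "firewall", "add", "rule"]:                # current form
        for a in argv[5:]:
            if a.lower().startswith("program="):
                return a[len("program="):]
    return None


def check_process_create(ev: dict) -> list[str]:
    prog = firewall_exception_program(ev.get("CommandLine", ""))
    if prog and USER_WRITABLE.search(prog):
        return [f"firewall exception for user-profile binary {prog} (parent {ev.get('ParentImage')})"]
    return []


def check_registry_set(ev: dict) -> list[str]:
    m = RUN_KEY.search(ev.get("TargetObject", ""))
    if not m:
        return []
    name, data, alerts = m.group(1), ev.get("Details", ""), []
    v = NJRAT_RUN_VALUE.match(data)
    if v:
        alerts.append(f'Run value {name} has njRAT-style "<path>" .. data: {data}')
    path = v.group(1) if v else data.strip('"')
    if HEX32.match(name) and USER_WRITABLE.search(path):
        alerts.append(f"Run value named by 32-hex id points into user profile: {name} -> {path}")
    return alerts


def check_file_create(ev: dict) -> list[str]:
    target = ev.get("TargetFilename", "")
    if STARTUP_DIR.search(target) and USER_WRITABLE.search(ev.get("Image", "")):
        return [f"Startup-folder drop by user-profile binary {ev['Image']} -> {target}"]
    return []


HANDLERS = {1: check_process_create, 11: check_file_create, 13: check_registry_set}


def scan(events: list[dict]) -> list[str]:
    return [a for ev in events for a in HANDLERS.get(ev["EventID"], lambda _: [])(ev)]


# Constructed events mirroring this report (pids 1996 -> 976 -> 1728) plus one benign control.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\Admin\AppData\Roaming\svhost.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\2fbdf528e956b229735da90f9d8b99e591a20c69abadbe0f9c9a2bc936f5c443.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Roaming\svhost.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\netsh.exe", "ParentImage": r"C:\Users\Admin\AppData\Roaming\svhost.exe",
     "CommandLine": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svhost.exe" "svhost.exe" ENABLE'},
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Roaming\svhost.exe",
     "TargetObject": r"HKU\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\4c358cdc78434d13514be8b97373756a",
     "Details": r'"C:\Users\Admin\AppData\Roaming\svhost.exe" ..'},
    {"EventID": 11, "Image": r"C:\Users\Admin\AppData\Roaming\svhost.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4c358cdc78434d13514be8b97373756a.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe", "ParentImage": r"C:\Program Files\Vendor\setup.exe",  # benign control
     "CommandLine": r'netsh advfirewall firewall add rule name="Vendor Agent" dir=in action=allow program="C:\Program Files\Vendor\agent.exe" enable=yes'},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Running it over SAMPLE_EVENTS yields four alerts for the njRAT events and none for the installer adding a rule for a binary under Program Files; the path check on the whitelisted program is what separates the two, so a rule keyed only on "netsh ... add" would be far noisier.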
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\svhost.exe
(the export lists this file three times, once with the drive letter dropped as \Users\Admin\AppData\Roaming\svhost.exe; all three entries carry the same size and hashes)
Filesize: 37KB
MD5: 743023f77b99de007c69bf2a5f6691d7
SHA1: d5f800818615f581f207a65c04ad76510724da72
SHA256: 2fbdf528e956b229735da90f9d8b99e591a20c69abadbe0f9c9a2bc936f5c443
SHA512: c5ef8e5bc0e6c8df7e477679b82427ba996fe5d537a9818239ea7505cb7fac98f4803bd7be44e453af37a13f5b333c51288574dfff9d4e73930d6c18a49390e5
All four hashes equal those of the submitted sample in the General section: the dropped svhost.exe is a byte-for-byte copy of the original, not a decoded or unpacked second stage, so the file hashes above cover both artefacts.
Memory dumps
memory/976-57-0x0000000000000000-mapping.dmp
memory/976-62-0x0000000073F90000-0x000000007453B000-memory.dmp (5.7MB)
memory/976-65-0x0000000073F90000-0x000000007453B000-memory.dmp (5.7MB)
memory/1728-63-0x0000000000000000-mapping.dmp
memory/1996-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp (8KB)
memory/1996-55-0x0000000073F90000-0x000000007453B000-memory.dmp (5.7MB)
memory/1996-61-0x0000000073F90000-0x000000007453B000-memory.dmp (5.7MB)
The 5.7MB region 0x73F90000-0x000000007453B000 is dumped from both pid 1996 and pid 976 at the same base address, as expected for two instances of the same 37KB image mapping the same shared module; it is a module mapping, not the implant's own code, which is far smaller.