Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 30-06-2022 17:57
Static task: static1

Behavioral task: behavioral1
- Sample: 2fbdf528e956b229735da90f9d8b99e591a20c69abadbe0f9c9a2bc936f5c443.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 2fbdf528e956b229735da90f9d8b99e591a20c69abadbe0f9c9a2bc936f5c443.exe
- Resource: win10v2004-20220414-en
General
- Target: 2fbdf528e956b229735da90f9d8b99e591a20c69abadbe0f9c9a2bc936f5c443.exe
- Size: 37KB
- MD5: 743023f77b99de007c69bf2a5f6691d7
- SHA1: d5f800818615f581f207a65c04ad76510724da72
- SHA256: 2fbdf528e956b229735da90f9d8b99e591a20c69abadbe0f9c9a2bc936f5c443
- SHA512: c5ef8e5bc0e6c8df7e477679b82427ba996fe5d537a9818239ea7505cb7fac98f4803bd7be44e453af37a13f5b333c51288574dfff9d4e73930d6c18a49390e5
Malware Config
Extracted: njrat
- im523
- svhost.exe
- 91.219.28.11:5552
- 4c358cdc78434d13514be8b97373756a
- reg_key: 4c358cdc78434d13514be8b97373756a
- splitter: |'|'|
Signatures

- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  4736 | svhost.exe

- Modifies Windows Firewall (1 TTP, 1 IoC)

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | 2fbdf528e956b229735da90f9d8b99e591a20c69abadbe0f9c9a2bc936f5c443.exe

- Drops startup file (2 IoCs)
  Processes (description | ioc | process):
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4c358cdc78434d13514be8b97373756a.exe | svhost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4c358cdc78434d13514be8b97373756a.exe | svhost.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4c358cdc78434d13514be8b97373756a = "\"C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe\" .." | svhost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4c358cdc78434d13514be8b97373756a = "\"C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe\" .." | svhost.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | process):
  4736 | svhost.exe (64 identical entries)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid | process):
  4736 | svhost.exe

- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 4736 | svhost.exe
  Token: 33 | 4736 | svhost.exe (17 entries, alternating with the next row)
  Token: SeIncBasePriorityPrivilege | 4736 | svhost.exe (17 entries)

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description | pid | process | target process):
  PID 460 wrote to memory of 4736 | 460 | 2fbdf528e956b229735da90f9d8b99e591a20c69abadbe0f9c9a2bc936f5c443.exe | svhost.exe (3 identical entries)
  PID 4736 wrote to memory of 4492 | 4736 | svhost.exe | netsh.exe (3 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\2fbdf528e956b229735da90f9d8b99e591a20c69abadbe0f9c9a2bc936f5c443.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2fbdf528e956b229735da90f9d8b99e591a20c69abadbe0f9c9a2bc936f5c443.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\svhost.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Roaming\svhost.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe (child of 2)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svhost.exe" "svhost.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\svhost.exe
  Filesize: 37KB
  MD5: 743023f77b99de007c69bf2a5f6691d7
  SHA1: d5f800818615f581f207a65c04ad76510724da72
  SHA256: 2fbdf528e956b229735da90f9d8b99e591a20c69abadbe0f9c9a2bc936f5c443
  SHA512: c5ef8e5bc0e6c8df7e477679b82427ba996fe5d537a9818239ea7505cb7fac98f4803bd7be44e453af37a13f5b333c51288574dfff9d4e73930d6c18a49390e5
- memory/460-131-0x00000000746F0000-0x0000000074CA1000-memory.dmp
  Filesize: 5.7MB
- memory/460-135-0x00000000746F0000-0x0000000074CA1000-memory.dmp
  Filesize: 5.7MB
- memory/4492-137-0x0000000000000000-mapping.dmp
- memory/4736-132-0x0000000000000000-mapping.dmp
- memory/4736-136-0x00000000746F0000-0x0000000074CA1000-memory.dmp
  Filesize: 5.7MB
- memory/4736-138-0x00000000746F0000-0x0000000074CA1000-memory.dmp
  Filesize: 5.7MB