Analysis

max time kernel: 151s
max time network: 51s
platform: windows7_x64
resource: win7-20220414-en
submitted: 01-07-2022 05:10

Behavioral task: behavioral1
Sample: df949161b20c6917699483f28fba2b545ab30ea5456275a3cce6cd19e921fd10.exe
Resource: win7-20220414-en
General

Target: df949161b20c6917699483f28fba2b545ab30ea5456275a3cce6cd19e921fd10.exe
Size: 29KB
MD5: 977dbc36f17b3a6f4a0f4efb01391dd2
SHA1: e6a49e5405d3e94825920b84ace9bcb4b7c53731
SHA256: df949161b20c6917699483f28fba2b545ab30ea5456275a3cce6cd19e921fd10
SHA512: 6e94acc93b633585207ed90a9d91256712cc677b67c85ad5bbbd6aa55b3832d246553f39022d50bdad024f95bce1b79bba3c4eb84111df2ef5103e4e760a1549
Malware Config

Extracted family: njrat
Version: 0.6.4
Botnet (campaign ID): HacKed
C2: yekihackers.ddns.net:2020
Mutex: ba4c12bee3027d94da5c81db2d196bfd
Attributes:
  reg_key: ba4c12bee3027d94da5c81db2d196bfd
  splitter: |'|'|

The 32-hex-character value ba4c12bee3027d94da5c81db2d196bfd is reused throughout the run: it is the mutex, the Run value name and the file name of the copy dropped in the Startup folder (see Signatures below), so it is the single most specific host indicator for this build. The C2 is a dynamic-DNS hostname on a non-standard port, which is typical for njRAT and means the resolved IP should not be treated as a stable indicator.
Signatures

Executes dropped EXE (1 IoC)
  PID 1016  svchost.exe

Modifies Windows Firewall (1 TTP, 1 IoC)
  netsh.exe, PID 2040 (command line in the process tree below)

Drops startup file (2 IoCs)
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ba4c12bee3027d94da5c81db2d196bfd.exe   (svchost.exe)
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ba4c12bee3027d94da5c81db2d196bfd.exe   (svchost.exe)

Loads dropped DLL (1 IoC)
  PID 1964  df949161b20c6917699483f28fba2b545ab30ea5456275a3cce6cd19e921fd10.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\ba4c12bee3027d94da5c81db2d196bfd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."   (svchost.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ba4c12bee3027d94da5c81db2d196bfd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."   (svchost.exe)
  Both values point at the copy in %TEMP% rather than at a system path, and the HKLM value lands under Wow6432Node because the process is 32-bit on a 64-bit guest. The trailing ".." argument is the command line njRAT starts its installed copy with.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this "likely ransomware behaviour", but nothing else in this report (no bulk file modification, no ransom note) supports that; for njRAT, drive enumeration serves its file manager and removable-drive spreading.

Suspicious behavior: EnumeratesProcesses (18 IoCs)
  PID 1016  svchost.exe  (18 occurrences)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  PID 1016  svchost.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1964 (df949161b20c6917699483f28fba2b545ab30ea5456275a3cce6cd19e921fd10.exe) wrote to memory of PID 1016 (svchost.exe)   x4
  PID 1016 (svchost.exe) wrote to memory of PID 2040 (netsh.exe)   x4
  Each of these write sets is parent-to-child at process creation, which this signature also fires on for ordinary process launches; on its own it is not evidence of code injection into an existing process.
Processes

1. C:\Users\Admin\AppData\Local\Temp\df949161b20c6917699483f28fba2b545ab30ea5456275a3cce6cd19e921fd10.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\df949161b20c6917699483f28fba2b545ab30ea5456275a3cce6cd19e921fd10.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\svchost.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe
         command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
         - Modifies Windows Firewall

The chain is sample -> copy of itself named svchost.exe in %TEMP% -> netsh.exe. The copy borrows the name of a core system binary but runs from a user-writable directory; netsh is launched from SysWOW64, again consistent with a 32-bit payload on x64. The legacy `netsh firewall` context still works on Windows 7 and adds an allow rule for the %TEMP% copy so the C2 connection is not blocked.
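The config, signatures and process tree above give a compact set of host artefacts (svchost.exe outside System32, a Run value pointing into %TEMP%, an executable in the Startup folder, a netsh firewall exception, a lookup of the C2 host). The following Python is an added example of turning them into hunt rules run over Sysmon-style events; it is not part of the report or of any sandbox tooling. The event records are constructed to mirror the process tree (PIDs 1964, 1016, 2040) plus two benign events, and the field names follow Sysmon's (EventID, Image, CommandLine, TargetObject, Details, TargetFilename, QueryName); the indicator values are copied from the report.

```python
"""Host-side hunt rules derived from the njRAT config and sandbox signatures above.

The events at the bottom are constructed Sysmon-style records that mirror the
report's process tree; they are not taken from the report itself.
"""
import re

# Indicators copied from the extracted config and signatures above.
NJRAT_ID = "ba4c12bee3027d94da5c81db2d196bfd"   # mutex, Run-value name and Startup-file stem
NJRAT_C2_HOST = "yekihackers.ddns.net"

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")
RUN_KEY_RE = re.compile(
    r"\\software\\(wow6432node\\)?microsoft\\windows\\currentversion\\run\\(?P<name>[^\\]+)$", re.I)
STARTUP_EXE_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.exe$", re.I)


def norm(path):
    """Lower-case, strip surrounding quotes and unify separators before comparing."""
    return path.strip('"').lower().replace("/", "\\")


def rule_masquerading_svchost(ev):
    """Sysmon EID 1: svchost.exe started from anywhere but System32/SysWOW64."""
    if ev["EventID"] != 1:
        return None
    image = norm(ev["Image"])
    if image.endswith("\\svchost.exe") and not image.startswith(SYSTEM_DIRS):
        return "svchost.exe running outside System32/SysWOW64"
    return None


def rule_netsh_firewall_allow(ev):
    """Sysmon EID 1: netsh adding a firewall exception (legacy or advfirewall syntax)."""
    if ev["EventID"] != 1 or not norm(ev["Image"]).endswith("\\netsh.exe"):
        return None
    cmd = ev["CommandLine"].lower()
    if "firewall" in cmd and " add " in cmd and ("allowedprogram" in cmd or "action=allow" in cmd):
        return "netsh adds a firewall allow rule"
    return None


def rule_run_key_to_user_dir(ev):
    """Sysmon EID 13: Run value whose target lives in a user-writable directory."""
    if ev["EventID"] != 13:
        return None
    m = RUN_KEY_RE.search(ev["TargetObject"])
    if not m:
        return None
    if any(d in norm(ev["Details"]) for d in USER_WRITABLE):
        conf = "high" if m.group("name").lower() == NJRAT_ID else "medium"
        return f"Run value '{m.group('name')}' points into a user-writable directory ({conf})"
    return None


def rule_startup_folder_exe(ev):
    """Sysmon EID 11: executable written to the per-user Startup folder."""
    if ev["EventID"] == 11 and STARTUP_EXE_RE.search(norm(ev["TargetFilename"])):
        return "executable dropped in Startup folder"
    return None


def rule_c2_dns(ev):
    """Sysmon EID 22: DNS lookup of the configured C2 host."""
    if ev["EventID"] == 22 and norm(ev["QueryName"]).rstrip(".") == NJRAT_C2_HOST:
        return f"DNS lookup of njRAT C2 {NJRAT_C2_HOST}"
    return None


RULES = [rule_masquerading_svchost, rule_netsh_firewall_allow,
         rule_run_key_to_user_dir, rule_startup_folder_exe, rule_c2_dns]


def hunt(events):
    """Run every rule over every event; one finding per (event, rule) hit."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append({"pid": ev["ProcessId"], "image": ev["Image"], "finding": hit})
    return findings


TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
SID = "S-1-5-21-1819626980-2277161760-1023733287-1000"
# Constructed events modelled on the process tree above (1964 -> 1016 -> 2040), plus two benign ones.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1016, "Image": TEMP + "svchost.exe",
     "CommandLine": f'"{TEMP}svchost.exe"', "ParentProcessId": 1964},
    {"EventID": 13, "ProcessId": 1016, "Image": TEMP + "svchost.exe",
     "TargetObject": f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\{NJRAT_ID}",
     "Details": f'"{TEMP}svchost.exe" ..'},
    {"EventID": 11, "ProcessId": 1016, "Image": TEMP + "svchost.exe",
     "TargetFilename": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
                       + NJRAT_ID + ".exe"},
    {"EventID": 1, "ProcessId": 2040, "Image": "C:\\Windows\\SysWOW64\\netsh.exe",
     "CommandLine": f'netsh firewall add allowedprogram "{TEMP}svchost.exe" "svchost.exe" ENABLE',
     "ParentProcessId": 1016},
    {"EventID": 22, "ProcessId": 1016, "Image": TEMP + "svchost.exe", "QueryName": "yekihackers.ddns.net"},
    # benign: the real svchost, and a Run value pointing into Program Files
    {"EventID": 1, "ProcessId": 812, "Image": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs", "ParentProcessId": 600},
    {"EventID": 13, "ProcessId": 3000, "Image": "C:\\Program Files\\Vendor\\updater.exe",
     "TargetObject": f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater",
     "Details": '"C:\\Program Files\\Vendor\\updater.exe"'},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"pid {f['pid']:>5}  {f['image']}  {f['finding']}")
```

The Run-value rule grades by confidence: any Run value into %TEMP%, %APPDATA% or Public is worth a look, while a value named with this build's ID is a direct match. The two benign events show the rules do not fire on the real svchost.exe or on a Run value that targets Program Files.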
Downloads

Dropped files
  C:\Users\Admin\AppData\Local\Temp\svchost.exe  (recorded three times, twice with the drive letter and once as \Users\Admin\AppData\Local\Temp\svchost.exe)
    Filesize: 29KB
    MD5: 977dbc36f17b3a6f4a0f4efb01391dd2
    SHA1: e6a49e5405d3e94825920b84ace9bcb4b7c53731
    SHA256: df949161b20c6917699483f28fba2b545ab30ea5456275a3cce6cd19e921fd10
    SHA512: 6e94acc93b633585207ed90a9d91256712cc677b67c85ad5bbbd6aa55b3832d246553f39022d50bdad024f95bce1b79bba3c4eb84111df2ef5103e4e760a1549
  All four hashes match the submitted sample: the dropped svchost.exe is a byte-for-byte copy of the original, not a second-stage payload.

Memory dumps
  memory/1016-56-0x0000000000000000-mapping.dmp
  memory/1016-62-0x0000000074B50000-0x00000000750FB000-memory.dmp   5.7MB
  memory/1016-64-0x0000000074B50000-0x00000000750FB000-memory.dmp   5.7MB
  memory/1964-54-0x0000000075401000-0x0000000075403000-memory.dmp   8KB
  memory/1964-61-0x0000000074B50000-0x00000000750FB000-memory.dmp   5.7MB
  memory/2040-60-0x0000000000000000-mapping.dmp