Analysis
- max time kernel: 150s
- max time network: 48s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 01-07-2022 07:03
Static task: static1
Behavioral task: behavioral1
- Sample: fdc9b22a9a4babb44c95f67de6e09a8e8a5ab0c805141739fa81c88ef99d84db.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: fdc9b22a9a4babb44c95f67de6e09a8e8a5ab0c805141739fa81c88ef99d84db.exe
- Resource: win10v2004-20220414-en
General
- Target: fdc9b22a9a4babb44c95f67de6e09a8e8a5ab0c805141739fa81c88ef99d84db.exe
- Size: 54KB
- MD5: 0b0be038a905dfbdd3c957664f7567e7
- SHA1: 05c0cf8270dbb2015ccecbeba4b5d54ddcf92d48
- SHA256: fdc9b22a9a4babb44c95f67de6e09a8e8a5ab0c805141739fa81c88ef99d84db
- SHA512: cfd01a4175b846c1e0e6324c392eb3100c33009ddb2cffa077f49df902277b9e4744b655182bf8c750961ddc1a3174aa830c5477465633a71c3ef7cfd2ab6963
Malware Config
Extracted
- Family: njrat
- Version: 0.6.4
- Botnet (campaign ID): <<%M%>>
- C2: ihebmokhles.no-ip.org:1177
- Mutex: 854084595525f7929d7da906e0d2d84a
- reg_key: 854084595525f7929d7da906e0d2d84a
- splitter: |'|'|
The C2 is a no-ip.org dynamic DNS hostname on port 1177, njRAT's default port. The mutex and reg_key are the same 32-character string; the behavioural section below shows it reused as the Run value name and as the Startup-folder filename, so it is a usable host indicator for this build (other builds generate a different string). The splitter is the field delimiter njRAT uses inside its C2 messages.
Signatures
- Executes dropped EXE (1 IoC)
  Process: Svhost.exe (PID 1632)
- Modifies Windows Firewall (1 TTP, 1 IoC)
  See the netsh.exe entry in the process tree: the dropped Svhost.exe is added to the firewall's allowed-program list.
- Drops startup file (2 IoCs)
  Svhost.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\854084595525f7929d7da906e0d2d84a.exe
  Svhost.exe: File opened for modification (same path)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Svhost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\854084595525f7929d7da906e0d2d84a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Svhost.exe\" .."
  Svhost.exe: Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\854084595525f7929d7da906e0d2d84a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Svhost.exe\" .."
  Both values launch the copy in %TEMP% with the argument "..", and the value name is the configured reg_key. Writing the HKLM Run key requires administrative rights; on a standard-user host only the HKCU entry and the Startup-folder file would be created, which is still enough for persistence.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The generic signature text calls this "likely ransomware behaviour", but the extracted config identifies the sample as njRAT, a remote access trojan whose drive enumeration belongs to its removable-drive spreading feature; treat the ransomware wording as a false generalisation rather than evidence of encryption activity.
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Process: Svhost.exe (PID 1632), seven events
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Svhost.exe (PID 1632): Token SeDebugPrivilege
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2020 (the submitted sample) wrote to memory of PID 1632 (Svhost.exe), 3 events
  PID 1632 (Svhost.exe) wrote to memory of PID 804 (netsh.exe), 3 events
  Both pairs are writes from a parent into the child it has just spawned, which accompany ordinary process creation; the report records no write into any unrelated process, so this is not evidence of injection.
Processes
- 1. C:\Users\Admin\AppData\Local\Temp\fdc9b22a9a4babb44c95f67de6e09a8e8a5ab0c805141739fa81c88ef99d84db.exe (PID 2020)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fdc9b22a9a4babb44c95f67de6e09a8e8a5ab0c805141739fa81c88ef99d84db.exe"
  - Suspicious use of WriteProcessMemory
  - 2. C:\Users\Admin\AppData\Local\Temp\Svhost.exe (PID 1632)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Svhost.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - 3. C:\Windows\system32\netsh.exe (PID 804)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Svhost.exe" "Svhost.exe" ENABLE
      - Modifies Windows Firewall
The dropped filename "Svhost.exe" imitates the legitimate svchost.exe (one letter short) but runs from the user's %TEMP% directory rather than System32; any svchost-like image outside C:\Windows\System32 is worth a second look. The netsh command uses the legacy "netsh firewall" context, which still creates a rule (with a deprecation notice on newer Windows) and leaves an allowed-program entry with the display name "Svhost.exe" in the firewall rule store; it can be listed with "netsh advfirewall firewall show rule name=all" or read from HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules.
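Detection logic for the persistence and firewall chain recorded above, as an added example that is not part of the sandbox report or of the malware. It runs over constructed Sysmon-style event records whose layout, field names and rule names are this example's own assumptions; the paths, value name and netsh command line are copied from the report, and the two benign control records (a OneDrive Run value and an allow-rule for a Program Files binary) are constructed to show what must not fire. The example is deliberately more general than this one sample: it flags any Run value launching from a user-writable directory and any legacy allowed-program rule for a non-system binary, and it links a Startup-folder file to a Run value with the same name, which is how njRAT reuses its reg_key.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Directories a persistence target should not normally live in (assumed list).
USER_WRITABLE = re.compile(r"\\(AppData\\(Local|Roaming)|Users\\Public|ProgramData|Temp)\\", re.I)
# Locations where a firewall allow-rule for a program is unremarkable.
SYSTEM_DIRS = re.compile(r"^[a-z]:\\(Windows|Program Files( \(x86\))?)\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\([^\\]+)$", re.I)
# Legacy "netsh firewall add allowedprogram <path> ..." form, as seen in the report.
NETSH_ALLOW = re.compile(r'netsh(?:\.exe)?\s+firewall\s+add\s+allowedprogram\s+(?:"([^"]+)"|(\S+))', re.I)


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def _first_exe(data: str) -> str:
    """Return the (possibly quoted) executable path at the start of a command string."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', data)
    return (m.group(1) or m.group(2)) if m else data


def analyse(events: List[Dict]) -> List[Finding]:
    """Evaluate process/registry/file events for the njRAT-style persistence chain."""
    # Pass 1: Run value name -> launched image, so the Startup check is order-independent.
    run_values: Dict[str, str] = {}
    for ev in events:
        if ev["event"] == "registry_set":
            m = RUN_KEY.search(ev["target"])
            if m:
                run_values[m.group(1).lower()] = _first_exe(ev["data"])
    findings: List[Finding] = []
    for ev in events:
        if ev["event"] == "process_create":
            m = NETSH_ALLOW.search(ev["command_line"])
            if m:
                prog = m.group(1) or m.group(2)
                if not SYSTEM_DIRS.match(prog):
                    findings.append(Finding("firewall_allow_nonsystem_binary", ev["pid"], prog))
        elif ev["event"] == "registry_set":
            m = RUN_KEY.search(ev["target"])
            if m:
                exe = _first_exe(ev["data"])
                if USER_WRITABLE.search(exe):
                    hive = "HKLM" if "\\MACHINE\\" in ev["target"].upper() else "HKCU"
                    findings.append(Finding("run_key_user_writable", ev["pid"], f"{hive} {m.group(1)} -> {exe}"))
        elif ev["event"] == "file_create":
            m = STARTUP_DIR.search(ev["target"])
            if m and m.group(1).rsplit(".", 1)[0].lower() in run_values:
                findings.append(Finding("startup_file_matches_run_value", ev["pid"], ev["target"]))
    return findings


# Constructed events mirroring the report (paths, PIDs and the value name are copied
# from it; the record layout is assumed). The last two records are benign controls.
VALUE = "854084595525f7929d7da906e0d2d84a"
SVHOST = r"C:\Users\Admin\AppData\Local\Temp\Svhost.exe"
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 804, "ppid": 1632, "image": r"C:\Windows\system32\netsh.exe",
     "command_line": f'netsh firewall add allowedprogram "{SVHOST}" "Svhost.exe" ENABLE'},
    {"event": "file_create", "pid": 1632,
     "target": rf"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{VALUE}.exe"},
    {"event": "registry_set", "pid": 1632,
     "target": rf"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{VALUE}",
     "data": f'"{SVHOST}" ..'},
    {"event": "registry_set", "pid": 1632,
     "target": rf"\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\{VALUE}",
     "data": f'"{SVHOST}" ..'},
    {"event": "registry_set", "pid": 4000,
     "target": r"\REGISTRY\USER\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"event": "process_create", "pid": 4100, "ppid": 1, "image": r"C:\Windows\system32\netsh.exe",
     "command_line": r'netsh firewall add allowedprogram "C:\Program Files\App\app.exe" "App" ENABLE'},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

Running the block against SAMPLE_EVENTS yields four findings, all attributed to PIDs 804 and 1632: the firewall allow-rule, the HKLM and HKCU Run values, and the Startup file that shares its name with the Run value; the two control records produce nothing. In production the same three checks map onto Sysmon event IDs 1 (process creation), 13 (registry value set) and 11 (file create), with the Startup-to-Run-value link being the part that distinguishes njRAT's install from a lone suspicious Run key.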
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Svhost.exe (listed twice in the report with identical values)
  Filesize: 54KB
  MD5: 0b0be038a905dfbdd3c957664f7567e7
  SHA1: 05c0cf8270dbb2015ccecbeba4b5d54ddcf92d48
  SHA256: fdc9b22a9a4babb44c95f67de6e09a8e8a5ab0c805141739fa81c88ef99d84db
  SHA512: cfd01a4175b846c1e0e6324c392eb3100c33009ddb2cffa077f49df902277b9e4744b655182bf8c750961ddc1a3174aa830c5477465633a71c3ef7cfd2ab6963
  These hashes are identical to the submitted sample's, so the dropped Svhost.exe is a byte-for-byte self-copy into %TEMP%; a single file hash covers both the original and the persisted copy.
- memory/804-62-0x0000000000000000-mapping.dmp
- memory/1632-57-0x0000000000000000-mapping.dmp
- memory/1632-60-0x0000000000050000-0x0000000000064000-memory.dmp (Filesize: 80KB)
- memory/1632-64-0x000000001A976000-0x000000001A995000-memory.dmp (Filesize: 124KB)
- memory/2020-54-0x0000000000CA0000-0x0000000000CB4000-memory.dmp (Filesize: 80KB)
- memory/2020-55-0x000007FEFC341000-0x000007FEFC343000-memory.dmp (Filesize: 8KB)
- memory/2020-56-0x0000000000440000-0x000000000044E000-memory.dmp (Filesize: 56KB)