Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 03-07-2022 16:16
Behavioral task behavioral1
- Sample: 3b7f64b59e1472ab72c20b43f636002c87b58799da6388869a8b872e7316c08b.exe
- Resource: win7-20220414-en
Behavioral task behavioral2
- Sample: 3b7f64b59e1472ab72c20b43f636002c87b58799da6388869a8b872e7316c08b.exe
- Resource: win10v2004-20220414-en
General
- Target: 3b7f64b59e1472ab72c20b43f636002c87b58799da6388869a8b872e7316c08b.exe
- Size: 23KB
- MD5: ca64a9c11199bbd232c737eb34117e0f
- SHA1: 44427cc753e8f1cda936970605885010772c4697
- SHA256: 3b7f64b59e1472ab72c20b43f636002c87b58799da6388869a8b872e7316c08b
- SHA512: 6d44d971dc16c3b52cf853f999c7fa212d478081d76b463db98858e3bccd040e7368d1667706b032675644b80d06ae3c3032e03475f0e23417607abbcaa5c126
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet (campaign ID): HacKed
- C2: securit.linkpc.net:10156
- Mutex: d3cb74d223b66e1c3aebf64e3aa2b4d1
- Attributes:
  - reg_key: d3cb74d223b66e1c3aebf64e3aa2b4d1
  - splitter: |'|'|
The 32-hex-character client ID is reused as both the mutex name and the Run value name (it reappears in the Run-key IoCs below), so it is a stable host-based indicator for this build. linkpc.net is a dynamic DNS service, so the address the C2 hostname resolves to can change between runs; key network indicators on the hostname and port (securit.linkpc.net, TCP 10156) rather than on a resolved IP.
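The splitter in the extracted config is the field delimiter njRAT uses on its C2 channel. The following is an added example (not code from the sandbox report or from njRAT) showing how to reassemble and split such messages from a TCP stream, including the partial-read case. It assumes the framing described in public njRAT 0.7d write-ups, a decimal length, a NUL byte, then the payload; that framing and the sample traffic below are constructed for the example and were not taken from this report.

```python
"""Frame and split njRAT-style C2 messages using the config's splitter.

Added example for this report; not code from the sandbox or from njRAT.
Assumed (from public njRAT 0.7d write-ups, not from the report): each wire
message is "<decimal length>\\x00<payload>" and payload fields are separated
by the splitter "|'|'|" shown in the extracted config. The traffic below is
constructed, not captured from the sample.
"""
from __future__ import annotations

from dataclasses import dataclass

SPLITTER = b"|'|'|"        # from the extracted config
MAX_MESSAGE = 1 << 20      # refuse absurd length prefixes from a hostile peer


@dataclass
class Message:
    cmd: str
    args: list[str]


def frame(payload: bytes) -> bytes:
    """Build one wire message: decimal length, NUL, payload (assumed framing)."""
    return str(len(payload)).encode("ascii") + b"\x00" + payload


class NjratFramer:
    """Reassembles messages from a byte stream; tolerates partial reads."""

    def __init__(self, splitter: bytes = SPLITTER) -> None:
        self.buf = b""
        self.splitter = splitter

    def feed(self, chunk: bytes) -> list[Message]:
        """Append a chunk and return every message that is now complete."""
        self.buf += chunk
        messages: list[Message] = []
        while True:
            nul = self.buf.find(b"\x00")
            if nul < 0:
                break                      # length prefix not complete yet
            length_field = self.buf[:nul]
            if not length_field.isdigit():
                raise ValueError(f"bad length prefix: {length_field!r}")
            length = int(length_field)
            if length > MAX_MESSAGE:
                raise ValueError(f"length {length} exceeds limit")
            start = nul + 1
            if len(self.buf) - start < length:
                break                      # wait for the rest of the payload
            payload = self.buf[start:start + length]
            self.buf = self.buf[start + length:]
            fields = [f.decode("utf-8", "replace") for f in payload.split(self.splitter)]
            messages.append(Message(cmd=fields[0], args=fields[1:]))
        return messages


def demo() -> list[Message]:
    """Feed two constructed messages in two uneven chunks."""
    wire = frame(b"ll|'|'|HacKed_ABCD|'|'|DESKTOP-1|'|'|Admin") + frame(b"inf")
    framer = NjratFramer()
    first = framer.feed(wire[:7])   # only part of the first message: nothing yet
    return first + framer.feed(wire[7:])
```

Buffering across `feed()` calls matters in practice: a packet capture or proxy rarely delivers a whole message in one read, and a splitter-only parser that ignores the length prefix will mis-split any argument that itself contains `|'|'|`.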
Signatures
- Executes dropped EXE (1 IoC)
  Processes: svhost.exe (PID 1984)
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Loads dropped DLL (1 IoC)
  Processes: 3b7f64b59e1472ab72c20b43f636002c87b58799da6388869a8b872e7316c08b.exe (PID 2044)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process svhost.exe set two string values:
  - \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\d3cb74d223b66e1c3aebf64e3aa2b4d1 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe\" .."
  - \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\d3cb74d223b66e1c3aebf64e3aa2b4d1 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe\" .."
  Both the per-user and the machine-wide (32-bit view) Run keys receive the same value name, so the persistence survives whichever of the two an analyst clears first; the Wow6432Node path shows the 32-bit process was redirected when it wrote to HKLM on this x64 host.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic wording for this signature reads "Likely ransomware behaviour"; for a sample identified as njRAT the drive enumeration is not evidence of ransomware on its own.
- Suspicious use of AdjustPrivilegeToken (21 IoCs)
  Process svhost.exe (PID 1984) enabled SeDebugPrivilege once, then alternated ten times between privilege 33 (LUID 33 is SeIncreaseWorkingSetPrivilege) and SeIncBasePriorityPrivilege.
- Suspicious use of WriteProcessMemory (8 IoCs)
  - PID 2044 (3b7f64b59e1472ab72c20b43f636002c87b58799da6388869a8b872e7316c08b.exe) wrote to the memory of PID 1984 (svhost.exe), 4 times
  - PID 1984 (svhost.exe) wrote to the memory of PID 1624 (netsh.exe), 4 times
  Each write set targets a process the writer had just spawned (see the process tree below), and the report lists no remote-thread creation or memory-protection change alongside them, so these writes by themselves are consistent with ordinary child-process start-up rather than injection.
Processes
1. C:\Users\Admin\AppData\Local\Temp\3b7f64b59e1472ab72c20b43f636002c87b58799da6388869a8b872e7316c08b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3b7f64b59e1472ab72c20b43f636002c87b58799da6388869a8b872e7316c08b.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\svhost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\svhost.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svhost.exe" "svhost.exe" ENABLE
         - Modifies Windows Firewall
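The chain above (self-copy into %APPDATA% under a svchost look-alike name, Run-key persistence under the client ID, and a netsh firewall exception) is what a host-based detection should key on. The following is an added example, not part of the sandbox output or of any vendor rule set: it runs a handful of checks over constructed Sysmon-shaped records (EventID 1 process create, 11 file create, 13 registry value set, 22 DNS query). The records are made up to exercise the checks and are not telemetry from this run; the IOC constants are taken from the report.

```python
"""Host-based checks for the behaviours recorded in this report.

Added example; not part of the sandbox output or of any vendor rule set.
The events below are constructed in a Sysmon-like shape purely to exercise
the checks; they are not real telemetry. IOC constants come from the report.
"""
from __future__ import annotations

import re

# Indicators taken from the report.
SAMPLE_SHA256 = "3b7f64b59e1472ab72c20b43f636002c87b58799da6388869a8b872e7316c08b"
NJRAT_REG_KEY = "d3cb74d223b66e1c3aebf64e3aa2b4d1"
C2_HOST = "securit.linkpc.net"

RUN_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Direct children of AppData\Roaming or AppData\Local only (not Local\Temp\...).
APPDATA_EXE_RE = re.compile(r"\\AppData\\(?:Roaming|Local)\\[^\\]+\.exe$", re.I)
SYSTEM_DIR_RE = re.compile(r"\\Windows\\(?:System32|SysWOW64)\\", re.I)
SVCHOST_LOOKALIKE_RE = re.compile(r"^svc?host\.exe$", re.I)  # svhost.exe / svchost.exe
NETSH_ALLOW_RE = re.compile(
    r'^(?:"?[^"\s]*\\)?netsh(?:\.exe)?"?\s+'
    r"(?:firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)\b", re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list[str]:
    """Return the names of the checks one event trips, in a fixed order."""
    hits: list[str] = []
    eid = ev.get("EventID")
    image = ev.get("Image", "")

    # The dropped svhost.exe is byte-identical to the sample, so one hash covers both.
    if SAMPLE_SHA256 in ev.get("Hashes", "").lower():
        hits.append("known_sample_hash")

    if eid == 11 and APPDATA_EXE_RE.search(ev.get("TargetFilename", "")):
        hits.append("dropped_exe_in_appdata")

    if eid == 1:
        # svchost.exe belongs in System32/SysWOW64; the look-alike runs from %APPDATA%.
        if SVCHOST_LOOKALIKE_RE.match(_basename(image)) and not SYSTEM_DIR_RE.search(image):
            hits.append("svchost_lookalike_outside_system32")
        if NETSH_ALLOW_RE.match(ev.get("CommandLine", "").strip()):
            hits.append("netsh_firewall_allow")

    if eid == 13:
        target = ev.get("TargetObject", "")
        if RUN_KEY_RE.search(target):
            hits.append("run_key_persistence")
            if target.lower().endswith("\\" + NJRAT_REG_KEY):
                hits.append("known_njrat_reg_key")

    if eid == 22 and ev.get("QueryName", "").lower() == C2_HOST:
        hits.append("c2_domain_lookup")
    return hits


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event index to the checks it trips, omitting events that trip none."""
    result: dict[int, list[str]] = {}
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            result[i] = hits
    return result


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\3b7f64b59e1472ab72c20b43f636002c87b58799da6388869a8b872e7316c08b.exe"
SVHOST = r"C:\Users\Admin\AppData\Roaming\svhost.exe"

SAMPLE_EVENTS = [  # constructed, modelled on the process tree in the report
    {"EventID": 11, "Image": DROPPER, "TargetFilename": SVHOST},
    {"EventID": 1, "Image": SVHOST, "ParentImage": DROPPER,
     "CommandLine": f'"{SVHOST}" ..', "Hashes": f"SHA256={SAMPLE_SHA256.upper()}"},
    {"EventID": 13, "Image": SVHOST,
     "TargetObject": r"HKU\S-1-5-21-1819626980-2277161760-1023733287-1000"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\d3cb74d223b66e1c3aebf64e3aa2b4d1",
     "Details": f'"{SVHOST}" ..'},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\netsh.exe", "ParentImage": SVHOST,
     "CommandLine": f'netsh firewall add allowedprogram "{SVHOST}" "svhost.exe" ENABLE'},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs"},  # benign control
    {"EventID": 22, "Image": SVHOST, "QueryName": C2_HOST},
]

if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS).items():
        print(idx, names)
```

The hash and registry-value checks are specific to this build; the look-alike-name, AppData drop and netsh checks are generic and will also catch the next njRAT build that changes its client ID. The netsh pattern covers both the legacy `netsh firewall add allowedprogram` form seen here and the `advfirewall firewall add rule` form used on newer Windows.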
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\svhost.exe (listed three times in the original report: twice as C:\Users\Admin\AppData\Roaming\svhost.exe and once as \Users\Admin\AppData\Roaming\svhost.exe, all with identical hashes)
  - Filesize: 23KB
  - MD5: ca64a9c11199bbd232c737eb34117e0f
  - SHA1: 44427cc753e8f1cda936970605885010772c4697
  - SHA256: 3b7f64b59e1472ab72c20b43f636002c87b58799da6388869a8b872e7316c08b
  - SHA512: 6d44d971dc16c3b52cf853f999c7fa212d478081d76b463db98858e3bccd040e7368d1667706b032675644b80d06ae3c3032e03475f0e23417607abbcaa5c126
  The dropped svhost.exe carries exactly the hashes of the submitted sample: the first stage copies itself to %APPDATA% rather than unpacking a separate payload, so a single file hash covers both the submitted file and the persisted copy.
- memory/1624-63-0x0000000000000000-mapping.dmp (netsh.exe, PID 1624)
- memory/1984-57-0x0000000000000000-mapping.dmp (svhost.exe, PID 1984)
- memory/1984-62-0x00000000744D0000-0x0000000074A7B000-memory.dmp, Filesize 5.7MB
- memory/1984-65-0x00000000744D0000-0x0000000074A7B000-memory.dmp, Filesize 5.7MB
- memory/2044-54-0x0000000075441000-0x0000000075443000-memory.dmp, Filesize 8KB
- memory/2044-55-0x00000000744D0000-0x0000000074A7B000-memory.dmp, Filesize 5.7MB
- memory/2044-61-0x00000000744D0000-0x0000000074A7B000-memory.dmp, Filesize 5.7MB
The 5.7MB region at 0x744D0000-0x74A7B000 is dumped from both PID 2044 and PID 1984 at the same address and size, which is consistent with a shared system module mapped at its preferred base rather than a per-process allocation; the two small mapping dumps (0x0 base) correspond to the child processes each parent wrote to in the WriteProcessMemory IoCs.