Analysis
- max time kernel: 152s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 03-07-2022 16:16
Behavioral task: behavioral1
- Sample: 3b7f64b59e1472ab72c20b43f636002c87b58799da6388869a8b872e7316c08b.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 3b7f64b59e1472ab72c20b43f636002c87b58799da6388869a8b872e7316c08b.exe
- Resource: win10v2004-20220414-en
General
- Target: 3b7f64b59e1472ab72c20b43f636002c87b58799da6388869a8b872e7316c08b.exe
- Size: 23KB
- MD5: ca64a9c11199bbd232c737eb34117e0f
- SHA1: 44427cc753e8f1cda936970605885010772c4697
- SHA256: 3b7f64b59e1472ab72c20b43f636002c87b58799da6388869a8b872e7316c08b
- SHA512: 6d44d971dc16c3b52cf853f999c7fa212d478081d76b463db98858e3bccd040e7368d1667706b032675644b80d06ae3c3032e03475f0e23417607abbcaa5c126
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet/campaign ID: HacKed
- C2: securit.linkpc.net:10156
- Mutex: d3cb74d223b66e1c3aebf64e3aa2b4d1
- reg_key: d3cb74d223b66e1c3aebf64e3aa2b4d1
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Process: svhost.exe (PID 4700)
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation (process: 3b7f64b59e1472ab72c20b43f636002c87b58799da6388869a8b872e7316c08b.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d3cb74d223b66e1c3aebf64e3aa2b4d1 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe\" .." (process: svhost.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\d3cb74d223b66e1c3aebf64e3aa2b4d1 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe\" .." (process: svhost.exe)
- Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{287D8A79-DEB4-4B19-83EE-21EF4BDE5159}.catalogItem (process: svchost.exe)
  File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{E4AD6B4F-5F9D-4B9F-8C9B-0EEFEA2DC2F0}.catalogItem (process: svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (process: svchost.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: svchost.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: svchost.exe)
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (process: svchost.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (process: svchost.exe)
- Suspicious use of AdjustPrivilegeToken (27 IoCs)
  Process: svhost.exe (PID 4700)
  Token: SeDebugPrivilege (1 occurrence)
  Token: 33 (13 occurrences)
  Token: SeIncBasePriorityPrivilege (13 occurrences)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4420 (3b7f64b59e1472ab72c20b43f636002c87b58799da6388869a8b872e7316c08b.exe) wrote to memory of PID 4700 (svhost.exe): 3 occurrences
  PID 4700 (svhost.exe) wrote to memory of PID 1592 (netsh.exe): 3 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\3b7f64b59e1472ab72c20b43f636002c87b58799da6388869a8b872e7316c08b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3b7f64b59e1472ab72c20b43f636002c87b58799da6388869a8b872e7316c08b.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\svhost.exe (child)
    Command line: "C:\Users\Admin\AppData\Roaming\svhost.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (child)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svhost.exe" "svhost.exe" ENABLE
      - Modifies Windows Firewall
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\svhost.exe
  Filesize: 23KB
  MD5: ca64a9c11199bbd232c737eb34117e0f
  SHA1: 44427cc753e8f1cda936970605885010772c4697
  SHA256: 3b7f64b59e1472ab72c20b43f636002c87b58799da6388869a8b872e7316c08b
  SHA512: 6d44d971dc16c3b52cf853f999c7fa212d478081d76b463db98858e3bccd040e7368d1667706b032675644b80d06ae3c3032e03475f0e23417607abbcaa5c126
- memory/1592-137-0x0000000000000000-mapping.dmp
- memory/4420-130-0x0000000074CC0000-0x0000000075271000-memory.dmp (Filesize: 5.7MB)
- memory/4420-131-0x0000000074CC0000-0x0000000075271000-memory.dmp (Filesize: 5.7MB)
- memory/4420-136-0x0000000074CC0000-0x0000000075271000-memory.dmp (Filesize: 5.7MB)
- memory/4700-132-0x0000000000000000-mapping.dmp
- memory/4700-135-0x0000000074CC0000-0x0000000075271000-memory.dmp (Filesize: 5.7MB)
- memory/4700-138-0x0000000074CC0000-0x0000000075271000-memory.dmp (Filesize: 5.7MB)