Analysis
- max time kernel: 101s
- max time network: 104s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 27-07-2022 06:21
Behavioral task: behavioral1
- Sample: 009f8928b2e3dbdaec6c166e820445d0.exe
- Resource: win7-20220718-en

Behavioral task: behavioral2
- Sample: 009f8928b2e3dbdaec6c166e820445d0.exe
- Resource: win10v2004-20220721-en
General
- Target: 009f8928b2e3dbdaec6c166e820445d0.exe
- Size: 37KB
- MD5: 009f8928b2e3dbdaec6c166e820445d0
- SHA1: ed3b5e68ab721ab7c7d6417c335fd85d3d2a1315
- SHA256: 952f0f0f9b522fd3b8f764d5a84cf23c7cfcf412eb5bce8ba48fae3e19887047
- SHA512: 3bdbb4f199e22c4b18d3533da23bfa2d1e8b3c25d7a2014e1e7cc73b860abee85083a4c047fdc48d2e1fa8cc5bdab24277bd5a3288c72629d700befcf8256506
Malware Config
Extracted
- Family: njrat
- Version: im523
- Botnet: HacKed
- C2: eidnafa522.ddns.net:5552
- Mutex: 4a7bbceff6cedc909e9ef3cb6a805541
- reg_key: 4a7bbceff6cedc909e9ef3cb6a805541
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 992  svhost.exe

- Modifies Windows Firewall (1 TTP, 1 IoC)

- Drops startup file (2 IoCs)
  Processes: svhost.exe
    description                    ioc                                                                                                    process
    File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4a7bbceff6cedc909e9ef3cb6a805541.exe   svhost.exe
    File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4a7bbceff6cedc909e9ef3cb6a805541.exe   svhost.exe

- Loads dropped DLL (1 IoC)
  Processes:
    pid 608  009f8928b2e3dbdaec6c166e820445d0.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: svhost.exe
    description       ioc                                                                                                                                                                             process
    Set value (str)   \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run\4a7bbceff6cedc909e9ef3cb6a805541 = "\"C:\\Users\\Admin\\svhost.exe\" .."   svhost.exe
    Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\4a7bbceff6cedc909e9ef3cb6a805541 = "\"C:\\Users\\Admin\\svhost.exe\" .."                                 svhost.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of AdjustPrivilegeToken (17 IoCs)
  Processes: svhost.exe, shutdown.exe, AUDIODG.EXE
    description                         pid    process
    Token: SeDebugPrivilege             992    svhost.exe
    Token: 33                           992    svhost.exe
    Token: SeIncBasePriorityPrivilege   992    svhost.exe
    Token: 33                           992    svhost.exe
    Token: SeIncBasePriorityPrivilege   992    svhost.exe
    Token: 33                           992    svhost.exe
    Token: SeIncBasePriorityPrivilege   992    svhost.exe
    Token: 33                           992    svhost.exe
    Token: SeIncBasePriorityPrivilege   992    svhost.exe
    Token: 33                           992    svhost.exe
    Token: SeIncBasePriorityPrivilege   992    svhost.exe
    Token: SeShutdownPrivilege          1816   shutdown.exe
    Token: SeRemoteShutdownPrivilege    1816   shutdown.exe
    Token: 33                           320    AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege   320    AUDIODG.EXE
    Token: 33                           320    AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege   320    AUDIODG.EXE

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 009f8928b2e3dbdaec6c166e820445d0.exe, svhost.exe
    description                   pid   process                                target process
    PID 608 wrote to memory of 992    608   009f8928b2e3dbdaec6c166e820445d0.exe   svhost.exe
    PID 608 wrote to memory of 992    608   009f8928b2e3dbdaec6c166e820445d0.exe   svhost.exe
    PID 608 wrote to memory of 992    608   009f8928b2e3dbdaec6c166e820445d0.exe   svhost.exe
    PID 608 wrote to memory of 992    608   009f8928b2e3dbdaec6c166e820445d0.exe   svhost.exe
    PID 992 wrote to memory of 1356   992   svhost.exe                             netsh.exe
    PID 992 wrote to memory of 1356   992   svhost.exe                             netsh.exe
    PID 992 wrote to memory of 1356   992   svhost.exe                             netsh.exe
    PID 992 wrote to memory of 1356   992   svhost.exe                             netsh.exe
    PID 992 wrote to memory of 1816   992   svhost.exe                             shutdown.exe
    PID 992 wrote to memory of 1816   992   svhost.exe                             shutdown.exe
    PID 992 wrote to memory of 1816   992   svhost.exe                             shutdown.exe
    PID 992 wrote to memory of 1816   992   svhost.exe                             shutdown.exe
Processes (indented by process-tree depth)
- C:\Users\Admin\AppData\Local\Temp\009f8928b2e3dbdaec6c166e820445d0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\009f8928b2e3dbdaec6c166e820445d0.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\svhost.exe
      Command line: "C:\Users\Admin\svhost.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\netsh.exe
          Command line: netsh firewall add allowedprogram "C:\Users\Admin\svhost.exe" "svhost.exe" ENABLE
          - Modifies Windows Firewall
        - C:\Windows\SysWOW64\shutdown.exe
          Command line: shutdown -s -t 00
          - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x56c
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\svhost.exe
  Filesize: 37KB
  MD5: 009f8928b2e3dbdaec6c166e820445d0
  SHA1: ed3b5e68ab721ab7c7d6417c335fd85d3d2a1315
  SHA256: 952f0f0f9b522fd3b8f764d5a84cf23c7cfcf412eb5bce8ba48fae3e19887047
  SHA512: 3bdbb4f199e22c4b18d3533da23bfa2d1e8b3c25d7a2014e1e7cc73b860abee85083a4c047fdc48d2e1fa8cc5bdab24277bd5a3288c72629d700befcf8256506

- C:\Users\Admin\svhost.exe
  Filesize: 37KB
  MD5: 009f8928b2e3dbdaec6c166e820445d0
  SHA1: ed3b5e68ab721ab7c7d6417c335fd85d3d2a1315
  SHA256: 952f0f0f9b522fd3b8f764d5a84cf23c7cfcf412eb5bce8ba48fae3e19887047
  SHA512: 3bdbb4f199e22c4b18d3533da23bfa2d1e8b3c25d7a2014e1e7cc73b860abee85083a4c047fdc48d2e1fa8cc5bdab24277bd5a3288c72629d700befcf8256506

- \Users\Admin\svhost.exe
  Filesize: 37KB
  MD5: 009f8928b2e3dbdaec6c166e820445d0
  SHA1: ed3b5e68ab721ab7c7d6417c335fd85d3d2a1315
  SHA256: 952f0f0f9b522fd3b8f764d5a84cf23c7cfcf412eb5bce8ba48fae3e19887047
  SHA512: 3bdbb4f199e22c4b18d3533da23bfa2d1e8b3c25d7a2014e1e7cc73b860abee85083a4c047fdc48d2e1fa8cc5bdab24277bd5a3288c72629d700befcf8256506

Memory dumps
- memory/608-61-0x0000000074CB0000-0x000000007525B000-memory.dmp (Filesize: 5.7MB)
- memory/608-55-0x0000000074CB0000-0x000000007525B000-memory.dmp (Filesize: 5.7MB)
- memory/608-54-0x00000000768F1000-0x00000000768F3000-memory.dmp (Filesize: 8KB)
- memory/992-57-0x0000000000000000-mapping.dmp
- memory/992-62-0x0000000074CB0000-0x000000007525B000-memory.dmp (Filesize: 5.7MB)
- memory/992-65-0x0000000074CB0000-0x000000007525B000-memory.dmp (Filesize: 5.7MB)
- memory/992-68-0x0000000074CB0000-0x000000007525B000-memory.dmp (Filesize: 5.7MB)
- memory/1136-67-0x000007FEFC331000-0x000007FEFC333000-memory.dmp (Filesize: 8KB)
- memory/1356-63-0x0000000000000000-mapping.dmp
- memory/1816-66-0x0000000000000000-mapping.dmp