Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-07-2022 06:21
Behavioral task: behavioral1
Sample: 009f8928b2e3dbdaec6c166e820445d0.exe
Resource: win7-20220718-en
Behavioral task: behavioral2
Sample: 009f8928b2e3dbdaec6c166e820445d0.exe
Resource: win10v2004-20220721-en
General
Target: 009f8928b2e3dbdaec6c166e820445d0.exe
Size: 37KB
MD5: 009f8928b2e3dbdaec6c166e820445d0
SHA1: ed3b5e68ab721ab7c7d6417c335fd85d3d2a1315
SHA256: 952f0f0f9b522fd3b8f764d5a84cf23c7cfcf412eb5bce8ba48fae3e19887047
SHA512: 3bdbb4f199e22c4b18d3533da23bfa2d1e8b3c25d7a2014e1e7cc73b860abee85083a4c047fdc48d2e1fa8cc5bdab24277bd5a3288c72629d700befcf8256506
Malware Config
Extracted
Family: njrat
Version: im523
Botnet: HacKed
C2: eidnafa522.ddns.net:5552
Mutex: 4a7bbceff6cedc909e9ef3cb6a805541
Attributes:
reg_key: 4a7bbceff6cedc909e9ef3cb6a805541
splitter: |'|'|
Signatures

Executes dropped EXE (1 IoCs)
Processes: svhost.exe
pid | process
4704 | svhost.exe

Modifies Windows Firewall (1 TTPs, 1 IoCs)

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 009f8928b2e3dbdaec6c166e820445d0.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation | 009f8928b2e3dbdaec6c166e820445d0.exe

Drops startup file (2 IoCs)
Processes: svhost.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4a7bbceff6cedc909e9ef3cb6a805541.exe | svhost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4a7bbceff6cedc909e9ef3cb6a805541.exe | svhost.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: svhost.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4a7bbceff6cedc909e9ef3cb6a805541 = "\"C:\\Users\\Admin\\svhost.exe\" .." | svhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4a7bbceff6cedc909e9ef3cb6a805541 = "\"C:\\Users\\Admin\\svhost.exe\" .." | svhost.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes: svhost.exe
description | pid | process
Token: SeDebugPrivilege | 4704 | svhost.exe
Token: 33 | 4704 | svhost.exe
Token: SeIncBasePriorityPrivilege | 4704 | svhost.exe
(the pair of rows "Token: 33" / "Token: SeIncBasePriorityPrivilege", both pid 4704 svhost.exe, repeats 17 times, accounting for the remaining 34 IoCs)

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 009f8928b2e3dbdaec6c166e820445d0.exe, svhost.exe
description | pid | process | target process
PID 4364 wrote to memory of 4704 | 4364 | 009f8928b2e3dbdaec6c166e820445d0.exe | svhost.exe
PID 4364 wrote to memory of 4704 | 4364 | 009f8928b2e3dbdaec6c166e820445d0.exe | svhost.exe
PID 4364 wrote to memory of 4704 | 4364 | 009f8928b2e3dbdaec6c166e820445d0.exe | svhost.exe
PID 4704 wrote to memory of 4464 | 4704 | svhost.exe | netsh.exe
PID 4704 wrote to memory of 4464 | 4704 | svhost.exe | netsh.exe
PID 4704 wrote to memory of 4464 | 4704 | svhost.exe | netsh.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\009f8928b2e3dbdaec6c166e820445d0.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\009f8928b2e3dbdaec6c166e820445d0.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\svhost.exe
      command line: "C:\Users\Admin\svhost.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe
         command line: netsh firewall add allowedprogram "C:\Users\Admin\svhost.exe" "svhost.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\svhost.exe
Filesize: 37KB
MD5: 009f8928b2e3dbdaec6c166e820445d0
SHA1: ed3b5e68ab721ab7c7d6417c335fd85d3d2a1315
SHA256: 952f0f0f9b522fd3b8f764d5a84cf23c7cfcf412eb5bce8ba48fae3e19887047
SHA512: 3bdbb4f199e22c4b18d3533da23bfa2d1e8b3c25d7a2014e1e7cc73b860abee85083a4c047fdc48d2e1fa8cc5bdab24277bd5a3288c72629d700befcf8256506

memory/4364-130-0x0000000074FA0000-0x0000000075551000-memory.dmp
Filesize: 5.7MB

memory/4364-134-0x0000000074FA0000-0x0000000075551000-memory.dmp
Filesize: 5.7MB

memory/4464-136-0x0000000000000000-mapping.dmp

memory/4704-131-0x0000000000000000-mapping.dmp

memory/4704-135-0x0000000074FA0000-0x0000000075551000-memory.dmp
Filesize: 5.7MB

memory/4704-137-0x0000000074FA0000-0x0000000075551000-memory.dmp
Filesize: 5.7MB