Analysis
max time kernel: 151s
max time network: 153s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 05-09-2022 12:26
Behavioral task: behavioral1
Sample: 35329cdc7dc585785684a6ceb65278b1.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 35329cdc7dc585785684a6ceb65278b1.exe
Resource: win10v2004-20220812-en
General
Target: 35329cdc7dc585785684a6ceb65278b1.exe
Size: 37KB
MD5: 35329cdc7dc585785684a6ceb65278b1
SHA1: f154f7b937ed9b4f6738703f3a3e9ea0350fb806
SHA256: 571b1ab166e73a7e33e5cf8b9f9c9e3a055b11205394a7395b7775f49dd76d66
SHA512: 3c278efd08276780388893b9d823841531ff136ce21e6e9fad2c229f14d6af92c5007113ae4ebdbfa32fb567df059816b6c84420fa19d9309bc3373e9b16db33
SSDEEP: 384:unu1HCiMT3jBVbJsy8PVAbAoJvzv7QyYdSrAF+rMRTyN/0L+EcoinblneHQM3epz:uhbJP8PVsAafVY0rM+rMRa8NuICt
Malware Config
Extracted
njrat
im523
HACK
journal-serial.at.playit.gg:59826
6b15523b39e3dae4db6cae2a109d2d5f
reg_key: 6b15523b39e3dae4db6cae2a109d2d5f
splitter: |'|'|
Signatures

Executes dropped EXE (1 IoC)
Processes (pid | process):
  624 | svhost.exe

Modifies Windows Firewall (1 TTP, 1 IoC)

Drops startup file (2 IoCs)
Processes (description | ioc | process):
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6b15523b39e3dae4db6cae2a109d2d5f.exe | svhost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6b15523b39e3dae4db6cae2a109d2d5f.exe | svhost.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\6b15523b39e3dae4db6cae2a109d2d5f = "\"C:\\Windows\\svhost.exe\" .." | svhost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\6b15523b39e3dae4db6cae2a109d2d5f = "\"C:\\Windows\\svhost.exe\" .." | svhost.exe

Drops file in Windows directory (3 IoCs)
Processes (description | ioc | process):
  File created | C:\Windows\svhost.exe | 35329cdc7dc585785684a6ceb65278b1.exe
  File opened for modification | C:\Windows\svhost.exe | 35329cdc7dc585785684a6ceb65278b1.exe
  File opened for modification | C:\Windows\svhost.exe | svhost.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Kills process with taskkill (1 IoC)
Processes (pid | process):
  1548 | taskkill.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid | process):
  624 | svhost.exe
  624 | svhost.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid | process):
  624 | svhost.exe

Suspicious use of AdjustPrivilegeToken (18 IoCs)
Processes (description | pid | process):
  Token: SeDebugPrivilege | 624 | svhost.exe
  Token: SeDebugPrivilege | 1548 | taskkill.exe
  Token: 33 | 624 | svhost.exe
  Token: SeIncBasePriorityPrivilege | 624 | svhost.exe
  Token: 33 | 624 | svhost.exe
  Token: SeIncBasePriorityPrivilege | 624 | svhost.exe
  Token: 33 | 624 | svhost.exe
  Token: SeIncBasePriorityPrivilege | 624 | svhost.exe
  Token: 33 | 624 | svhost.exe
  Token: SeIncBasePriorityPrivilege | 624 | svhost.exe
  Token: 33 | 624 | svhost.exe
  Token: SeIncBasePriorityPrivilege | 624 | svhost.exe
  Token: 33 | 624 | svhost.exe
  Token: SeIncBasePriorityPrivilege | 624 | svhost.exe
  Token: 33 | 624 | svhost.exe
  Token: SeIncBasePriorityPrivilege | 624 | svhost.exe
  Token: 33 | 624 | svhost.exe
  Token: SeIncBasePriorityPrivilege | 624 | svhost.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description | pid | process | target process):
  PID 1516 wrote to memory of 624 | 1516 | 35329cdc7dc585785684a6ceb65278b1.exe | svhost.exe
  PID 1516 wrote to memory of 624 | 1516 | 35329cdc7dc585785684a6ceb65278b1.exe | svhost.exe
  PID 1516 wrote to memory of 624 | 1516 | 35329cdc7dc585785684a6ceb65278b1.exe | svhost.exe
  PID 1516 wrote to memory of 624 | 1516 | 35329cdc7dc585785684a6ceb65278b1.exe | svhost.exe
  PID 624 wrote to memory of 1740 | 624 | svhost.exe | netsh.exe
  PID 624 wrote to memory of 1740 | 624 | svhost.exe | netsh.exe
  PID 624 wrote to memory of 1740 | 624 | svhost.exe | netsh.exe
  PID 624 wrote to memory of 1740 | 624 | svhost.exe | netsh.exe
  PID 624 wrote to memory of 1548 | 624 | svhost.exe | taskkill.exe
  PID 624 wrote to memory of 1548 | 624 | svhost.exe | taskkill.exe
  PID 624 wrote to memory of 1548 | 624 | svhost.exe | taskkill.exe
  PID 624 wrote to memory of 1548 | 624 | svhost.exe | taskkill.exe
Processes (process tree; depth in brackets)

[1] C:\Users\Admin\AppData\Local\Temp\35329cdc7dc585785684a6ceb65278b1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\35329cdc7dc585785684a6ceb65278b1.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\svhost.exe
      Command line: "C:\Windows\svhost.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Windows\svhost.exe" "svhost.exe" ENABLE
        - Modifies Windows Firewall

    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /F /IM explorer.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Windows\svhost.exe
Filesize: 37KB
MD5: 35329cdc7dc585785684a6ceb65278b1
SHA1: f154f7b937ed9b4f6738703f3a3e9ea0350fb806
SHA256: 571b1ab166e73a7e33e5cf8b9f9c9e3a055b11205394a7395b7775f49dd76d66
SHA512: 3c278efd08276780388893b9d823841531ff136ce21e6e9fad2c229f14d6af92c5007113ae4ebdbfa32fb567df059816b6c84420fa19d9309bc3373e9b16db33

memory/624-56-0x0000000000000000-mapping.dmp

memory/624-61-0x0000000074300000-0x00000000748AB000-memory.dmp
Filesize: 5.7MB

memory/624-65-0x0000000074300000-0x00000000748AB000-memory.dmp
Filesize: 5.7MB

memory/1516-54-0x0000000075841000-0x0000000075843000-memory.dmp
Filesize: 8KB

memory/1516-55-0x0000000074300000-0x00000000748AB000-memory.dmp
Filesize: 5.7MB

memory/1516-60-0x0000000074300000-0x00000000748AB000-memory.dmp
Filesize: 5.7MB

memory/1516-62-0x0000000074300000-0x00000000748AB000-memory.dmp
Filesize: 5.7MB

memory/1548-64-0x0000000000000000-mapping.dmp

memory/1740-63-0x0000000000000000-mapping.dmp