Analysis
- Max time kernel: 150s
- Max time network: 153s
- Platform: windows7_x64
- Resource: win7-20220901-en
- Resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- Submitted: 06-09-2022 05:46
Behavioral task behavioral1
- Sample: a2b7067c9ed51dcf8eccb251da3bae89.exe
- Resource: win7-20220901-en
Behavioral task behavioral2
- Sample: a2b7067c9ed51dcf8eccb251da3bae89.exe
- Resource: win10v2004-20220812-en
General
- Target: a2b7067c9ed51dcf8eccb251da3bae89.exe
- Size: 37KB
- MD5: a2b7067c9ed51dcf8eccb251da3bae89
- SHA1: 72dded4f4c1474804ab9508176a5587d71529d4b
- SHA256: d3895a176b088ccea8de7ff50cabe73195a0a56bf4d32482dbc47bdcef733dc2
- SHA512: 609412d6e4147bf87cc8481c7fec9b9c39c540042879cbabc916b007942df21fcc0ed05f0cefe9e01b839ee3c9279368d4de9ccb19e1a7fe37a6bc3e82395d74
- SSDEEP: 384:snu1HCiMT3jBVbJsy8PVAbAoJvzv7QyYdbrAF+rMRTyN/0L+EcoinblneHQM3epb:0hbJP8PVsAafVYJrM+rMRa8NuIGt
Malware Config
Extracted family: njrat
- Version: im523
- Botnet: HACK
- C2: journal-serial.at.playit.gg:59826
- Mutex: 6b15523b39e3dae4db6cae2a109d2d5f
- reg_key: 6b15523b39e3dae4db6cae2a109d2d5f
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Process: pid 1028 svhost.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Drops startup file (2 IoCs)
  Process svhost.exe:
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6b15523b39e3dae4db6cae2a109d2d5f.exe
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6b15523b39e3dae4db6cae2a109d2d5f.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process svhost.exe:
  - Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\6b15523b39e3dae4db6cae2a109d2d5f = "\"C:\\Windows\\svhost.exe\" .."
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\6b15523b39e3dae4db6cae2a109d2d5f = "\"C:\\Windows\\svhost.exe\" .."
- Drops file in Windows directory (3 IoCs)
  Processes a2b7067c9ed51dcf8eccb251da3bae89.exe, svhost.exe:
  - File opened for modification: C:\Windows\svhost.exe (by a2b7067c9ed51dcf8eccb251da3bae89.exe)
  - File opened for modification: C:\Windows\svhost.exe (by svhost.exe)
  - File created: C:\Windows\svhost.exe (by a2b7067c9ed51dcf8eccb251da3bae89.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoC)
  Process: pid 1736 taskkill.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: pid 1028 svhost.exe
- Suspicious use of AdjustPrivilegeToken (20 IoCs)
  Processes svhost.exe, taskkill.exe:
  - Token: SeDebugPrivilege, pid 1028 svhost.exe
  - Token: SeDebugPrivilege, pid 1736 taskkill.exe
  - Token: 33, pid 1028 svhost.exe (9 occurrences)
  - Token: SeIncBasePriorityPrivilege, pid 1028 svhost.exe (9 occurrences)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes a2b7067c9ed51dcf8eccb251da3bae89.exe, svhost.exe:
  - PID 1672 (a2b7067c9ed51dcf8eccb251da3bae89.exe) wrote to memory of PID 1028 (svhost.exe), 4 occurrences
  - PID 1028 (svhost.exe) wrote to memory of PID 1500 (netsh.exe), 4 occurrences
  - PID 1028 (svhost.exe) wrote to memory of PID 1736 (taskkill.exe), 4 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\a2b7067c9ed51dcf8eccb251da3bae89.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a2b7067c9ed51dcf8eccb251da3bae89.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\svhost.exe (depth 2)
    Command line: "C:\Windows\svhost.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: netsh firewall add allowedprogram "C:\Windows\svhost.exe" "svhost.exe" ENABLE
      - Modifies Windows Firewall
    - C:\Windows\SysWOW64\taskkill.exe (depth 3)
      Command line: taskkill /F /IM explorer.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\svhost.exe
  - Filesize: 37KB
  - MD5: a2b7067c9ed51dcf8eccb251da3bae89
  - SHA1: 72dded4f4c1474804ab9508176a5587d71529d4b
  - SHA256: d3895a176b088ccea8de7ff50cabe73195a0a56bf4d32482dbc47bdcef733dc2
  - SHA512: 609412d6e4147bf87cc8481c7fec9b9c39c540042879cbabc916b007942df21fcc0ed05f0cefe9e01b839ee3c9279368d4de9ccb19e1a7fe37a6bc3e82395d74
- memory/1028-56-0x0000000000000000-mapping.dmp
- memory/1028-61-0x0000000074170000-0x000000007471B000-memory.dmp (Filesize: 5.7MB)
- memory/1028-65-0x0000000074170000-0x000000007471B000-memory.dmp (Filesize: 5.7MB)
- memory/1500-62-0x0000000000000000-mapping.dmp
- memory/1672-54-0x0000000075111000-0x0000000075113000-memory.dmp (Filesize: 8KB)
- memory/1672-55-0x0000000074170000-0x000000007471B000-memory.dmp (Filesize: 5.7MB)
- memory/1672-60-0x0000000074170000-0x000000007471B000-memory.dmp (Filesize: 5.7MB)
- memory/1736-63-0x0000000000000000-mapping.dmp