Analysis
- max time kernel: 152s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-09-2022 19:56
Behavioral tasks
- behavioral1: sample 083efc45518c7f1fc2251b832a2eb9dc.exe, resource win7-20220812-en
- behavioral2: sample 083efc45518c7f1fc2251b832a2eb9dc.exe, resource win10v2004-20220812-en
General
- Target: 083efc45518c7f1fc2251b832a2eb9dc.exe
- Size: 37KB
- MD5: 083efc45518c7f1fc2251b832a2eb9dc
- SHA1: b62c3b893b0c8fef176f417b7ed3acdc699af263
- SHA256: 5696e83acfa1b5ee20d0f656e8b9a9941971e7c84f376b970d0d87b98f11c0c6
- SHA512: 90f74079073a682d4f8e74114a6a2d772e325fce88d47790e2623847d75f35331932485daa51bce8be6989a473c012a5e08d695267a8bbff5671c1afc283179e
- SSDEEP: 384:geELEUiFsbK7FmpE8QyEfQEP/gfPMIArAF+rMRTyN/0L+EcoinblneHQM3epzXZd:9EH2n8LEfQEg3MZrM+rMRa8NuTXt
Malware Config
Extracted
- Family: njrat
- Version: im523
- Botnet: HacKed
- C2: 2.tcp.ngrok.io:16976
- Mutex: ab95c48a378548825737fb3b7d22691c
- reg_key: ab95c48a378548825737fb3b7d22691c
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Process: svchost.exe (PID 3424)
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Process: 083efc45518c7f1fc2251b832a2eb9dc.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
- Drops startup file (2 IoCs)
  Process: svchost.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ab95c48a378548825737fb3b7d22691c.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ab95c48a378548825737fb3b7d22691c.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: svchost.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ab95c48a378548825737fb3b7d22691c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ab95c48a378548825737fb3b7d22691c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Process: svchost.exe (PID 3424), 64 identical entries
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: svchost.exe (PID 3424)
- Suspicious use of AdjustPrivilegeToken (29 IoCs)
  Process: svchost.exe (PID 3424)
  Token: SeDebugPrivilege (1 entry)
  Token: 33 (14 entries)
  Token: SeIncBasePriorityPrivilege (14 entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4972 (083efc45518c7f1fc2251b832a2eb9dc.exe) wrote to memory of PID 3424 (svchost.exe), 3 entries
  PID 3424 (svchost.exe) wrote to memory of PID 4712 (netsh.exe), 3 entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\083efc45518c7f1fc2251b832a2eb9dc.exe (PID 4972)
   Command line: "C:\Users\Admin\AppData\Local\Temp\083efc45518c7f1fc2251b832a2eb9dc.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 3424, child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (PID 4712, child of 2)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
         - Modifies Windows Firewall
Downloads
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  Filesize: 37KB
  MD5: 083efc45518c7f1fc2251b832a2eb9dc
  SHA1: b62c3b893b0c8fef176f417b7ed3acdc699af263
  SHA256: 5696e83acfa1b5ee20d0f656e8b9a9941971e7c84f376b970d0d87b98f11c0c6
  SHA512: 90f74079073a682d4f8e74114a6a2d772e325fce88d47790e2623847d75f35331932485daa51bce8be6989a473c012a5e08d695267a8bbff5671c1afc283179e
- memory/3424-134-0x0000000000000000-mapping.dmp
- memory/3424-138-0x00000000745F0000-0x0000000074BA1000-memory.dmp
  Filesize: 5.7MB
- memory/3424-140-0x00000000745F0000-0x0000000074BA1000-memory.dmp
  Filesize: 5.7MB
- memory/4712-139-0x0000000000000000-mapping.dmp
- memory/4972-132-0x00000000745F0000-0x0000000074BA1000-memory.dmp
  Filesize: 5.7MB
- memory/4972-133-0x00000000745F0000-0x0000000074BA1000-memory.dmp
  Filesize: 5.7MB
- memory/4972-137-0x00000000745F0000-0x0000000074BA1000-memory.dmp
  Filesize: 5.7MB