Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system
- submitted: 25-09-2022 07:21

Static task: static1
Behavioral task: behavioral1
- Sample: 2fe56b2f6d9a5c054b76747dd267b97d.exe
- Resource: win7-20220901-en
General
- Target: 2fe56b2f6d9a5c054b76747dd267b97d.exe
- Size: 333KB
- MD5: 2fe56b2f6d9a5c054b76747dd267b97d
- SHA1: 3737c981dab10ca7b676a3456315f7d59ac3f967
- SHA256: 060032a96340a43e32383dbc1f8723eda945a7d1c3d2f7201b36efd3b98d858e
- SHA512: 6cf11227817dae593c4e82465dc7080eca4a3767716daf47e53b55938f095349279079a0c7b7e70ed04567896517a2c06d44f540e605e5ec89f51283e6024d85
- SSDEEP: 6144:H8JsLcpjzTDDmHayakLkrb4NSarQWtT+tG1Xt5ub:8zxzTDWikLSb4NS7ET+tG1XtQb
Malware Config
Extracted
- Family: njrat
- Version: im523
- Botnet: HacKed
- C2: 0.tcp.eu.ngrok.io:11177
- Mutex: c6e1be96541084b1f53de49f469e8523
- Attributes:
  - reg_key: c6e1be96541084b1f53de49f469e8523
  - splitter: |'|'|
Signatures
-
Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  896   svchost.exe
  788   svchost.exe
-
Modifies Windows Firewall (1 TTPs, 1 IoCs)
-
Loads dropped DLL (4 IoCs)
Processes:
  pid    process
  1604   2fe56b2f6d9a5c054b76747dd267b97d.exe
  1604   2fe56b2f6d9a5c054b76747dd267b97d.exe
  1604   2fe56b2f6d9a5c054b76747dd267b97d.exe
  896    svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid   process
  788   svchost.exe   (64 identical entries)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid   process
  788   svchost.exe
-
Suspicious use of AdjustPrivilegeToken (19 IoCs)
Processes:
  description                         pid   process
  Token: SeDebugPrivilege             788   svchost.exe
  Token: 33                           788   svchost.exe   (9 identical entries)
  Token: SeIncBasePriorityPrivilege   788   svchost.exe   (9 identical entries)
-
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes:
  pid    process
  1284   DllHost.exe
-
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                         pid    process                                 target pid   target process
  PID 1604 wrote to memory of 896     1604   2fe56b2f6d9a5c054b76747dd267b97d.exe    896          svchost.exe   (4 identical entries)
  PID 896 wrote to memory of 788      896    svchost.exe                             788          svchost.exe   (4 identical entries)
  PID 788 wrote to memory of 1760     788    svchost.exe                             1760         netsh.exe     (4 identical entries)
Processes
-
(depth 1) C:\Users\Admin\AppData\Local\Temp\2fe56b2f6d9a5c054b76747dd267b97d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2fe56b2f6d9a5c054b76747dd267b97d.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  -
  (depth 2) C:\Users\Admin\AppData\Local\Temp\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    -
    (depth 3) C:\Users\Admin\AppData\Roaming\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      -
      (depth 4) C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
        - Modifies Windows Firewall
-
(depth 1) C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe
  Filesize: 37KB
  MD5: 26519b81ab0c5400711598dab3492da4
  SHA1: b28cd0ed6a3af783bddb83c2f2444902335c13a9
  SHA256: 553765cd10aca67763bfc1c158b143c34769fad1c0e826df511024ea6dce1409
  SHA512: 677fc384a8b03142fd3f9d4577b34b97b30ad430d96768c6e9d18ac9df8d3e859b77cc38e85d78e1288caa7c34fc7415e0895f8aaeeb6214527497b11e5b8e2c
-
C:\Users\Admin\AppData\Local\Temp\хуйня.png
  Filesize: 7KB
  MD5: 0c3dfadc5c71f2d82c8965465665d48c
  SHA1: bbd957499d80fcf556b1f9a8a42686861f34082f
  SHA256: c17a05e1f2d2efdd53178f0fb0f9287b16843a2d2fc402273c43018b994c76bf
  SHA512: 8cda0f1a5c7bab0c5620a278af0e05b748980a484850634071c30a0d75ff8de189ceaa1d7ffbd93d7fc3cee3caa124c201d6b60fdea7bf0889c361ea10b6405d
-
C:\Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 37KB
  MD5: 26519b81ab0c5400711598dab3492da4
  SHA1: b28cd0ed6a3af783bddb83c2f2444902335c13a9
  SHA256: 553765cd10aca67763bfc1c158b143c34769fad1c0e826df511024ea6dce1409
  SHA512: 677fc384a8b03142fd3f9d4577b34b97b30ad430d96768c6e9d18ac9df8d3e859b77cc38e85d78e1288caa7c34fc7415e0895f8aaeeb6214527497b11e5b8e2c
-
\Users\Admin\AppData\Local\Temp\svchost.exe
  Filesize: 37KB
  MD5: 26519b81ab0c5400711598dab3492da4
  SHA1: b28cd0ed6a3af783bddb83c2f2444902335c13a9
  SHA256: 553765cd10aca67763bfc1c158b143c34769fad1c0e826df511024ea6dce1409
  SHA512: 677fc384a8b03142fd3f9d4577b34b97b30ad430d96768c6e9d18ac9df8d3e859b77cc38e85d78e1288caa7c34fc7415e0895f8aaeeb6214527497b11e5b8e2c
-
\Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 37KB
  MD5: 26519b81ab0c5400711598dab3492da4
  SHA1: b28cd0ed6a3af783bddb83c2f2444902335c13a9
  SHA256: 553765cd10aca67763bfc1c158b143c34769fad1c0e826df511024ea6dce1409
  SHA512: 677fc384a8b03142fd3f9d4577b34b97b30ad430d96768c6e9d18ac9df8d3e859b77cc38e85d78e1288caa7c34fc7415e0895f8aaeeb6214527497b11e5b8e2c
-
memory/788-66-0x0000000000000000-mapping.dmp
-
memory/788-71-0x0000000073310000-0x00000000738BB000-memory.dmp
  Filesize: 5.7MB
-
memory/788-74-0x0000000073310000-0x00000000738BB000-memory.dmp
  Filesize: 5.7MB
-
memory/896-58-0x0000000000000000-mapping.dmp
-
memory/896-63-0x0000000073310000-0x00000000738BB000-memory.dmp
  Filesize: 5.7MB
-
memory/896-70-0x0000000073310000-0x00000000738BB000-memory.dmp
  Filesize: 5.7MB
-
memory/1604-54-0x0000000076461000-0x0000000076463000-memory.dmp
  Filesize: 8KB
-
memory/1760-72-0x0000000000000000-mapping.dmp