Analysis
- max time kernel: 151s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 25-09-2022 07:26
Behavioral task
- behavioral1
- Sample: 0x000600000000b2d2-55.exe
- Resource: win7-20220812-en
General
- Target: 0x000600000000b2d2-55.exe
- Size: 37KB
- MD5: 26519b81ab0c5400711598dab3492da4
- SHA1: b28cd0ed6a3af783bddb83c2f2444902335c13a9
- SHA256: 553765cd10aca67763bfc1c158b143c34769fad1c0e826df511024ea6dce1409
- SHA512: 677fc384a8b03142fd3f9d4577b34b97b30ad430d96768c6e9d18ac9df8d3e859b77cc38e85d78e1288caa7c34fc7415e0895f8aaeeb6214527497b11e5b8e2c
- SSDEEP: 384:K0Lj99kitkZf5W9cTYXyc/jZMM6zffknvUBvrAF+rMRTyN/0L+EcoinblneHQM3a:V9qjjTYic/jW0vUxrM+rMRa8NuNxt
Malware Config
Extracted
- njrat
- im523
- HacKed
- 0.tcp.eu.ngrok.io:11177
- c6e1be96541084b1f53de49f469e8523
- reg_key: c6e1be96541084b1f53de49f469e8523
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: svchost.exe (pid 956)
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Loads dropped DLL (1 IoCs)
  Processes: 0x000600000000b2d2-55.exe (pid 1412)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: svchost.exe (pid 956), 64 identical entries
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: svchost.exe (pid 956)
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Processes: svchost.exe (pid 956): Token: SeDebugPrivilege (1 entry), Token: 33 (9 entries), Token: SeIncBasePriorityPrivilege (9 entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  - PID 1412 (0x000600000000b2d2-55.exe) wrote to memory of PID 956 (svchost.exe), 4 entries
  - PID 956 (svchost.exe) wrote to memory of PID 2024 (netsh.exe), 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\0x000600000000b2d2-55.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0x000600000000b2d2-55.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\svchost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 37KB
  MD5: 26519b81ab0c5400711598dab3492da4
  SHA1: b28cd0ed6a3af783bddb83c2f2444902335c13a9
  SHA256: 553765cd10aca67763bfc1c158b143c34769fad1c0e826df511024ea6dce1409
  SHA512: 677fc384a8b03142fd3f9d4577b34b97b30ad430d96768c6e9d18ac9df8d3e859b77cc38e85d78e1288caa7c34fc7415e0895f8aaeeb6214527497b11e5b8e2c
- \Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 37KB
  MD5: 26519b81ab0c5400711598dab3492da4
  SHA1: b28cd0ed6a3af783bddb83c2f2444902335c13a9
  SHA256: 553765cd10aca67763bfc1c158b143c34769fad1c0e826df511024ea6dce1409
  SHA512: 677fc384a8b03142fd3f9d4577b34b97b30ad430d96768c6e9d18ac9df8d3e859b77cc38e85d78e1288caa7c34fc7415e0895f8aaeeb6214527497b11e5b8e2c
- memory/956-57-0x0000000000000000-mapping.dmp
- memory/956-62-0x00000000741C0000-0x000000007476B000-memory.dmp
  Filesize: 5.7MB
- memory/956-65-0x00000000741C0000-0x000000007476B000-memory.dmp
  Filesize: 5.7MB
- memory/1412-54-0x0000000075771000-0x0000000075773000-memory.dmp
  Filesize: 8KB
- memory/1412-55-0x00000000741C0000-0x000000007476B000-memory.dmp
  Filesize: 5.7MB
- memory/1412-61-0x00000000741C0000-0x000000007476B000-memory.dmp
  Filesize: 5.7MB
- memory/2024-63-0x0000000000000000-mapping.dmp