Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-09-2022 07:26
Behavioral task
- behavioral1
- Sample: 0x000600000000b2d2-55.exe
- Resource: win7-20220812-en
General
- Target: 0x000600000000b2d2-55.exe
- Size: 37KB
- MD5: 26519b81ab0c5400711598dab3492da4
- SHA1: b28cd0ed6a3af783bddb83c2f2444902335c13a9
- SHA256: 553765cd10aca67763bfc1c158b143c34769fad1c0e826df511024ea6dce1409
- SHA512: 677fc384a8b03142fd3f9d4577b34b97b30ad430d96768c6e9d18ac9df8d3e859b77cc38e85d78e1288caa7c34fc7415e0895f8aaeeb6214527497b11e5b8e2c
- SSDEEP: 384:K0Lj99kitkZf5W9cTYXyc/jZMM6zffknvUBvrAF+rMRTyN/0L+EcoinblneHQM3a:V9qjjTYic/jW0vUxrM+rMRa8NuNxt
Malware Config
Extracted
- Family: njrat
- Version: im523
- Botnet: HacKed
- C2: 0.tcp.eu.ngrok.io:11177
- Mutex: c6e1be96541084b1f53de49f469e8523
- reg_key: c6e1be96541084b1f53de49f469e8523
- splitter: |'|'|
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
- svchost.exe (PID 3060)
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- 0x000600000000b2d2-55.exe: key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- svchost.exe (PID 3060), 64 occurrences
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- svchost.exe (PID 3060)
Suspicious use of AdjustPrivilegeToken 35 IoCs
Processes:
- svchost.exe (PID 3060): Token SeDebugPrivilege once, then 17 repeated pairs of Token 33 and Token SeIncBasePriorityPrivilege (35 IoCs in total)
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
- PID 2300 (0x000600000000b2d2-55.exe) wrote to memory of PID 3060 (svchost.exe), 3 times
- PID 3060 (svchost.exe) wrote to memory of PID 2028 (netsh.exe), 3 times
Processes
-
C:\Users\Admin\AppData\Local\Temp\0x000600000000b2d2-55.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\0x000600000000b2d2-55.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\svchost.exe (level 2, child of the process above)
Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe (level 3, child of svchost.exe above)
Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
- Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\svchost.exe
- Filesize: 37KB
- MD5: 26519b81ab0c5400711598dab3492da4
- SHA1: b28cd0ed6a3af783bddb83c2f2444902335c13a9
- SHA256: 553765cd10aca67763bfc1c158b143c34769fad1c0e826df511024ea6dce1409
- SHA512: 677fc384a8b03142fd3f9d4577b34b97b30ad430d96768c6e9d18ac9df8d3e859b77cc38e85d78e1288caa7c34fc7415e0895f8aaeeb6214527497b11e5b8e2c
-
memory/2028-138-0x0000000000000000-mapping.dmp
-
memory/2300-132-0x0000000075310000-0x00000000758C1000-memory.dmp
- Filesize: 5.7MB
-
memory/2300-136-0x0000000075310000-0x00000000758C1000-memory.dmp
- Filesize: 5.7MB
-
memory/3060-133-0x0000000000000000-mapping.dmp
-
memory/3060-137-0x0000000075310000-0x00000000758C1000-memory.dmp
- Filesize: 5.7MB
-
memory/3060-139-0x0000000075310000-0x00000000758C1000-memory.dmp
- Filesize: 5.7MB