Analysis
Max time kernel: 151s
Max time network: 159s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 02-10-2022 13:25

Behavioral task: behavioral1
Sample: 5afcca01b16f3242c14204f77ed180ffd8a7cf60c86bdf4099e95a37412d1fb2.exe
Resource: win7-20220812-en
General
Target: 5afcca01b16f3242c14204f77ed180ffd8a7cf60c86bdf4099e95a37412d1fb2.exe
Size: 29KB
MD5: 6ef684fd2a576eaba8de0aaf4b077da0
SHA1: cd45eef4c6bbd4eab721757f70f4887a87fbe6ea
SHA256: 5afcca01b16f3242c14204f77ed180ffd8a7cf60c86bdf4099e95a37412d1fb2
SHA512: a67a810afd4baee141d4b973fabcf2e53e0c0043b599e488e52c8885a8677ab0e788ae4b0c2e6faefc162b80339ff4f974d4d0724f3c84ae0b4a7c687938c93a
SSDEEP: 384:lUHEBl7p3hUw2s7bD55gEKemqDSqre/IDGBsbh0w4wlAokw9OhgOL1vYRGOZzuZU:Z7bUw2C3kEcqNreHBKh0p29SgRIU
Malware Config
Extracted family: njrat
Version: 0.6.4
Campaign (botnet) name: HacKed
C2: 197.0.252.102:90
Mutex: c136ca163c41529ca91ad6b874a035d7
reg_key: c136ca163c41529ca91ad6b874a035d7
splitter: |'|'|

The same 32-hex-character string is used as the mutex and as the Run-key value name, which is the usual njRAT build configuration. The splitter is the field delimiter the RAT places between values inside its C2 messages, so it is a network detection string that stays valid even if the operator moves the C2 address.
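The following is an added example, not code from the sandbox report or from njRAT: it frames and decodes njRAT-style C2 messages using the splitter extracted above. The wire format it assumes (a decimal payload length, a NUL byte, then the splitter-joined fields) and the message contents in the demo are assumptions and constructed data, not captured traffic from this sample.

```python
# Added example, not part of the sandbox report or of njRAT itself: framing and
# decoding of njRAT-style C2 messages with the splitter extracted above.
# Assumed wire format: each message is "<decimal payload length>\x00<payload>"
# and payload fields are joined with the configured splitter. The messages
# built below are constructed for illustration, not captured traffic.
from typing import List, Tuple

SPLITTER = "|'|'|"          # value extracted from this sample's config


def frame(fields: List[str], splitter: str = SPLITTER) -> bytes:
    """Encode one message: ASCII length, NUL, splitter-joined fields."""
    payload = splitter.join(fields).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def decode_stream(data: bytes, splitter: str = SPLITTER) -> Tuple[List[List[str]], bytes]:
    """Split a byte stream into field lists.

    Returns (messages, remainder). A trailing frame whose declared length
    exceeds the bytes available is left in `remainder` so a caller feeding
    a TCP stream can append the next read and retry. A malformed length
    prefix raises ValueError rather than silently resynchronising.
    """
    messages: List[List[str]] = []
    pos = 0
    while pos < len(data):
        nul = data.find(b"\x00", pos)
        if nul == -1:
            break                                   # length prefix not finished yet
        prefix = data[pos:nul]
        if not prefix.isdigit():
            raise ValueError(f"non-numeric length prefix at offset {pos}: {prefix!r}")
        length = int(prefix)
        start, end = nul + 1, nul + 1 + length
        if end > len(data):
            break                                   # incomplete payload, keep for later
        payload = data[start:end].decode("utf-8", errors="replace")
        messages.append(payload.split(splitter))
        pos = end
    return messages, data[pos:]


def splitter_hits(blob: bytes, splitter: str = SPLITTER) -> int:
    """Count splitter occurrences in arbitrary bytes: a crude IDS-style check
    that still works when length framing is broken (e.g. packet-sliced data)."""
    return blob.count(splitter.encode("utf-8"))


if __name__ == "__main__":
    # Constructed beacon-like exchange: a registration message followed by a
    # keep-alive, plus an incomplete trailing frame to exercise the buffer path.
    stream = (
        frame(["ll", "HacKed", "WIN7-PC", "Admin", "0.6.4"])
        + frame(["ping"])
        + b"9\x00partial"
    )
    msgs, rest = decode_stream(stream)
    for m in msgs:
        print("command:", m[0], "fields:", m[1:])
    print("buffered:", rest, "splitter hits:", splitter_hits(stream))
```

The decoder keeps unconsumed bytes instead of discarding them, which matters for a passive sensor reassembling a TCP stream; `splitter_hits` is the fallback when framing cannot be trusted and is the same idea a content-match IDS rule on the splitter string would implement.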
Signatures

Executes dropped EXE (1 IoC)
  PID 2008  scvhot.exe

Modifies Windows Firewall (1 TTP, 1 IoC)
  The dropped copy adds itself as an allowed program through the legacy "netsh firewall" context (still accepted on Windows 7); see the netsh.exe command line in the process tree below.

Loads dropped DLL (1 IoC)
  PID 1708  5afcca01b16f3242c14204f77ed180ffd8a7cf60c86bdf4099e95a37412d1fb2.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set by scvhot.exe (PID 2008):
  \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\c136ca163c41529ca91ad6b874a035d7 = "\"C:\\Users\\Admin\\scvhot.exe\" .."
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\c136ca163c41529ca91ad6b874a035d7 = "\"C:\\Users\\Admin\\scvhot.exe\" .."
  The value name is the reg_key from the extracted config. The HKLM entry lands under Wow6432Node because the 32-bit process is subject to WOW64 registry redirection, and it could only be written because the sandbox runs as the Admin account; on a standard-user host only the HKCU entry would be created.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic label for this is "likely ransomware behaviour", but for njRAT it corresponds to the RAT's drive enumeration (file manager and removable-drive spreading), not to file encryption.

Suspicious behavior: EnumeratesProcesses (18 IoCs)
  PID 2008  scvhot.exe (18 occurrences)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 2008  scvhot.exe  Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1708 (5afcca01b16f3242c14204f77ed180ffd8a7cf60c86bdf4099e95a37412d1fb2.exe) wrote to memory of PID 2008 (scvhot.exe), 4 times
  PID 2008 (scvhot.exe) wrote to memory of PID 1904 (netsh.exe), 4 times
  Each pair corresponds to a parent launching its own child in the process tree below; nothing on this page shows writes into an unrelated process, so this is not evidence of injection by itself.
Processes

C:\Users\Admin\AppData\Local\Temp\5afcca01b16f3242c14204f77ed180ffd8a7cf60c86bdf4099e95a37412d1fb2.exe (PID 1708)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5afcca01b16f3242c14204f77ed180ffd8a7cf60c86bdf4099e95a37412d1fb2.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\scvhot.exe (PID 2008, child of 1708)
    Command line: "C:\Users\Admin\scvhot.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe (PID 1904, child of 2008)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\scvhot.exe" "scvhot.exe" ENABLE
      - Modifies Windows Firewall

This is the standard njRAT install chain: the sample copies itself into the user profile as scvhot.exe (a misspelling of svchost.exe), starts the copy, and the copy registers itself under Run and in the firewall. The netsh binary is the SysWOW64 one and the HKLM Run value sits under Wow6432Node because the RAT is a 32-bit process running under WOW64 on the x64 image.
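The following is an added example, not part of the sandbox report: detection logic for the three behaviours in the process tree above (a self-copy executed under an svchost.exe look-alike name, Run-key persistence pointing into the user profile, and a firewall exception added by a user-profile process), run over constructed Sysmon-style events. The field names follow Sysmon; the event records are constructed from the paths, hashes and command line shown in this report, and the benign control records (a vendor installer and an administrator's own firewall rule) are invented.

```python
# Added example, not part of the sandbox report: detection logic for the
# behaviours in the process tree above, run over constructed Sysmon-style
# events (EventID 1 = process create, EventID 13 = registry value set).
# Field names follow Sysmon; the records are built from the report's paths,
# hashes and command line, and the benign controls are invented.
import re
from typing import Dict, List, Optional, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5afcca01b16f3242c14204f77ed180ffd8a7cf60c86bdf4099e95a37412d1fb2.exe"
SAMPLE_SHA256 = "5afcca01b16f3242c14204f77ed180ffd8a7cf60c86bdf4099e95a37412d1fb2"
DROPPED = r"C:\Users\Admin\scvhot.exe"
RUN_VALUE = "c136ca163c41529ca91ad6b874a035d7"

EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Image": SAMPLE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{SAMPLE}"', "Hashes": f"SHA256={SAMPLE_SHA256}"},
    {"EventID": "1", "Image": DROPPED, "ParentImage": SAMPLE,
     "CommandLine": f'"{DROPPED}"', "Hashes": f"SHA256={SAMPLE_SHA256}"},
    {"EventID": "13", "Image": DROPPED,
     "TargetObject": r"HKU\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run" + "\\" + RUN_VALUE,
     "Details": f'"{DROPPED}" ..'},
    {"EventID": "13", "Image": DROPPED,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" + "\\" + RUN_VALUE,
     "Details": f'"{DROPPED}" ..'},
    {"EventID": "1", "Image": r"C:\Windows\SysWOW64\netsh.exe", "ParentImage": DROPPED,
     "CommandLine": f'netsh firewall add allowedprogram "{DROPPED}" "scvhot.exe" ENABLE'},
    # Benign controls (constructed): vendor installer persistence, admin's own firewall rule.
    {"EventID": "13", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r'"C:\Program Files\Vendor\updater.exe" /quiet'},
    {"EventID": "1", "Image": r"C:\Windows\System32\netsh.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="Backup" dir=in action=allow program="C:\\Program Files\\Backup\\agent.exe"'},
]

RUN_KEY = re.compile(r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
USER_PATH = re.compile(r'^"?(?:[a-z]:\\Users\\|%(?:APPDATA|LOCALAPPDATA|TEMP|TMP|USERPROFILE)%)', re.I)
FIREWALL_ALLOW = re.compile(
    r"\bnetsh(?:\.exe)?\s+(?:firewall\s+add\s+allowedprogram\b|advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b)", re.I)
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def sha256_of(event: Dict[str, str]) -> Optional[str]:
    """Pull the SHA256 out of a Sysmon 'Hashes' field such as 'MD5=..,SHA256=..'."""
    for part in event.get("Hashes", "").split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance (edits plus adjacent transpositions),
    so svchost -> scvhot (one swap, one dropped letter) scores 2 instead of 3."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def is_lookalike(image: str, target: str = "svchost.exe", max_dist: int = 2) -> bool:
    """Near-miss of a system binary name, running from outside the trusted directories."""
    name = image.rsplit("\\", 1)[-1].lower()
    return 0 < osa_distance(name, target) <= max_dist and not image.lower().startswith(TRUSTED_DIRS)


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (rule, subject, detail) alerts for the given events."""
    alerts: List[Tuple[str, str, str]] = []
    image_hash = {e["Image"].lower(): sha256_of(e) for e in events if e["EventID"] == "1"}
    for e in events:
        if e["EventID"] == "13":
            if RUN_KEY.search(e["TargetObject"]) and USER_PATH.match(e["Details"]):
                alerts.append(("run_key_user_path", e["Image"], e["TargetObject"]))
        elif e["EventID"] == "1":
            parent = e["ParentImage"].lower()
            if FIREWALL_ALLOW.search(e.get("CommandLine", "")) and not parent.startswith(TRUSTED_DIRS):
                alerts.append(("firewall_allow_from_user_process", e["ParentImage"], e["CommandLine"]))
            if is_lookalike(e["Image"]):
                alerts.append(("system_binary_lookalike", e["Image"], e["Image"].rsplit("\\", 1)[-1]))
            child, par = sha256_of(e), image_hash.get(parent)
            if child and par and child == par and e["Image"].lower() != parent:
                alerts.append(("self_copy_execution", e["ParentImage"], e["Image"]))
    return alerts


if __name__ == "__main__":
    for rule, subject, detail in detect(EVENTS):
        print(f"{rule:34} {subject} -> {detail}")
```

The two benign records deliberately touch the same key and the same tool: a Run value pointing into Program Files and a netsh rule launched from cmd.exe in System32 produce no alert, so the rules key on where the persisted binary lives and who asked for the firewall exception rather than on the key or the tool alone. The self-copy rule needs the parent's hash, which is why the process-create events are indexed first.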
Network
No connections are listed on this page; the only network indicator is the C2 endpoint 197.0.252.102:90 from the extracted config.

MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\scvhot.exe (the report lists this file three times, once as \Users\Admin\scvhot.exe; one entry is kept here)
  Filesize: 29KB
  MD5: 6ef684fd2a576eaba8de0aaf4b077da0
  SHA1: cd45eef4c6bbd4eab721757f70f4887a87fbe6ea
  SHA256: 5afcca01b16f3242c14204f77ed180ffd8a7cf60c86bdf4099e95a37412d1fb2
  SHA512: a67a810afd4baee141d4b973fabcf2e53e0c0043b599e488e52c8885a8677ab0e788ae4b0c2e6faefc162b80339ff4f974d4d0724f3c84ae0b4a7c687938c93a
  All four hashes match the submitted sample: the "dropped" file is a byte-for-byte copy of the original written into the user profile under an svchost.exe look-alike name, so the sample's own hashes are the file IoCs for the persisted copy as well.
Memory dumps:
  memory/1708-54-0x0000000076121000-0x0000000076123000-memory.dmp  8KB
  memory/1708-61-0x00000000748B0000-0x0000000074E5B000-memory.dmp  5.7MB
  memory/1904-60-0x0000000000000000-mapping.dmp
  memory/2008-56-0x0000000000000000-mapping.dmp
  memory/2008-62-0x00000000748B0000-0x0000000074E5B000-memory.dmp  5.7MB
  memory/2008-64-0x00000000748B0000-0x0000000074E5B000-memory.dmp  5.7MB
  The same 5.7MB region (0x748B0000-0x74E5B000) is dumped from both the sample (PID 1708) and its copy (PID 2008), as expected for the identical binary loading the same module at the same base.