Analysis

max time kernel: 182s
max time network: 183s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2022 20:44
Static task: static1

Behavioral task: behavioral1
  Sample: 34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: 34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e.exe
  Resource: win10v2004-20221111-en
General

Target: 34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e.exe
Size: 786KB
MD5: b3add9a1e502c753d95a2e9f48673395
SHA1: 5fe5aa9cb6a39d03d2fe7fed545fd5905aca3037
SHA256: 34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e
SHA512: c32518f3ebe3b1c9838f6c0011713a314e45f3b78bbf0c0244d4d157820db2c6fe66ba1b8951e89eae3d4f9bd5410c27734e3af0a001a293f7dd02514d09a685
SSDEEP: 24576:gsTrikod71pwGuB7DNnui1jbx051ebqo/rZo4AxwYx:gsTrikod71pwGuB7DNnuYBC0bqo/NoJT
Malware Config

Extracted
  Family: njrat
  Version: 0.7d
  Botnet / campaign id: HacKed
  C2: mehdimoro.ddns.net:5555
  ID: 4aeed655f342a0295abb3112731f878a (reused below as the Run value name, the reg_key attribute and the Startup-folder file name)
  reg_key: 4aeed655f342a0295abb3112731f878a
  splitter: |'|'|

The C2 is a dynamic-DNS hostname on a non-standard port, so block on the hostname as well as on whatever IP it resolves to at the time of analysis; the splitter is the field separator njRAT uses inside every command it sends or receives, which makes it the most stable network indicator for this family.
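How the extracted splitter is actually used on the wire, as an added example that is not code from the report or from the malware. What the report gives us is the splitter |'|'|, the botnet id HacKed, the version 0.7d and the C2 mehdimoro.ddns.net:5555. What the example assumes, and labels as such, is the njRAT framing: each message is an ASCII decimal length, a NUL byte, then that many payload bytes whose fields are joined by the splitter, with the first field naming the command ("ll" for the check-in) and the check-in's first data field being "<botnet id>_<hwid>". The sample stream is constructed for illustration, not captured traffic, and handles the two things a stream parser must get right: several frames per read and a trailing partial frame.

```python
"""njRAT C2 framing driven by the configuration extracted above.

Added example, not code from the report or from the malware. Assumed wire
format: <decimal length>\\x00<fields joined by the splitter>; first field is
the command ("ll" = registration); the registration's first data field is
"<botnet id>_<hwid>". SAMPLE_STREAM below is constructed, not captured.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

SPLITTER = "|'|'|"                 # from the extracted config
BOTNET_ID = "HacKed"               # from the extracted config
C2 = ("mehdimoro.ddns.net", 5555)  # from the extracted config; kept for block lists
MAX_HEADER_DIGITS = 10             # sanity bound on the decimal length prefix


@dataclass
class Frame:
    command: str
    fields: List[str] = field(default_factory=list)


def encode_frame(parts: List[str], splitter: str = SPLITTER) -> bytes:
    """Build one wire frame: decimal length, NUL, fields joined by the splitter."""
    payload = splitter.join(parts).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def decode_stream(buf: bytes, splitter: str = SPLITTER) -> Tuple[List[Frame], bytes]:
    """Pull every complete frame off a TCP stream buffer.

    Returns (frames, remainder); the remainder is the trailing partial frame
    the caller keeps and prepends to the next read. Raises ValueError when
    the bytes cannot be njRAT framing at all (no sane length header).
    """
    frames: List[Frame] = []
    while buf:
        nul = buf.find(b"\x00")
        if nul == -1:
            # No header terminator yet: either a short read or not this protocol.
            if len(buf) > MAX_HEADER_DIGITS or not buf.isdigit():
                raise ValueError("stream does not look like njRAT framing")
            break
        header = buf[:nul]
        if not header.isdigit() or len(header) > MAX_HEADER_DIGITS:
            raise ValueError(f"bad length header {header!r}")
        end = nul + 1 + int(header)
        if len(buf) < end:
            break  # payload not fully received yet
        parts = buf[nul + 1:end].decode("utf-8", errors="replace").split(splitter)
        frames.append(Frame(command=parts[0], fields=parts[1:]))
        buf = buf[end:]
    return frames, buf


def is_registration(frame: Frame, botnet_id: str = BOTNET_ID) -> bool:
    """True for a check-in ("ll") whose victim id carries the botnet id prefix."""
    return (frame.command == "ll"
            and bool(frame.fields)
            and frame.fields[0].startswith(botnet_id + "_"))


# Constructed sample: a check-in, a second frame, then an incomplete frame.
# Field meanings after the victim id are illustrative assumptions.
REGISTRATION = ["ll", BOTNET_ID + "_1A2B3C4D5E6F", "WIN7-PC", "Admin",
                "22-11-23", "", "Win 7 Ultimate SP1 x64", "No", "0.7d", "..", "notepad"]
SAMPLE_STREAM = (encode_frame(REGISTRATION)
                 + encode_frame(["inf", "0.7d", BOTNET_ID])
                 + b"7\x00ab")  # incomplete: 7 bytes announced, 2 present


if __name__ == "__main__":
    frames, rest = decode_stream(SAMPLE_STREAM)
    for f in frames:
        tag = "registration" if is_registration(f) else "other"
        print(f"{f.command:>4} [{tag}] {f.fields}")
    print("unconsumed:", rest)
```

Splitting on the configured splitter rather than on a fixed string matters because njRAT builders let the operator change it; a network rule keyed on the literal |'|'| catches this build, a decoder keyed on the extracted config catches the next one too.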
Signatures

Executes dropped EXE (2 IoCs)
  PID 688  svchost.exe
  PID 304  svchost.exe

Modifies Windows Firewall (1 TTP, 1 IoC)
  See the netsh.exe command at the bottom of the process tree.

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4aeed655f342a0295abb3112731f878a.exe  (svchost.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4aeed655f342a0295abb3112731f878a.exe  (svchost.exe)

Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aYQwA0zYJ87p8B = "C:\\Windows\\system32\\Server.exe"  (34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aYQwA0zYJ87p8B = "C:\\Windows\\system32\\Server.exe"  (svchost.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\4aeed655f342a0295abb3112731f878a = "\"C:\\Windows\\svchost.exe\" .."  (svchost.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\4aeed655f342a0295abb3112731f878a = "\"C:\\Windows\\svchost.exe\" .."  (svchost.exe)
  Two things to note. The Run values land under Wow6432Node and the Server.exe value names C:\Windows\system32 while the file itself (next signature) was written to C:\Windows\SysWOW64: that is WoW64 registry and file-system redirection acting on a 32-bit process (the resource tags show the sample as x86), not two different files. The trailing " .." argument on the svchost.exe values is the launch argument njRAT uses for its own persisted copy and is a good string to hunt for in Run values.

Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\SysWOW64\Server.exe  (34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e.exe)
  File opened for modification: C:\Windows\SysWOW64\Server.exe  (34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e.exe)

Suspicious use of SetThreadContext (2 IoCs)
  PID 1256 (34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e.exe) set thread context of PID 1252 (34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e.exe)
  PID 688 (svchost.exe) set thread context of PID 304 (svchost.exe)
  In both cases the target is a freshly spawned copy of the parent's own image, which together with the WriteProcessMemory events below is the shape of process hollowing: spawn self, overwrite the child's memory, redirect its main thread.

Drops file in Windows directory (1 IoC)
  File created: C:\Windows\svchost.exe  (34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e.exe)
  The genuine service host lives in C:\Windows\System32 (and SysWOW64); a svchost.exe directly under C:\Windows is a name-only look-alike and is the process that owns the rest of the activity in this report.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is "likely ransomware behaviour", but nothing in this report shows file encryption; with the family identified as njRAT, drive enumeration is more plausibly the removable-drive handling of its spread feature than anything ransomware-like.

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  PID 1256 (34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e.exe)
  Token: SeDebugPrivilege  PID 688 (svchost.exe)
  Token: SeDebugPrivilege  PID 304 (svchost.exe)

Suspicious use of WriteProcessMemory (20 IoCs)
  PID 1256 (34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e.exe) wrote to memory of PID 1252 (same image): 6 events
  PID 1252 (34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e.exe) wrote to memory of PID 688 (svchost.exe): 4 events
  PID 688 (svchost.exe) wrote to memory of PID 304 (svchost.exe): 6 events
  PID 304 (svchost.exe) wrote to memory of PID 980 (netsh.exe): 4 events
  The two six-event groups line up with the two SetThreadContext pairs above; the two four-event groups line up with ordinary child-process launches (1252 starting the dropped svchost.exe, 304 starting netsh.exe).
Processes

PIDs are taken from the signature entries above.

1. C:\Users\Admin\AppData\Local\Temp\34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e.exe  (PID 1256)
   Command line: "C:\Users\Admin\AppData\Local\Temp\34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e.exe"
   - Adds Run key to start application
   - Drops file in System32 directory
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e.exe  (PID 1252, hollowed copy of its parent)
      Command line: C:\Users\Admin\AppData\Local\Temp\34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e.exe
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\svchost.exe  (PID 688, the dropped copy)
         Command line: "C:\Windows\svchost.exe"
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of SetThreadContext
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\svchost.exe  (PID 304, hollowed copy of its parent)
            Command line: C:\Windows\svchost.exe
            - Executes dropped EXE
            - Drops startup file
            - Adds Run key to start application
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\netsh.exe  (PID 980)
               Command line: netsh firewall add allowedprogram "C:\Windows\svchost.exe" "svchost.exe" ENABLE
               - Modifies Windows Firewall
               This uses the legacy "netsh firewall" context (superseded by "netsh advfirewall firewall add rule" but still accepted on Windows 7) to add a program exception so inbound connections to the dropped binary are not blocked; it is also the only child of the persisted svchost.exe copy, so a "svchost.exe outside System32 spawning netsh.exe" parent/child pair is a precise hunt query for this behaviour.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Windows\svchost.exe
  Filesize: 786KB
  MD5: b3add9a1e502c753d95a2e9f48673395
  SHA1: 5fe5aa9cb6a39d03d2fe7fed545fd5905aca3037
  SHA256: 34ea5f27c0d05baccc33fd1bb2b8beed511b3ebfe9e73894ae546eb72f17447e
  SHA512: c32518f3ebe3b1c9838f6c0011713a314e45f3b78bbf0c0244d4d157820db2c6fe66ba1b8951e89eae3d4f9bd5410c27734e3af0a001a293f7dd02514d09a685
  (recorded three times with identical hashes; every hash matches the submitted sample, so the dropped file is a byte-for-byte self-copy and the sample's own hashes cover it)
-
Memory dumps

  memory/304-73-0x000000000040747E-mapping.dmp
  memory/688-67-0x0000000000000000-mapping.dmp
  memory/688-79-0x00000000048F5000-0x0000000004906000-memory.dmp  (68KB)
  memory/688-70-0x0000000000B90000-0x0000000000C5A000-memory.dmp  (808KB)
  memory/980-80-0x0000000000000000-mapping.dmp
  memory/1252-64-0x0000000000400000-0x000000000040A000-memory.dmp  (40KB)
  memory/1252-62-0x0000000000400000-0x000000000040A000-memory.dmp  (40KB)
  memory/1252-59-0x0000000000400000-0x000000000040A000-memory.dmp  (40KB)
  memory/1252-60-0x000000000040747E-mapping.dmp
  memory/1256-65-0x00000000004A0000-0x00000000004E0000-memory.dmp  (256KB)
  memory/1256-54-0x00000000009F0000-0x0000000000ABA000-memory.dmp  (808KB)
  memory/1256-58-0x0000000000360000-0x000000000036A000-memory.dmp  (40KB)
  memory/1256-57-0x0000000002050000-0x0000000002094000-memory.dmp  (272KB)
  memory/1256-56-0x0000000004270000-0x00000000042E2000-memory.dmp  (456KB)
  memory/1256-55-0x0000000075BA1000-0x0000000075BA3000-memory.dmp  (8KB)

The two SetThreadContext targets, PIDs 1252 and 304, both have a mapping dump at 0x40747E, consistent with the parent redirecting the child's thread to the same entry point inside the 0x400000-0x40A000 image it wrote; the 808KB regions in 1256 and 688 match the 786KB binary loaded in the two parents. The 1252 dumps are the ones to carve for the hollowed payload.