Analysis
- max time kernel: 150s
- max time network: 170s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 24-11-2022 19:16
Behavioral task: behavioral1
- Sample: ca46396a37997ecd10ea75cb00b59bda7de335d2245ee1bf16018aeb81a63466.exe
- Resource: win7-20220812-en
General
- Target: ca46396a37997ecd10ea75cb00b59bda7de335d2245ee1bf16018aeb81a63466.exe
- Size: 29KB
- MD5: 7cab16d955fe0d5953ba1545d72acece
- SHA1: 398677faed43ad650b5f13586dd444edb273273d
- SHA256: ca46396a37997ecd10ea75cb00b59bda7de335d2245ee1bf16018aeb81a63466
- SHA512: cb5dada4fa0e57a2efaea077f230e2a6b34a44b9db2fda4379c9f96904fa7f20d52f5109577729efd8baf769bc79ca6324cfd763adb9f873b4c5827d4bc37bae
- SSDEEP: 384:7hkrLGN8fNl7L5H4yAyr9N95jv8Cum3DM1TeHdGBsbh0w4wlAokw9OhgOL1vYRGy:67R4yAyrR8M3YTeEBKh0p29SgRTr
Malware Config
Extracted
- Family: njrat
- Version: 0.6.4
- Botnet: HacKed
- C2: dz403.no-ip.biz:1177
- Mutex: 23556fb1360f366337f97c924e76ead3
- reg_key: 23556fb1360f366337f97c924e76ead3
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  - pid 1748: svchost.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Drops startup file (2 IoCs)
  Processes:
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\23556fb1360f366337f97c924e76ead3.exe (process: svchost.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\23556fb1360f366337f97c924e76ead3.exe (process: svchost.exe)
- Loads dropped DLL (1 IoC)
  Processes:
  - pid 856: ca46396a37997ecd10ea75cb00b59bda7de335d2245ee1bf16018aeb81a63466.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\23556fb1360f366337f97c924e76ead3 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .." (process: svchost.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\23556fb1360f366337f97c924e76ead3 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .." (process: svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
  - pid 1748: svchost.exe (14 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  - Token: SeDebugPrivilege, pid 1748: svchost.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  - PID 856 (ca46396a37997ecd10ea75cb00b59bda7de335d2245ee1bf16018aeb81a63466.exe) wrote to memory of PID 1748 (svchost.exe), 4 occurrences
  - PID 1748 (svchost.exe) wrote to memory of PID 1060 (netsh.exe), 4 occurrences
Processes
- 1. C:\Users\Admin\AppData\Local\Temp\ca46396a37997ecd10ea75cb00b59bda7de335d2245ee1bf16018aeb81a63466.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ca46396a37997ecd10ea75cb00b59bda7de335d2245ee1bf16018aeb81a63466.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - 2. C:\Users\Admin\AppData\Roaming\svchost.exe (child of 1)
    Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - 3. C:\Windows\SysWOW64\netsh.exe (child of 2)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 29KB
  MD5: 7cab16d955fe0d5953ba1545d72acece
  SHA1: 398677faed43ad650b5f13586dd444edb273273d
  SHA256: ca46396a37997ecd10ea75cb00b59bda7de335d2245ee1bf16018aeb81a63466
  SHA512: cb5dada4fa0e57a2efaea077f230e2a6b34a44b9db2fda4379c9f96904fa7f20d52f5109577729efd8baf769bc79ca6324cfd763adb9f873b4c5827d4bc37bae
- \Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 29KB
  MD5: 7cab16d955fe0d5953ba1545d72acece
  SHA1: 398677faed43ad650b5f13586dd444edb273273d
  SHA256: ca46396a37997ecd10ea75cb00b59bda7de335d2245ee1bf16018aeb81a63466
  SHA512: cb5dada4fa0e57a2efaea077f230e2a6b34a44b9db2fda4379c9f96904fa7f20d52f5109577729efd8baf769bc79ca6324cfd763adb9f873b4c5827d4bc37bae
- memory/856-54-0x0000000075D01000-0x0000000075D03000-memory.dmp
  Filesize: 8KB
- memory/856-55-0x0000000074A50000-0x0000000074FFB000-memory.dmp
  Filesize: 5.7MB
- memory/856-61-0x0000000074A50000-0x0000000074FFB000-memory.dmp
  Filesize: 5.7MB
- memory/1060-62-0x0000000000000000-mapping.dmp
- memory/1748-57-0x0000000000000000-mapping.dmp
- memory/1748-63-0x0000000074A50000-0x0000000074FFB000-memory.dmp
  Filesize: 5.7MB
- memory/1748-64-0x0000000074A50000-0x0000000074FFB000-memory.dmp
  Filesize: 5.7MB