Analysis
- max time kernel: 258s
- max time network: 332s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 25-11-2022 20:55
Static task
- static1

Behavioral task
- behavioral1
  Sample: 6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe
  Resource: win7-20221111-en

Behavioral task
- behavioral2
  Sample: 6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe
  Resource: win10v2004-20220901-en
General
- Target: 6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe
- Size: 863KB
- MD5: c83a8098ded06f15dc4bdbafc09f4ecf
- SHA1: 3c45d7d4a0be2be37e1624dbb2ffe371ce95d587
- SHA256: 6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f
- SHA512: 522add6bdf1f113db3eebc8ff7410decda5d12bb3b3953e39e99fd4d887d1468a169ee90baec75de7a79ff9c5c028d60e0345124a78ce9403311aacdc5466df6
- SSDEEP: 24576:TRmJkcoQricOIQxiZY1iaEtmUJ9tiO3BXB:gJZoQrbTFZY1iayJ933lB
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Bot: drazmatik56.no-ip.org:1604, 5364b242e8892a314b968229a5ceac99
- reg_key: 5364b242e8892a314b968229a5ceac99
- splitter: |'|'|
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Processes: 6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\svchost.exe,explorer.exe" | 6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe

- Executes dropped EXE (1 IoCs)
  Processes: svchost.exe
  pid | process
  856 | svchost.exe

- Modifies Windows Firewall (1 TTPs, 1 IoCs)

- Loads dropped DLL (4 IoCs)
  Processes: 6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe
  pid | process
  752 | 6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe (4 times)

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run | 6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\svchost.exe" | 6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe

- AutoIT Executable (6 IoCs)
  AutoIT scripts compiled to PE executables.
  resource | yara_rule
  \Users\Admin\AppData\Roaming\Windows\svchost.exe | autoit_exe (4 times)
  C:\Users\Admin\AppData\Roaming\Windows\svchost.exe | autoit_exe (2 times)

- Suspicious use of SetThreadContext (2 IoCs)
  Processes: 6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe, svchost.exe
  description | pid | process | target process
  PID 752 set thread context of 1316 | 752 | 6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe | RegSvcs.exe
  PID 856 set thread context of 1348 | 856 | svchost.exe | RegSvcs.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: 6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe, svchost.exe
  pid | process
  752 | 6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe
  856 | svchost.exe

- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Processes: RegSvcs.exe
  description | pid | process
  Token: SeDebugPrivilege | 1316 | RegSvcs.exe
  Token: 33 | 1316 | RegSvcs.exe (9 times)
  Token: SeIncBasePriorityPrivilege | 1316 | RegSvcs.exe (9 times)

- Suspicious use of WriteProcessMemory (32 IoCs)
  Processes: 6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe, svchost.exe, RegSvcs.exe
  description | pid | process | target process
  PID 752 wrote to memory of 1316 | 752 | 6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe | RegSvcs.exe (12 times)
  PID 752 wrote to memory of 856 | 752 | 6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe | svchost.exe (4 times)
  PID 856 wrote to memory of 1348 | 856 | svchost.exe | RegSvcs.exe (12 times)
  PID 1316 wrote to memory of 760 | 1316 | RegSvcs.exe | netsh.exe (4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe"
  PID: 752 (depth 1)
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    PID: 1316 (depth 2)
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" "RegSvcs.exe" ENABLE
      PID: 760 (depth 3)
      - Modifies Windows Firewall

  - C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe"
    PID: 856 (depth 2)
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      PID: 1348 (depth 3)
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Windows\svchost.exe (listed 2 times)
  Filesize: 863KB
  MD5: c83a8098ded06f15dc4bdbafc09f4ecf
  SHA1: 3c45d7d4a0be2be37e1624dbb2ffe371ce95d587
  SHA256: 6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f
  SHA512: 522add6bdf1f113db3eebc8ff7410decda5d12bb3b3953e39e99fd4d887d1468a169ee90baec75de7a79ff9c5c028d60e0345124a78ce9403311aacdc5466df6

- \Users\Admin\AppData\Roaming\Windows\svchost.exe (listed 4 times)
  Filesize: 863KB
  MD5: c83a8098ded06f15dc4bdbafc09f4ecf
  SHA1: 3c45d7d4a0be2be37e1624dbb2ffe371ce95d587
  SHA256: 6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f
  SHA512: 522add6bdf1f113db3eebc8ff7410decda5d12bb3b3953e39e99fd4d887d1468a169ee90baec75de7a79ff9c5c028d60e0345124a78ce9403311aacdc5466df6
- memory/752-54-0x0000000075531000-0x0000000075533000-memory.dmp
  Filesize: 8KB
- memory/760-91-0x0000000000000000-mapping.dmp
- memory/856-72-0x0000000000000000-mapping.dmp
- memory/1316-63-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB
- memory/1316-67-0x00000000743E0000-0x000000007498B000-memory.dmp
  Filesize: 5.7MB
- memory/1316-65-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB
- memory/1316-58-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB
- memory/1316-61-0x000000000040748E-mapping.dmp
- memory/1316-60-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB
- memory/1316-56-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB
- memory/1316-55-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB
- memory/1316-89-0x00000000743E0000-0x000000007498B000-memory.dmp
  Filesize: 5.7MB
- memory/1316-59-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB
- memory/1348-82-0x000000000040748E-mapping.dmp
- memory/1348-88-0x00000000743E0000-0x000000007498B000-memory.dmp
  Filesize: 5.7MB
- memory/1348-90-0x00000000743E0000-0x000000007498B000-memory.dmp
  Filesize: 5.7MB