Analysis
Max time kernel: 150s
Max time network: 57s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 26-11-2022 22:50
Static task: static1
Behavioral task: behavioral1
  Sample: de6c4e58cbab00c80e56b196a0e6197e5ba71bbd5c24e70cecc762ce2b84fbeb.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: de6c4e58cbab00c80e56b196a0e6197e5ba71bbd5c24e70cecc762ce2b84fbeb.exe
  Resource: win10v2004-20220812-en
General
Target: de6c4e58cbab00c80e56b196a0e6197e5ba71bbd5c24e70cecc762ce2b84fbeb.exe
Size: 405KB
MD5: d8775c56e4abff4c1dca41368aa66ba0
SHA1: 477211afcb62dc2626046e49aed123d6a23021bb
SHA256: de6c4e58cbab00c80e56b196a0e6197e5ba71bbd5c24e70cecc762ce2b84fbeb
SHA512: 826057d35ed4979f7bfb607cb5da47e901c4da8162c28974fc09a9774918c68821a4f487d2869e280327c78f6584e3b121c1191dd0117d86249cd7af1e766fe0
SSDEEP: 6144:xuFQFkp4C0AYXXuyhC0DPMH951CpSoIIZHm8odsjpwlqS+QUqYA0lxoir:xuFB4z+yhCGyr1CpBIIZHscxo
Malware Config
Extracted
Family: njrat
Version: 0.6.4
Botnet: SaIFELLous
C2: saiflivy.no-ip.biz:1177
Mutex: ba4c12bee3027d94da5c81db2d196bfd
Attributes
  reg_key: ba4c12bee3027d94da5c81db2d196bfd
  splitter: |'|'|
Signatures
Executes dropped EXE (1 IoC)
  Process: svchost.exe (PID 2040)
Modifies Windows Firewall (1 TTP, 1 IoC)
Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ba4c12bee3027d94da5c81db2d196bfd.exe (process: svchost.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ba4c12bee3027d94da5c81db2d196bfd.exe (process: svchost.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ba4c12bee3027d94da5c81db2d196bfd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." (process: svchost.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ba4c12bee3027d94da5c81db2d196bfd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." (process: svchost.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Process: svchost.exe (PID 2040), 10 occurrences
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, svchost.exe (PID 2040)
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1884 (de6c4e58cbab00c80e56b196a0e6197e5ba71bbd5c24e70cecc762ce2b84fbeb.exe) wrote to memory of PID 2040 (svchost.exe), 3 occurrences
  PID 2040 (svchost.exe) wrote to memory of PID 912 (netsh.exe), 3 occurrences
Processes
1. C:\Users\Admin\AppData\Local\Temp\de6c4e58cbab00c80e56b196a0e6197e5ba71bbd5c24e70cecc762ce2b84fbeb.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\de6c4e58cbab00c80e56b196a0e6197e5ba71bbd5c24e70cecc762ce2b84fbeb.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\svchost.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\AppData\Local\Temp\svchost.exe
  Filesize: 405KB
  MD5: d8775c56e4abff4c1dca41368aa66ba0
  SHA1: 477211afcb62dc2626046e49aed123d6a23021bb
  SHA256: de6c4e58cbab00c80e56b196a0e6197e5ba71bbd5c24e70cecc762ce2b84fbeb
  SHA512: 826057d35ed4979f7bfb607cb5da47e901c4da8162c28974fc09a9774918c68821a4f487d2869e280327c78f6584e3b121c1191dd0117d86249cd7af1e766fe0
Memory dumps
memory/912-68-0x0000000000000000-mapping.dmp
memory/1884-58-0x0000000000420000-0x000000000042A000-memory.dmp (Filesize: 40KB)
memory/1884-55-0x0000000000240000-0x0000000000254000-memory.dmp (Filesize: 80KB)
memory/1884-59-0x0000000000430000-0x000000000043A000-memory.dmp (Filesize: 40KB)
memory/1884-60-0x00000000004C0000-0x00000000004CA000-memory.dmp (Filesize: 40KB)
memory/1884-61-0x00000000004D0000-0x00000000004DC000-memory.dmp (Filesize: 48KB)
memory/1884-62-0x00000000004F0000-0x00000000004FE000-memory.dmp (Filesize: 56KB)
memory/1884-63-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmp (Filesize: 8KB)
memory/1884-54-0x0000000000A50000-0x0000000000ABC000-memory.dmp (Filesize: 432KB)
memory/1884-57-0x0000000000290000-0x000000000029A000-memory.dmp (Filesize: 40KB)
memory/1884-56-0x0000000000250000-0x0000000000276000-memory.dmp (Filesize: 152KB)
memory/2040-64-0x0000000000000000-mapping.dmp
memory/2040-67-0x0000000000BE0000-0x0000000000C4C000-memory.dmp (Filesize: 432KB)
memory/2040-70-0x000000001A8C6000-0x000000001A8E5000-memory.dmp (Filesize: 124KB)
memory/2040-71-0x000000001A8C6000-0x000000001A8E5000-memory.dmp (Filesize: 124KB)