Analysis
max time kernel: 34s
max time network: 37s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-05-2023 17:18
Behavioral task: behavioral1
Sample: OTCV4.exe
Resource: win10v2004-20230220-en
General
Target: OTCV4.exe
Size: 37KB
MD5: 7a0a0912ad87e27c72755a763ba619bc
SHA1: 586d0e9b757935b10c599fca4da6a2d5f0b1d931
SHA256: 8f4d3537fb26ef5dd6866f116a5790b2b86d9057a9102cbe7910f14999e0987a
SHA512: 20c51eeb7081c7981f695a698d5cc64bc63e63b40a3f4c5e538c3f9d0c992c489cf8389c8f63107ec6c27b426ab8344022def79e3954b16c7e6b990a61b10900
SSDEEP: 384:cNOKMizd5jnBhFbJ8ycPhzvzCwSYdOrAF+rMRTyN/0L+EcoinblneHQM3epzXKG0:KOg5lLJfcPhzWVYIrM+rMRa8NuUGJat
Malware Config
Extracted
Family: njrat
im523
svchost
C2: summer-semester.at.ply.gg:13213
b6942de4fd3f9edee3dcb471233c170b
reg_key: b6942de4fd3f9edee3dcb471233c170b
splitter: |'|'|
Signatures
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: OTCV4.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation
  process: OTCV4.exe
- Drops startup file (2 IoCs)
Processes: svchost.exe
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b6942de4fd3f9edee3dcb471233c170b.exe
  process: svchost.exe
  description: File opened for modification
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b6942de4fd3f9edee3dcb471233c170b.exe
  process: svchost.exe
- Executes dropped EXE (1 IoC)
Processes: svchost.exe
  pid: 3832
  process: svchost.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: svchost.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b6942de4fd3f9edee3dcb471233c170b = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .."
  process: svchost.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b6942de4fd3f9edee3dcb471233c170b = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .."
  process: svchost.exe
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: svchost.exe
  pid: 3832
  process: svchost.exe (the same entry is recorded 64 times)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: svchost.exe
  description: Token: SeDebugPrivilege; pid: 3832; process: svchost.exe
  description: Token: 33; pid: 3832; process: svchost.exe
  description: Token: SeIncBasePriorityPrivilege; pid: 3832; process: svchost.exe
  description: Token: 33; pid: 3832; process: svchost.exe
  description: Token: SeIncBasePriorityPrivilege; pid: 3832; process: svchost.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
Processes: OTCV4.exe, svchost.exe
  description: PID 4104 wrote to memory of 3832; process: OTCV4.exe; target process: svchost.exe (recorded 3 times)
  description: PID 3832 wrote to memory of 2660; process: svchost.exe; target process: netsh.exe (recorded 3 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\OTCV4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\OTCV4.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Roaming\svchost.exe (child of 1)
   Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
   - Drops startup file
   - Executes dropped EXE
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\netsh.exe (child of 2)
   Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
   - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 37KB
  MD5: 7a0a0912ad87e27c72755a763ba619bc
  SHA1: 586d0e9b757935b10c599fca4da6a2d5f0b1d931
  SHA256: 8f4d3537fb26ef5dd6866f116a5790b2b86d9057a9102cbe7910f14999e0987a
  SHA512: 20c51eeb7081c7981f695a698d5cc64bc63e63b40a3f4c5e538c3f9d0c992c489cf8389c8f63107ec6c27b426ab8344022def79e3954b16c7e6b990a61b10900
- memory/4104-133-0x00000000018A0000-0x00000000018B0000-memory.dmp
  Filesize: 64KB