Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20230703-en
- resource tags: arch:x64, arch:x86, image:win7-20230703-en, locale:en-us, os:windows7-x64, system
- submitted: 06-07-2023 00:14
Behavioral task: behavioral1
- Sample: 0x000900000001414e-64.exe
- Resource: win7-20230703-en
Behavioral task: behavioral2
- Sample: 0x000900000001414e-64.exe
- Resource: win10v2004-20230703-en
General
- Target: 0x000900000001414e-64.exe
- Size: 37KB
- MD5: ab01301daa4c65810ffd2eb23b51c74c
- SHA1: 556963ab12f90cdc52f7654e00ef2b331ac418c6
- SHA256: 59b3dc90ef07497ef1107f75e40c3961c19f0326e2283f8caa7059fcef5b1a8c
- SHA512: fb22b7c830090be9a0150d789ca988e8beab0aac544cf57ce59e7d4ef66a9e548baa37df57ac529dc10c25ac308ac55fbe06abd43978668296d78df0f962ae1b
- SSDEEP: 384:PrvsiDXT95hL5YyUvlPPnOU4CUBJJrAF+rMRTyN/0L+EcoinblneHQM3epzXzNrj:Tbv5zUvlPzVU7JrM+rMRa8NuNbt
Malware Config
Extracted: njrat
- im523
- lox
- structure-tour.at.ply.gg:27475
- 90e01f40b77fe25a11d52d46dae82c17
- reg_key: 90e01f40b77fe25a11d52d46dae82c17
- splitter: |'|'|
Signatures

Modifies Windows Firewall (1 TTPs, 1 IoCs)
pid | Process
3032 | netsh.exe

Drops startup file (2 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\90e01f40b77fe25a11d52d46dae82c17.exe | svh0stt.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\90e01f40b77fe25a11d52d46dae82c17.exe | svh0stt.exe

Executes dropped EXE (1 IoCs)
pid | Process
2920 | svh0stt.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Windows\CurrentVersion\Run\90e01f40b77fe25a11d52d46dae82c17 = "\"C:\\Windows\\svh0stt.exe\" .." | svh0stt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\90e01f40b77fe25a11d52d46dae82c17 = "\"C:\\Windows\\svh0stt.exe\" .." | svh0stt.exe

Drops autorun.inf file (1 TTPs, 3 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File created | C:\autorun.inf | svh0stt.exe
File opened for modification | C:\autorun.inf | svh0stt.exe
File created | D:\autorun.inf | svh0stt.exe

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\svh0stt.exe | svh0stt.exe
File created | C:\Windows\svh0stt.exe | 0x000900000001414e-64.exe
File opened for modification | C:\Windows\svh0stt.exe | 0x000900000001414e-64.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2920 | svh0stt.exe (this entry is repeated 64 times)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
2920 | svh0stt.exe

Suspicious use of AdjustPrivilegeToken (23 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2920 | svh0stt.exe
Token: 33 | 2920 | svh0stt.exe (11 entries, alternating with the row below)
Token: SeIncBasePriorityPrivilege | 2920 | svh0stt.exe (11 entries)

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2200 wrote to memory of 2920 | 2200 | 0x000900000001414e-64.exe | 29 (4 entries)
PID 2920 wrote to memory of 3032 | 2920 | svh0stt.exe | 30 (4 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\0x000900000001414e-64.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0x000900000001414e-64.exe"
   PID: 2200
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\svh0stt.exe
      Command line: "C:\Windows\svh0stt.exe"
      PID: 2920
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops autorun.inf file
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Windows\svh0stt.exe" "svh0stt.exe" ENABLE
         PID: 3032
         - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\90e01f40b77fe25a11d52d46dae82c17.exe
- Filesize: 37KB
- MD5: ab01301daa4c65810ffd2eb23b51c74c
- SHA1: 556963ab12f90cdc52f7654e00ef2b331ac418c6
- SHA256: 59b3dc90ef07497ef1107f75e40c3961c19f0326e2283f8caa7059fcef5b1a8c
- SHA512: fb22b7c830090be9a0150d789ca988e8beab0aac544cf57ce59e7d4ef66a9e548baa37df57ac529dc10c25ac308ac55fbe06abd43978668296d78df0f962ae1b

(entry with no filename shown)
- Filesize: 37KB
- MD5: ab01301daa4c65810ffd2eb23b51c74c
- SHA1: 556963ab12f90cdc52f7654e00ef2b331ac418c6
- SHA256: 59b3dc90ef07497ef1107f75e40c3961c19f0326e2283f8caa7059fcef5b1a8c
- SHA512: fb22b7c830090be9a0150d789ca988e8beab0aac544cf57ce59e7d4ef66a9e548baa37df57ac529dc10c25ac308ac55fbe06abd43978668296d78df0f962ae1b

(entry with no filename shown)
- Filesize: 37KB
- MD5: ab01301daa4c65810ffd2eb23b51c74c
- SHA1: 556963ab12f90cdc52f7654e00ef2b331ac418c6
- SHA256: 59b3dc90ef07497ef1107f75e40c3961c19f0326e2283f8caa7059fcef5b1a8c
- SHA512: fb22b7c830090be9a0150d789ca988e8beab0aac544cf57ce59e7d4ef66a9e548baa37df57ac529dc10c25ac308ac55fbe06abd43978668296d78df0f962ae1b