Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/07/2023, 00:14
Behavioral tasks
- behavioral1: sample 0x000900000001414e-64.exe, resource win7-20230703-en
- behavioral2: sample 0x000900000001414e-64.exe, resource win10v2004-20230703-en (this report)
General
- Target: 0x000900000001414e-64.exe
- Size: 37KB
- MD5: ab01301daa4c65810ffd2eb23b51c74c
- SHA1: 556963ab12f90cdc52f7654e00ef2b331ac418c6
- SHA256: 59b3dc90ef07497ef1107f75e40c3961c19f0326e2283f8caa7059fcef5b1a8c
- SHA512: fb22b7c830090be9a0150d789ca988e8beab0aac544cf57ce59e7d4ef66a9e548baa37df57ac529dc10c25ac308ac55fbe06abd43978668296d78df0f962ae1b
- SSDEEP: 384:PrvsiDXT95hL5YyUvlPPnOU4CUBJJrAF+rMRTyN/0L+EcoinblneHQM3epzXzNrj:Tbv5zUvlPzVU7JrM+rMRa8NuNbt
Malware Config
Extracted
- Family: njrat
- Version: im523
- Botnet (campaign ID): lox
- C2: structure-tour.at.ply.gg:27475
- Mutex: 90e01f40b77fe25a11d52d46dae82c17
- reg_key: 90e01f40b77fe25a11d52d46dae82c17
- splitter: |'|'|

The C2 hostname is a playit.gg tunnel (*.ply.gg), so the address the implant connects to is a relay and not the operator's own host; block or alert on the hostname and port rather than expecting a stable IP. The same 32-hex-character identifier is reused as the mutex name, the Run value name and the file name of the startup copy, which is the usual njRAT pattern and makes it a convenient single pivot for host hunting.
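The splitter and C2 values above are what a network-side parser keys on. The following is an added example, not code from the Triage report or from njRAT itself: it frames an njRAT-style TCP stream and splits each payload on the extracted splitter. The framing it assumes (ASCII decimal payload length, a NUL byte, then the payload) is the scheme commonly documented for njRAT builds, not something this report states; the sample bytes are constructed, and the field contents after the command name are placeholders.

```python
"""Added example: frame and field parser for njRAT-style C2 traffic.

Not code from the Triage report or from njRAT. Framing is the commonly
documented njRAT scheme (assumed here): "<decimal length>\\x00<payload>",
with payload fields joined by the configured splitter.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Values taken from the extracted config in the report above.
SPLITTER = "|'|'|"
C2_HOST, C2_PORT = "structure-tour.at.ply.gg", 27475


@dataclass
class Message:
    command: str        # first field, e.g. "ll" (registration) or "inf"
    fields: List[str]   # remaining fields, still in wire order


def build_frame(command: str, *fields: str, splitter: str = SPLITTER) -> bytes:
    """Encode one message the way the parser expects (used to build test data)."""
    payload = splitter.join((command, *fields)).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_stream(data: bytes, splitter: str = SPLITTER) -> Tuple[List[Message], bytes]:
    """Split a raw TCP stream into messages.

    Returns (messages, leftover): leftover holds an incomplete trailing frame so a
    caller can append the next TCP segment and call again. A non-numeric length
    prefix means the stream is not njRAT framing (or we lost sync); raise instead
    of silently resynchronising.
    """
    messages: List[Message] = []
    pos = 0
    while pos < len(data):
        nul = data.find(b"\x00", pos)
        if nul == -1:
            break                                   # length prefix not complete yet
        length_text = data[pos:nul]
        if not length_text.isdigit():
            raise ValueError(f"non-numeric length prefix at offset {pos}: {length_text!r}")
        start, end = nul + 1, nul + 1 + int(length_text)
        if end > len(data):
            break                                   # payload truncated; wait for more
        parts = data[start:end].decode("utf-8", errors="replace").split(splitter)
        messages.append(Message(parts[0], parts[1:]))
        pos = end
    return messages, data[pos:]


def looks_like_njrat(data: bytes, splitter: str = SPLITTER, min_fields: int = 2) -> bool:
    """Cheap triage check for a captured segment: at least one complete frame whose
    payload carries the configured splitter (a 5-byte token unlikely in other
    protocols)."""
    try:
        messages, _ = parse_stream(data, splitter)
    except ValueError:
        return False
    return any(len(m.fields) + 1 >= min_fields for m in messages)


# Constructed sample stream: two complete frames followed by a truncated third.
# Field contents after the command name are placeholders, not from the report.
SAMPLE_STREAM = (
    build_frame("ll", "HacKed_ABCD1234", "DESKTOP-TEST", "Admin", "Win 10 Pro")
    + build_frame("inf")
    + build_frame("ret", "CAP", "placeholder")[:-2]
)

if __name__ == "__main__":
    msgs, rest = parse_stream(SAMPLE_STREAM)
    for m in msgs:
        print(m.command, m.fields)
    print("leftover bytes:", rest)
    print("njrat-like:", looks_like_njrat(SAMPLE_STREAM))
```

The parser deliberately returns the unconsumed tail instead of discarding it: njRAT messages (screen captures, file listings) routinely span several TCP segments, so a reassembly loop that calls `parse_stream(leftover + next_segment)` is the only way to avoid dropping the command that straddles a boundary.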
Signatures

Modifies Windows Firewall (1 TTPs, 1 IoCs)
- pid 1212, netsh.exe
The command in the process tree uses the legacy `netsh firewall` context rather than `netsh advfirewall`; it is deprecated but still accepted on this Windows 10 image, which is why the signature fires.

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation (process 0x000900000001414e-64.exe)

Drops startup file (2 IoCs)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\90e01f40b77fe25a11d52d46dae82c17.exe (svh0stt.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\90e01f40b77fe25a11d52d46dae82c17.exe (svh0stt.exe)

Executes dropped EXE (1 IoCs)
- pid 4824, svh0stt.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\90e01f40b77fe25a11d52d46dae82c17 = "C:\Windows\svh0stt.exe" .. (svh0stt.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\90e01f40b77fe25a11d52d46dae82c17 = "C:\Windows\svh0stt.exe" .. (svh0stt.exe)
Persistence is written to both the per-user and the machine-wide Run key. The WOW6432Node path, together with the SysWOW64 copy of netsh.exe in the process tree, shows the dropped binary runs as a 32-bit process on this x64 image, so hunts that read only the native 64-bit HKLM Run key will miss the second entry.

Drops autorun.inf file (1 TTPs, 5 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
- File created: C:\autorun.inf (svh0stt.exe)
- File opened for modification: C:\autorun.inf (svh0stt.exe)
- File created: D:\autorun.inf (svh0stt.exe)
- File created: F:\autorun.inf (svh0stt.exe)
- File opened for modification: F:\autorun.inf (svh0stt.exe)

Drops file in Windows directory (3 IoCs)
- File created: C:\Windows\svh0stt.exe (0x000900000001414e-64.exe)
- File opened for modification: C:\Windows\svh0stt.exe (0x000900000001414e-64.exe)
- File opened for modification: C:\Windows\svh0stt.exe (svh0stt.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- pid 4824, svh0stt.exe (64 identical entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
- pid 4824, svh0stt.exe

Suspicious use of AdjustPrivilegeToken (35 IoCs)
All entries are pid 4824, svh0stt.exe: SeDebugPrivilege once, then Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege) and SeIncBasePriorityPrivilege alternating for the remaining 34 entries.

Suspicious use of WriteProcessMemory (6 IoCs)
- PID 1228 (0x000900000001414e-64.exe) wrote to memory of 4824 (svh0stt.exe), 3 entries, procid_target 83
- PID 4824 (svh0stt.exe) wrote to memory of 1212 (netsh.exe), 3 entries, procid_target 84
Each group of writes coincides with the writing process creating the target as its child, as shown in the process tree.
Processes

1. C:\Users\Admin\AppData\Local\Temp\0x000900000001414e-64.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0x000900000001414e-64.exe"
   PID: 1228
   - Checks computer location settings
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\svh0stt.exe (child of PID 1228)
      Command line: "C:\Windows\svh0stt.exe"
      PID: 4824
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops autorun.inf file
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe (child of PID 4824)
         Command line: netsh firewall add allowedprogram "C:\Windows\svh0stt.exe" "svh0stt.exe" ENABLE
         PID: 1212
         - Modifies Windows Firewall
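The signatures and process tree above describe five host behaviours that together form a strong njRAT installation fingerprint: a Run-key write, a startup-folder drop, autorun.inf at volume roots, an executable dropped directly under C:\Windows, and a firewall exception added through netsh. The following added example (my own rules, not Triage's signature engine) encodes them over a handful of constructed endpoint events shaped after the process tree, and attributes every hit to the root of the process chain so the netsh child spawned by the dropped copy is charged to the original sample. The event schema (type, pid, ppid, image, cmdline, key, target) is an assumption; map it onto whatever your EDR or Sysmon pipeline emits.

```python
"""Added example: behaviour rules for the njRAT install chain shown in this report.

Not Triage's signature engine; my own rules over a constructed event list whose
schema (type, pid, ppid, image, cmdline, key, target) is an assumption you map
onto your own EDR/Sysmon fields.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Rules mirror the report's signatures: Run-key persistence, startup-folder
# drop, autorun.inf on a volume root, an .exe dropped directly under
# C:\Windows (not System32/SysWOW64), and a firewall exception via netsh.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.I)
AUTORUN_RE = re.compile(r"^[A-Z]:\\autorun\.inf$", re.I)
WINROOT_EXE_RE = re.compile(r"^C:\\Windows\\[^\\]+\.exe$", re.I)
NETSH_ALLOW_RE = re.compile(
    r"(firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)", re.I)


def check_event(ev: dict) -> List[str]:
    """Return the names of every rule this single event trips."""
    hits: List[str] = []
    kind = ev["type"]
    if kind == "reg_set" and RUN_KEY_RE.search(ev["key"]):
        hits.append("run_key_persistence")
    elif kind == "file_create":
        target = ev["target"]
        if STARTUP_RE.search(target):
            hits.append("startup_folder_drop")
        if AUTORUN_RE.match(target):
            hits.append("autorun_inf_on_volume_root")
        if WINROOT_EXE_RE.match(target):
            hits.append("exe_dropped_in_windows_root")
    elif kind == "process":
        if ev["image"].lower().endswith("\\netsh.exe") and NETSH_ALLOW_RE.search(ev["cmdline"]):
            hits.append("firewall_exception_via_netsh")
    return hits


def root_of(pid: int, parent: Dict[int, Optional[int]]) -> int:
    """Walk ppid links up to the oldest process we hold a process event for."""
    while parent.get(pid) is not None and parent[pid] in parent:
        pid = parent[pid]
    return pid


def triage(events: List[dict]) -> Dict[int, List[str]]:
    """Attribute every rule hit to the root process of its chain.

    Returns {root_pid: sorted unique rule names}; roots with no hits are omitted.
    """
    parent = {ev["pid"]: ev.get("ppid") for ev in events if ev["type"] == "process"}
    hits: Dict[int, set] = defaultdict(set)
    for ev in events:
        for rule in check_event(ev):
            hits[root_of(ev["pid"], parent)].add(rule)
    return {pid: sorted(rules) for pid, rules in hits.items()}


def verdict(rules: List[str]) -> str:
    """Three or more of these behaviours from one chain is treated as a RAT install."""
    return "likely RAT install" if len(rules) >= 3 else "needs review"


# Constructed events modelled on the process tree above (not real telemetry).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0x000900000001414e-64.exe"
DROPPED = r"C:\Windows\svh0stt.exe"
EVENTS = [
    {"type": "process", "pid": 1228, "ppid": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "file_create", "pid": 1228, "target": DROPPED},
    {"type": "process", "pid": 4824, "ppid": 1228, "image": DROPPED, "cmdline": f'"{DROPPED}"'},
    {"type": "reg_set", "pid": 4824,
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\90e01f40b77fe25a11d52d46dae82c17",
     "value": r'"C:\Windows\svh0stt.exe" ..'},
    {"type": "file_create", "pid": 4824,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\90e01f40b77fe25a11d52d46dae82c17.exe"},
    {"type": "file_create", "pid": 4824, "target": r"D:\autorun.inf"},
    {"type": "process", "pid": 1212, "ppid": 4824, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Windows\svh0stt.exe" "svh0stt.exe" ENABLE'},
    # Benign control: an unrelated process whose parent is not in the capture.
    {"type": "process", "pid": 5000, "ppid": 900, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for root, rules in triage(EVENTS).items():
        print(root, verdict(rules), rules)
```

Two deliberate choices: `WINROOT_EXE_RE` only matches files placed directly under C:\Windows, because legitimate installers write under System32, SysWOW64 or vendor subfolders and a broader pattern would be noisy; and `NETSH_ALLOW_RE` covers both the legacy `firewall add allowedprogram` form seen here and the modern `advfirewall firewall add rule` form, since the same family is seen using either depending on the builder.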
Downloads
Three dropped files, all with the same hashes as the submitted sample (the sample copies itself unchanged):
- Filesize: 37KB
- MD5: ab01301daa4c65810ffd2eb23b51c74c
- SHA1: 556963ab12f90cdc52f7654e00ef2b331ac418c6
- SHA256: 59b3dc90ef07497ef1107f75e40c3961c19f0326e2283f8caa7059fcef5b1a8c
- SHA512: fb22b7c830090be9a0150d789ca988e8beab0aac544cf57ce59e7d4ef66a9e548baa37df57ac529dc10c25ac308ac55fbe06abd43978668296d78df0f962ae1b