Analysis
- max time kernel: 152s
- max time network: 157s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 17-10-2023 21:41
Behavioral tasks
- behavioral1: Sample 70D8A4CFE8F75BEF1D5CEA3BA0CCA2D0.exe, Resource win7-20230831-en
- behavioral2: Sample 70D8A4CFE8F75BEF1D5CEA3BA0CCA2D0.exe, Resource win10v2004-20230915-en
General
- Target: 70D8A4CFE8F75BEF1D5CEA3BA0CCA2D0.exe
- Size: 31KB
- MD5: 70d8a4cfe8f75bef1d5cea3ba0cca2d0
- SHA1: 636d0bb422ed168d310a31160d69aef1aec90d68
- SHA256: 6a949940330b0828af63f56d10981f8596ef1c24952b058e40af09ce6e947100
- SHA512: 31ae3fc6ff416925040d4a7aa40d46b411786c1269c6fbdb0386a05cd5211774c2c0cd13dddecbcec2e3919278cd2c659549a7d7f74355bda3f81e8b196cc561
- SSDEEP: 768:ZRZghV5VXPKzxF+dt+XKvJ+rvaPQmIDUu0tipcj:mfqciMQVkzj
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet / campaign id: MyBot
- C2: myvnc.myftp.biz:5552
- Mutex: 4d303b772c7c7805c5e01990e7310d1a
- reg_key: 4d303b772c7c7805c5e01990e7310d1a
- splitter: Y262SUCZ4UJJ
The 32-hex-character value is reused as the Run key value name and as the startup-folder file name (see Signatures), so it is the single most useful host-side indicator for this build; the dynamic-DNS hostname and port 5552 are the network-side ones. The splitter is the field delimiter njRAT uses inside its C2 messages, which is what makes it worth extracting alongside the C2 address.
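A tokenizer for njRAT's C2 message stream, driven by the splitter value extracted above. This is an added example, not code from the sandbox vendor or from the sample. Its framing assumptions come from public njRAT analyses, not from this report: each message on the TCP stream is a decimal ASCII length, a NUL byte, then the payload, and the payload is a command verb followed by splitter-delimited fields. The message bytes it parses are constructed here, and the registration field layout in the demo is illustrative only.

```python
"""njRAT C2 frame tokenizer driven by the extracted splitter.

Added example, not code from the sandbox or from the sample.  Framing
assumptions come from public njRAT analyses, not from this report:
  * every message on the TCP stream is  <decimal length><NUL><payload>
  * the payload is  <command><splitter><field><splitter><field>...
Sample messages are constructed; the registration field layout in the
demo below is illustrative only and is not asserted to match the client."""
import re

SPLITTER = "Y262SUCZ4UJJ"   # value from the Malware Config section
FRAME_RE = re.compile(rb"^(\d+)\x00")
# njRAT verbs named in public analyses; a subset, enough for a heuristic.
KNOWN_CMDS = {"ll", "inf", "ret", "CAP", "P", "kl", "un", "rn", "Ex", "prof", "proc"}


def frame(payload: str) -> bytes:
    """Encode one message the way the assumed framing does."""
    data = payload.encode("latin-1")
    return str(len(data)).encode("ascii") + b"\x00" + data


def parse_stream(buf: bytes, splitter: str = SPLITTER):
    """Return ([(command, [fields...]), ...], unconsumed_tail).

    Handles several frames back to back and a trailing partial frame, so a
    caller can keep appending TCP segments to the returned tail."""
    frames = []
    while True:
        m = FRAME_RE.match(buf)
        if not m:
            break                       # not at a frame boundary (or empty)
        length, start = int(m.group(1)), m.end()
        if len(buf) < start + length:
            break                       # frame not fully received yet
        payload = buf[start:start + length].decode("latin-1")
        buf = buf[start + length:]
        parts = payload.split(splitter)
        frames.append((parts[0], parts[1:]))
    return frames, buf


def looks_like_njrat(buf: bytes, splitter: str = SPLITTER) -> bool:
    """Network heuristic: a well-formed frame carrying a known verb, with
    splitter-delimited fields unless it is the bare keep-alive 'P'."""
    frames, _ = parse_stream(buf, splitter)
    return any(cmd in KNOWN_CMDS and (fields or cmd == "P")
               for cmd, fields in frames)


if __name__ == "__main__":
    S = SPLITTER
    # Constructed beacon: a keep-alive followed by an illustrative registration.
    beacon = frame("P") + frame(S.join(["ll", "YmFzZTY0aWQ=", "WIN7-PC", "Admin", "23-10-17"]))
    print(parse_stream(beacon))
    print(looks_like_njrat(beacon), looks_like_njrat(b"GET / HTTP/1.1\r\n"))
```

The parser deliberately returns the unconsumed tail instead of raising on a short read, because on a real capture the length-prefixed frame is routinely split across TCP segments; feeding the tail plus the next segment back in is the whole reassembly loop. Swapping in a different splitter is all that is needed for another njRAT build.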
Signatures
- Modifies Windows Firewall (1 TTP, 1 IoC)
  netsh.exe (PID 2480), started by the dropped svchost.exe (PID 2736), adds that svchost.exe as an allowed program; the full command line is in the Processes tree below.
- Drops startup file (2 IoCs)
  Process: svchost.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4d303b772c7c7805c5e01990e7310d1a.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4d303b772c7c7805c5e01990e7310d1a.exe
- Executes dropped EXE (1 IoC)
  PID 2736  svchost.exe
- Loads dropped DLL (1 IoC)
  PID 2388  70D8A4CFE8F75BEF1D5CEA3BA0CCA2D0.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: svchost.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\4d303b772c7c7805c5e01990e7310d1a = "C:\Users\Admin\AppData\Local\Temp\svchost.exe" ..
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\4d303b772c7c7805c5e01990e7310d1a = "C:\Users\Admin\AppData\Local\Temp\svchost.exe" ..
  The value name is the reg_key from the extracted config, and the same data is written both per-user (HKCU) and machine-wide under the 32-bit Wow6432Node view. The trailing ".." argument is how njRAT launches its persisted copy, so the full value string, not just the path, is a usable detection pivot.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (27 IoCs)
  Process: svchost.exe (PID 2736)
  Token: SeDebugPrivilege once; then Token: 33 and Token: SeIncBasePriorityPrivilege alternating, 13 times each (26 events).
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2388 (70D8A4CFE8F75BEF1D5CEA3BA0CCA2D0.exe) wrote to memory of PID 2736 (svchost.exe): 4 events
  PID 2736 (svchost.exe) wrote to memory of PID 2480 (netsh.exe): 4 events
  Both groups line up with the two process creations in the Processes tree below.
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\70D8A4CFE8F75BEF1D5CEA3BA0CCA2D0.exe  (PID 2388)
      Command line: "C:\Users\Admin\AppData\Local\Temp\70D8A4CFE8F75BEF1D5CEA3BA0CCA2D0.exe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\svchost.exe  (PID 2736)
        Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\netsh.exe  (PID 2480)
          Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
          - Modifies Windows Firewall
The svchost.exe at level 2 is not the Windows service host: it runs from the user's %TEMP% directory rather than C:\Windows\System32, and its hashes (Downloads section) are identical to the submitted sample, so the dropper simply copies itself under a trusted-looking name. netsh.exe resolving to SysWOW64 rather than System32 shows the chain runs as 32-bit processes under WOW64 on this x64 image, which is also why the machine-wide Run key lands under Wow6432Node.
Network
MITRE ATT&CK Matrix (ATT&CK v13)
- Persistence
  - Create or Modify System Process (1): Windows Service (1)
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  Listed four times (three entries under C:\Users\... and one under \Users\...), all with identical hashes:
  Filesize: 31KB
  MD5: 70d8a4cfe8f75bef1d5cea3ba0cca2d0
  SHA1: 636d0bb422ed168d310a31160d69aef1aec90d68
  SHA256: 6a949940330b0828af63f56d10981f8596ef1c24952b058e40af09ce6e947100
  SHA512: 31ae3fc6ff416925040d4a7aa40d46b411786c1269c6fbdb0386a05cd5211774c2c0cd13dddecbcec2e3919278cd2c659549a7d7f74355bda3f81e8b196cc561
  These hashes match the submitted sample exactly: the dropped svchost.exe is a byte-for-byte copy of 70D8A4CFE8F75BEF1D5CEA3BA0CCA2D0.exe, not a second-stage payload, so one hash-based indicator covers both files.
- Memory dumps
  PID 2388 (70D8A4CFE8F75BEF1D5CEA3BA0CCA2D0.exe):
    0x0000000074BA0000-0x000000007514B000  5.7MB   (dumps 0, 1, 3, 4, 17)
    0x00000000006E0000-0x0000000000720000  256KB   (dump 2)
  PID 2736 (svchost.exe):
    0x0000000074BA0000-0x000000007514B000  5.7MB   (dumps 14, 15, 18)
    0x00000000001E0000-0x0000000000220000  256KB   (dumps 16, 19)
  The same 5.7MB region at 0x74BA0000 appears in both processes, consistent with the two being the same image loaded twice.