Analysis
max time kernel: 156s
max time network: 152s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 14-02-2024 03:25
Static task: static1
Behavioral task: behavioral1
  Sample: 2fa422d5cd19a34ae3e8d01127e95db53e7979fe43b6f1aa12a9cf51f33eb955.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 2fa422d5cd19a34ae3e8d01127e95db53e7979fe43b6f1aa12a9cf51f33eb955.exe
  Resource: win10v2004-20231222-en
General
Target: 2fa422d5cd19a34ae3e8d01127e95db53e7979fe43b6f1aa12a9cf51f33eb955.exe
Size: 1.1MB
MD5: b0e6f24c119a66f4b9ce908068d3976a
SHA1: d021cfc658c963bddb74668a0148cfd5655f06ad
SHA256: 2fa422d5cd19a34ae3e8d01127e95db53e7979fe43b6f1aa12a9cf51f33eb955
SHA512: d2ea0acff0cdf669d41b669fc81a5c889b0f17164d183ba32aa67ba93e95b9b90fcdad1ddd88462dbccf1cebb620f37f2c37e0f2f6615a9432dc5096772a5d37
SSDEEP: 24576:gfOjaRF0g0tYUt6bSs/6gQynGQfuY88Rq0w:TaRj0C4gvnGQfL8Kq
Malware Config
Extracted
family: njrat
version: im523
botnet: MCVzlom
c2: 194.38.20.230:6666
mutex: 9f35c64e8328a96f5f95063ef2b234ce
reg_key: 9f35c64e8328a96f5f95063ef2b234ce
splitter: |'|'|
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid | Process
  2716 | netsh.exe

Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9f35c64e8328a96f5f95063ef2b234ce.exe | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9f35c64e8328a96f5f95063ef2b234ce.exe | svchost.exe

Executes dropped EXE (1 IoC)
  pid | Process
  2780 | svchost.exe

Loads dropped DLL (1 IoC)
  pid | Process
  2196 | 2fa422d5cd19a34ae3e8d01127e95db53e7979fe43b6f1aa12a9cf51f33eb955.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\9f35c64e8328a96f5f95063ef2b234ce = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .." | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\9f35c64e8328a96f5f95063ef2b234ce = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .." | svchost.exe

Drops autorun.inf file (1 TTP, 5 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
  description | ioc | Process
  File created | C:\autorun.inf | svchost.exe
  File opened for modification | C:\autorun.inf | svchost.exe
  File created | D:\autorun.inf | svchost.exe
  File created | F:\autorun.inf | svchost.exe
  File opened for modification | F:\autorun.inf | svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (17 IoCs)
  pid | Process
  2196 | 2fa422d5cd19a34ae3e8d01127e95db53e7979fe43b6f1aa12a9cf51f33eb955.exe (2 entries)
  2780 | svchost.exe (15 entries)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Kills process with taskkill (1 IoC)
  pid | Process
  1632 | taskkill.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2196 | 2fa422d5cd19a34ae3e8d01127e95db53e7979fe43b6f1aa12a9cf51f33eb955.exe (1 entry)
  2780 | svchost.exe (63 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  2780 | svchost.exe

Suspicious use of AdjustPrivilegeToken (36 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2780 | svchost.exe
  Token: SeDebugPrivilege | 1632 | taskkill.exe
  Token: 33 | 2780 | svchost.exe (17 entries)
  Token: SeIncBasePriorityPrivilege | 2780 | svchost.exe (17 entries)

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2196 | 2fa422d5cd19a34ae3e8d01127e95db53e7979fe43b6f1aa12a9cf51f33eb955.exe
  2780 | svchost.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 2196 wrote to memory of 2780 | 2196 | 2fa422d5cd19a34ae3e8d01127e95db53e7979fe43b6f1aa12a9cf51f33eb955.exe | 27 (4 entries)
  PID 2780 wrote to memory of 2716 | 2780 | svchost.exe | 28 (4 entries)
  PID 2780 wrote to memory of 1632 | 2780 | svchost.exe | 30 (4 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\2fa422d5cd19a34ae3e8d01127e95db53e7979fe43b6f1aa12a9cf51f33eb955.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2fa422d5cd19a34ae3e8d01127e95db53e7979fe43b6f1aa12a9cf51f33eb955.exe"
   - Loads dropped DLL
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 2196

   2. C:\Users\Admin\AppData\Roaming\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops autorun.inf file
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2780

      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
         - Modifies Windows Firewall
         PID: 2716

      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /F /IM Avastsvc.exe
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
         PID: 1632
Network

MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize: 1.1MB
MD5: b0e6f24c119a66f4b9ce908068d3976a
SHA1: d021cfc658c963bddb74668a0148cfd5655f06ad
SHA256: 2fa422d5cd19a34ae3e8d01127e95db53e7979fe43b6f1aa12a9cf51f33eb955
SHA512: d2ea0acff0cdf669d41b669fc81a5c889b0f17164d183ba32aa67ba93e95b9b90fcdad1ddd88462dbccf1cebb620f37f2c37e0f2f6615a9432dc5096772a5d37