Analysis
max time kernel: 150s
max time network: 147s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 16-04-2024 23:17
Behavioral task: behavioral1
Sample: svchost (2).exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: svchost (2).exe
Resource: win10v2004-20240412-en
General
Target: svchost (2).exe
Size: 37KB
MD5: 4b35f87adde9db4df4775e739743c59c
SHA1: fee7574a5f039051dcb2d63fa8cdf94e61558b35
SHA256: 7395078c587f6da109eaead4135c47967babf6ffb93509f0a15e60eedbc7f8f2
SHA512: e144ffd9ffe089712465f1b89178e6804d4b3b8aec04e8b0b30d231797aef9d4c735acc8aab0c622e6873ef07095b259ef87fc70a4174dd07d578ed668a6260e
SSDEEP: 384:Ad8TgiG1CnZfursvO6ysz6jIvxATH2DirAF+rMRTyN/0L+EcoinblneHQM3epzXW:W8H5Wpsz6jIWD2GrM+rMRa8Nubl2t
Malware Config
Extracted
njrat
im523
HacKed
tue-jake.gl.at.ply.gg:29058
f6f9a84d017975575db803dfc5b5c146
reg_key: f6f9a84d017975575db803dfc5b5c146
splitter: |'|'|
Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs
Processes: netsh.exe
pid process: 2696 netsh.exe

Executes dropped EXE 1 IoCs
Processes: svchost.exe
pid process: 2292 svchost.exe

Loads dropped DLL 1 IoCs
Processes: svchost (2).exe
pid process: 2004 svchost (2).exe

Adds Run key to start application 2 TTPs 2 IoCs
Processes: svchost.exe
description / ioc / process:
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\f6f9a84d017975575db803dfc5b5c146 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." svchost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f6f9a84d017975575db803dfc5b5c146 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: svchost.exe
pid process: 2292 svchost.exe (64 occurrences)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: svchost.exe
pid process: 2292 svchost.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs
Processes: svchost.exe
description / pid / process:
Token: SeDebugPrivilege 2292 svchost.exe (1 occurrence)
Token: 33 2292 svchost.exe (17 occurrences)
Token: SeIncBasePriorityPrivilege 2292 svchost.exe (17 occurrences)

Suspicious use of WriteProcessMemory 8 IoCs
Processes: svchost (2).exe, svchost.exe
description / pid / process / target process:
PID 2004 wrote to memory of 2292 2004 svchost (2).exe svchost.exe (4 occurrences)
PID 2292 wrote to memory of 2696 2292 svchost.exe netsh.exe (4 occurrences)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\svchost (2).exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\svchost (2).exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\svchost.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\netsh.exe
            Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
            - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v13

Persistence
  Create or Modify System Process 1
    Windows Service 1
  Boot or Logon Autostart Execution 1
    Registry Run Keys / Startup Folder 1

Privilege Escalation
  Create or Modify System Process 1
    Windows Service 1
  Boot or Logon Autostart Execution 1
    Registry Run Keys / Startup Folder 1
Downloads

\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize: 37KB
MD5: 4b35f87adde9db4df4775e739743c59c
SHA1: fee7574a5f039051dcb2d63fa8cdf94e61558b35
SHA256: 7395078c587f6da109eaead4135c47967babf6ffb93509f0a15e60eedbc7f8f2
SHA512: e144ffd9ffe089712465f1b89178e6804d4b3b8aec04e8b0b30d231797aef9d4c735acc8aab0c622e6873ef07095b259ef87fc70a4174dd07d578ed668a6260e

memory/2004-0-0x00000000746E0000-0x0000000074C8B000-memory.dmp
Filesize: 5.7MB

memory/2004-1-0x00000000746E0000-0x0000000074C8B000-memory.dmp
Filesize: 5.7MB

memory/2004-2-0x0000000000430000-0x0000000000470000-memory.dmp
Filesize: 256KB

memory/2004-10-0x00000000746E0000-0x0000000074C8B000-memory.dmp
Filesize: 5.7MB

memory/2292-12-0x00000000004F0000-0x0000000000530000-memory.dmp
Filesize: 256KB

memory/2292-11-0x00000000746E0000-0x0000000074C8B000-memory.dmp
Filesize: 5.7MB

memory/2292-13-0x00000000004F0000-0x0000000000530000-memory.dmp
Filesize: 256KB

memory/2292-14-0x00000000746E0000-0x0000000074C8B000-memory.dmp
Filesize: 5.7MB

memory/2292-15-0x00000000004F0000-0x0000000000530000-memory.dmp
Filesize: 256KB