Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
19/04/2024, 16:26
Behavioral task
behavioral1
Sample
8d1bfbe0d300231cf7892a9be51258a77f52a85eac045cb42a64b357702c0c5f.exe
Resource
win7-20240221-en
windows7-x64
12 signatures
150 seconds
Behavioral task
behavioral2
Sample
8d1bfbe0d300231cf7892a9be51258a77f52a85eac045cb42a64b357702c0c5f.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
11 signatures
150 seconds
General
-
Target
8d1bfbe0d300231cf7892a9be51258a77f52a85eac045cb42a64b357702c0c5f.exe
-
Size
37KB
-
MD5
b7dd9dd7470af783d5d955b455d58cac
-
SHA1
bbd0c1d74c948e95f5f007102fbabcf3867a2625
-
SHA256
8d1bfbe0d300231cf7892a9be51258a77f52a85eac045cb42a64b357702c0c5f
-
SHA512
af2cec43ea98a7e2c139c1433c4dbcf35ddebc3f70aa8520f64c7096a6f6844f8021cbd22fa4bf46ae4961be1972ca45407b15c1596770fad5cb41c5860fb512
-
SSDEEP
384:zLe2KMizd9jnBhFbJ8ycPVnvvnwaUBTrAF+rMRTyN/0L+EcoinblneHQM3epzXQD:W2g9lLJfcPVn3VU9rM+rMRa8Nu2Bt
Score
10/10
Malware Config
Extracted
Family
njrat
Version
im523
Botnet
HacKed
C2
2.tcp.eu.ngrok.io:19483
Mutex
68d7771434a71722449c404baa3e5b31
Attributes
-
reg_key
68d7771434a71722449c404baa3e5b31
-
splitter
|'|'|
Signatures
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2508 netsh.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68d7771434a71722449c404baa3e5b31.exe Svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68d7771434a71722449c404baa3e5b31.exe Svchost.exe -
Executes dropped EXE 1 IoCs
pid Process 2520 Svchost.exe -
Loads dropped DLL 1 IoCs
pid Process 2328 8d1bfbe0d300231cf7892a9be51258a77f52a85eac045cb42a64b357702c0c5f.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\68d7771434a71722449c404baa3e5b31 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Svchost.exe\" .." Svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\68d7771434a71722449c404baa3e5b31 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Svchost.exe\" .." Svchost.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 2 2.tcp.eu.ngrok.io 19 2.tcp.eu.ngrok.io 35 2.tcp.eu.ngrok.io -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe 2520 Svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2520 Svchost.exe -
Suspicious use of AdjustPrivilegeToken 35 IoCs
description pid Process Token: SeDebugPrivilege 2520 Svchost.exe Token: 33 2520 Svchost.exe Token: SeIncBasePriorityPrivilege 2520 Svchost.exe Token: 33 2520 Svchost.exe Token: SeIncBasePriorityPrivilege 2520 Svchost.exe Token: 33 2520 Svchost.exe Token: SeIncBasePriorityPrivilege 2520 Svchost.exe Token: 33 2520 Svchost.exe Token: SeIncBasePriorityPrivilege 2520 Svchost.exe Token: 33 2520 Svchost.exe Token: SeIncBasePriorityPrivilege 2520 Svchost.exe Token: 33 2520 Svchost.exe Token: SeIncBasePriorityPrivilege 2520 Svchost.exe Token: 33 2520 Svchost.exe Token: SeIncBasePriorityPrivilege 2520 Svchost.exe Token: 33 2520 Svchost.exe Token: SeIncBasePriorityPrivilege 2520 Svchost.exe Token: 33 2520 Svchost.exe Token: SeIncBasePriorityPrivilege 2520 Svchost.exe Token: 33 2520 Svchost.exe Token: SeIncBasePriorityPrivilege 2520 Svchost.exe Token: 33 2520 Svchost.exe Token: SeIncBasePriorityPrivilege 2520 Svchost.exe Token: 33 2520 Svchost.exe Token: SeIncBasePriorityPrivilege 2520 Svchost.exe Token: 33 2520 Svchost.exe Token: SeIncBasePriorityPrivilege 2520 Svchost.exe Token: 33 2520 Svchost.exe Token: SeIncBasePriorityPrivilege 2520 Svchost.exe Token: 33 2520 Svchost.exe Token: SeIncBasePriorityPrivilege 2520 Svchost.exe Token: 33 2520 Svchost.exe Token: SeIncBasePriorityPrivilege 2520 Svchost.exe Token: 33 2520 Svchost.exe Token: SeIncBasePriorityPrivilege 2520 Svchost.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2328 wrote to memory of 2520 2328 8d1bfbe0d300231cf7892a9be51258a77f52a85eac045cb42a64b357702c0c5f.exe 28 PID 2328 wrote to memory of 2520 2328 8d1bfbe0d300231cf7892a9be51258a77f52a85eac045cb42a64b357702c0c5f.exe 28 PID 2328 wrote to memory of 2520 2328 8d1bfbe0d300231cf7892a9be51258a77f52a85eac045cb42a64b357702c0c5f.exe 28 PID 2328 wrote to memory of 2520 2328 8d1bfbe0d300231cf7892a9be51258a77f52a85eac045cb42a64b357702c0c5f.exe 28 PID 2520 wrote to memory of 2508 2520 Svchost.exe 29 PID 2520 wrote to memory of 2508 2520 Svchost.exe 29 PID 2520 wrote to memory of 2508 2520 Svchost.exe 29 PID 2520 wrote to memory of 2508 2520 Svchost.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\8d1bfbe0d300231cf7892a9be51258a77f52a85eac045cb42a64b357702c0c5f.exe"C:\Users\Admin\AppData\Local\Temp\8d1bfbe0d300231cf7892a9be51258a77f52a85eac045cb42a64b357702c0c5f.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Users\Admin\AppData\Roaming\Svchost.exe"C:\Users\Admin\AppData\Roaming\Svchost.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Svchost.exe" "Svchost.exe" ENABLE3⤵
- Modifies Windows Firewall
PID:2508
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
37KB
MD5b7dd9dd7470af783d5d955b455d58cac
SHA1bbd0c1d74c948e95f5f007102fbabcf3867a2625
SHA2568d1bfbe0d300231cf7892a9be51258a77f52a85eac045cb42a64b357702c0c5f
SHA512af2cec43ea98a7e2c139c1433c4dbcf35ddebc3f70aa8520f64c7096a6f6844f8021cbd22fa4bf46ae4961be1972ca45407b15c1596770fad5cb41c5860fb512