Analysis
max time kernel: 149s
max time network: 155s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 19-04-2024 17:32
Behavioral task: behavioral1
Sample: 6339af085c42edefc5bff55a84c66e8945a567eb193cc29b497aeb0233d53e0f.exe
Resource: win7-20240221-en
General
Target: 6339af085c42edefc5bff55a84c66e8945a567eb193cc29b497aeb0233d53e0f.exe
Size: 37KB
MD5: a78337c1b891d73341d4012dc77fbea1
SHA1: e80f17b9e3650d9461234efe9cbca0cd96b0b0fb
SHA256: 6339af085c42edefc5bff55a84c66e8945a567eb193cc29b497aeb0233d53e0f
SHA512: 7c21e0680442c2c170cd494e32709c367e47a955ac2e61dd1f223e31ef5d400cb11eb2d5420943cc343c05df0b1b654575d2e7364f1706e42c664af4f4d0df73
SSDEEP: 384:q2aIiudjtD+P3V+y0b3+LCtf1QseiXFrAF+rMRTyN/0L+EcoinblneHQM3epzXKL:TFmV10b3+LCtCViVrM+rMRa8NuzWt
Malware Config
Extracted
Family: njrat
Version: im523
Botnet: MAX
C2: 0.tcp.eu.ngrok.io:13241
Mutex: 0557bafb14c73fcc927e4c1c97522cd6
reg_key: 0557bafb14c73fcc927e4c1c97522cd6
splitter: |'|'|
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes:
  pid 2628  netsh.exe

Executes dropped EXE (1 IoC)
Processes:
  pid 2540  svhost.exe

Loads dropped DLL (1 IoC)
Processes:
  pid 3008  6339af085c42edefc5bff55a84c66e8945a567eb193cc29b497aeb0233d53e0f.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 4 IoCs)
Network flows:
  flow 2   0.tcp.eu.ngrok.io
  flow 24  0.tcp.eu.ngrok.io
  flow 30  0.tcp.eu.ngrok.io
  flow 46  0.tcp.eu.ngrok.io

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes (description, pid, process):
  Token: SeDebugPrivilege           2540  svhost.exe
  Token: 33                         2540  svhost.exe
  Token: SeIncBasePriorityPrivilege 2540  svhost.exe
  (the pair "Token: 33" / "Token: SeIncBasePriorityPrivilege" for pid 2540 svhost.exe repeats 17 times in total)

Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description, pid, process, target process):
  PID 3008 wrote to memory of 2540  6339af085c42edefc5bff55a84c66e8945a567eb193cc29b497aeb0233d53e0f.exe -> svhost.exe  (4 times)
  PID 2540 wrote to memory of 2628  svhost.exe -> netsh.exe  (4 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\6339af085c42edefc5bff55a84c66e8945a567eb193cc29b497aeb0233d53e0f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6339af085c42edefc5bff55a84c66e8945a567eb193cc29b497aeb0233d53e0f.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\svhost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\svhost.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svhost.exe" "svhost.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Roaming\svhost.exe (identical hashes to the submitted sample)
  Filesize: 37KB
  MD5: a78337c1b891d73341d4012dc77fbea1
  SHA1: e80f17b9e3650d9461234efe9cbca0cd96b0b0fb
  SHA256: 6339af085c42edefc5bff55a84c66e8945a567eb193cc29b497aeb0233d53e0f
  SHA512: 7c21e0680442c2c170cd494e32709c367e47a955ac2e61dd1f223e31ef5d400cb11eb2d5420943cc343c05df0b1b654575d2e7364f1706e42c664af4f4d0df73

memory/2540-10-0x0000000001F20000-0x0000000001F60000-memory.dmp
  Filesize: 256KB

memory/2540-12-0x0000000074790000-0x0000000074D3B000-memory.dmp
  Filesize: 5.7MB

memory/2540-13-0x0000000001F20000-0x0000000001F60000-memory.dmp
  Filesize: 256KB

memory/2540-14-0x0000000074790000-0x0000000074D3B000-memory.dmp
  Filesize: 5.7MB

memory/3008-0-0x0000000074790000-0x0000000074D3B000-memory.dmp
  Filesize: 5.7MB

memory/3008-1-0x0000000074790000-0x0000000074D3B000-memory.dmp
  Filesize: 5.7MB

memory/3008-2-0x00000000020B0000-0x00000000020F0000-memory.dmp
  Filesize: 256KB

memory/3008-11-0x0000000074790000-0x0000000074D3B000-memory.dmp
  Filesize: 5.7MB