Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 19-04-2024 17:39
Behavioral task: behavioral1
- Sample: 6339af085c42edefc5bff55a84c66e8945a567eb193cc29b497aeb0233d53e0f.exe
- Resource: win7-20240221-en
General
- Target: 6339af085c42edefc5bff55a84c66e8945a567eb193cc29b497aeb0233d53e0f.exe
- Size: 37KB
- MD5: a78337c1b891d73341d4012dc77fbea1
- SHA1: e80f17b9e3650d9461234efe9cbca0cd96b0b0fb
- SHA256: 6339af085c42edefc5bff55a84c66e8945a567eb193cc29b497aeb0233d53e0f
- SHA512: 7c21e0680442c2c170cd494e32709c367e47a955ac2e61dd1f223e31ef5d400cb11eb2d5420943cc343c05df0b1b654575d2e7364f1706e42c664af4f4d0df73
- SSDEEP: 384:q2aIiudjtD+P3V+y0b3+LCtf1QseiXFrAF+rMRTyN/0L+EcoinblneHQM3epzXKL:TFmV10b3+LCtCViVrM+rMRa8NuzWt
Malware Config
Extracted
- Family: njrat
- Version: im523
- Botnet: MAX
- C2: 0.tcp.eu.ngrok.io:13241
- Mutex: 0557bafb14c73fcc927e4c1c97522cd6
- reg_key: 0557bafb14c73fcc927e4c1c97522cd6
- splitter: |'|'|
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes: netsh.exe (PID 2564)
- Executes dropped EXE (1 IoC)
  Processes: svhost.exe (PID 2392)
- Loads dropped DLL (1 IoC)
  Processes: 6339af085c42edefc5bff55a84c66e8945a567eb193cc29b497aeb0233d53e0f.exe (PID 2864)
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes: svhost.exe (PID 2392)
  Token: SeDebugPrivilege (once), then Token: 33 and Token: SeIncBasePriorityPrivilege alternating (17 times each)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 6339af085c42edefc5bff55a84c66e8945a567eb193cc29b497aeb0233d53e0f.exe, svhost.exe
  PID 2864 (6339af085c42edefc5bff55a84c66e8945a567eb193cc29b497aeb0233d53e0f.exe) wrote to memory of PID 2392 (svhost.exe): 4 times
  PID 2392 (svhost.exe) wrote to memory of PID 2564 (netsh.exe): 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\6339af085c42edefc5bff55a84c66e8945a567eb193cc29b497aeb0233d53e0f.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6339af085c42edefc5bff55a84c66e8945a567eb193cc29b497aeb0233d53e0f.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\svhost.exe (depth 2, child of the above)
    Command line: "C:\Users\Admin\AppData\Roaming\svhost.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (depth 3, child of svhost.exe)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svhost.exe" "svhost.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Roaming\svhost.exe (same hashes as the submitted sample)
  Filesize: 37KB
  MD5: a78337c1b891d73341d4012dc77fbea1
  SHA1: e80f17b9e3650d9461234efe9cbca0cd96b0b0fb
  SHA256: 6339af085c42edefc5bff55a84c66e8945a567eb193cc29b497aeb0233d53e0f
  SHA512: 7c21e0680442c2c170cd494e32709c367e47a955ac2e61dd1f223e31ef5d400cb11eb2d5420943cc343c05df0b1b654575d2e7364f1706e42c664af4f4d0df73
- Memory dumps (filename, filesize):
  memory/2392-12-0x00000000005F0000-0x0000000000630000-memory.dmp: 256KB
  memory/2392-10-0x0000000074B60000-0x000000007510B000-memory.dmp: 5.7MB
  memory/2392-13-0x0000000074B60000-0x000000007510B000-memory.dmp: 5.7MB
  memory/2392-14-0x0000000074B60000-0x000000007510B000-memory.dmp: 5.7MB
  memory/2864-0-0x0000000074B60000-0x000000007510B000-memory.dmp: 5.7MB
  memory/2864-1-0x0000000001FB0000-0x0000000001FF0000-memory.dmp: 256KB
  memory/2864-2-0x0000000074B60000-0x000000007510B000-memory.dmp: 5.7MB
  memory/2864-11-0x0000000074B60000-0x000000007510B000-memory.dmp: 5.7MB