Analysis

- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-04-2024 17:39
Behavioral task: behavioral1

- Sample: 6339af085c42edefc5bff55a84c66e8945a567eb193cc29b497aeb0233d53e0f.exe
- Resource: win7-20240221-en (as listed for this task; the analysis header above names the win10v2004-20240412-en image)
General

- Target: 6339af085c42edefc5bff55a84c66e8945a567eb193cc29b497aeb0233d53e0f.exe
- Size: 37KB
- MD5: a78337c1b891d73341d4012dc77fbea1
- SHA1: e80f17b9e3650d9461234efe9cbca0cd96b0b0fb
- SHA256: 6339af085c42edefc5bff55a84c66e8945a567eb193cc29b497aeb0233d53e0f
- SHA512: 7c21e0680442c2c170cd494e32709c367e47a955ac2e61dd1f223e31ef5d400cb11eb2d5420943cc343c05df0b1b654575d2e7364f1706e42c664af4f4d0df73
- SSDEEP: 384:q2aIiudjtD+P3V+y0b3+LCtf1QseiXFrAF+rMRTyN/0L+EcoinblneHQM3epzXKL:TFmV10b3+LCtCViVrM+rMRa8NuzWt
Malware Config

Extracted: njrat

- Version: im523
- Botnet: MAX
- C2: 0.tcp.eu.ngrok.io:13241
- Mutex: 0557bafb14c73fcc927e4c1c97522cd6
- reg_key: 0557bafb14c73fcc927e4c1c97522cd6
- splitter: |'|'|

The C2 is an ngrok TCP tunnel, so the hostname and port resolve to ngrok's infrastructure and the operator's real address is hidden; the subdomain/port pair can change whenever the tunnel is restarted, which makes the splitter string in the plaintext TCP payload a more durable network indicator than the host. The mutex and reg_key values are the same string, the usual njRAT pattern where one identifier names both the single-instance mutex and the persistence registry value.
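The splitter above is what the RAT uses to delimit fields inside its plaintext TCP messages. The following is an added example, not the sandbox's or the malware's code: it parses a captured stream using that splitter. It assumes njRAT's documented wire format (an ASCII decimal length, a NUL byte, then the payload) and the sample stream is constructed here; only the first field of the `ll` check-in (a base64 victim ID of the form `<botnet>_<host>`) is treated as meaningful, the remaining fields are filler.

```python
"""Split and decode njRAT-style C2 frames using the extracted splitter.

Added example; it is not the sandbox's or the malware's code. It assumes
njRAT's plain-TCP wire format: an ASCII decimal length, a NUL byte, then a
payload whose fields are joined by the configured splitter. The beacon
below is constructed for this example; only its first field (a base64
victim ID of the form <botnet>_<host>) is asserted on, the rest is filler.
"""
import base64
import re

SPLITTER = "|'|'|"                     # from the extracted config
C2 = ("0.tcp.eu.ngrok.io", 13241)      # ngrok tunnel: real operator address is hidden

FRAME_HEADER = re.compile(rb"(\d{1,7})\x00")


def build_frame(command: str, *fields: str) -> bytes:
    """Encode one frame the way the client does: <len> NUL <cmd>|'|'|f1|'|'|f2..."""
    payload = SPLITTER.join((command, *fields)).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def split_frames(stream: bytes):
    """Return (complete_payloads, leftover). Stops at the first truncated frame
    so a reassembled TCP stream can be fed in chunks."""
    payloads, pos = [], 0
    while True:
        m = FRAME_HEADER.match(stream, pos)
        if not m:
            break
        start, end = m.end(), m.end() + int(m.group(1))
        if end > len(stream):
            break                       # partial frame: wait for more data
        payloads.append(stream[start:end])
        pos = end
    return payloads, stream[pos:]


def parse_payload(payload: bytes):
    """Split a payload into (command, fields) on the splitter."""
    command, *fields = payload.decode("utf-8", errors="replace").split(SPLITTER)
    return command, fields


def decode_victim_id(field: str):
    """First field of the 'll' check-in, assumed here to be base64(<botnet>_<host>)."""
    botnet, _, host = base64.b64decode(field).decode("utf-8", errors="replace").partition("_")
    return botnet, host


def looks_like_njrat(stream: bytes) -> bool:
    """IDS-style check: at least one well-formed frame whose payload contains the
    splitter. Host/port is deliberately not the primary match, since ngrok
    endpoints change between sessions."""
    payloads, _ = split_frames(stream)
    return any(SPLITTER.encode() in p for p in payloads)


# Constructed sample stream: an 'll' check-in, a 'P' keep-alive, and a
# truncated trailing frame to exercise the partial-frame path.
VICTIM_ID = base64.b64encode(b"MAX_DESKTOP-1234").decode("ascii")
SAMPLE_STREAM = (
    build_frame("ll", VICTIM_ID, "DESKTOP-1234", "Admin", "24-04-19", "",
                "Win 10 Pro SP0 x86", "No", "im523", "..",
                base64.b64encode(b"Program Manager").decode("ascii"))
    + build_frame("P")
    + b"12\x00inf"
)

if __name__ == "__main__":
    frames, rest = split_frames(SAMPLE_STREAM)
    for f in frames:
        print(parse_payload(f))
    print("leftover:", rest, "njrat-like:", looks_like_njrat(SAMPLE_STREAM))
```

Feeding the parser a reassembled stream rather than individual packets matters: the length prefix lets one frame span several segments, and the leftover bytes returned by `split_frames` are the state to carry into the next call.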
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
- process: netsh.exe (pid 1600)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- key value queried by 6339af085c42edefc5bff55a84c66e8945a567eb193cc29b497aeb0233d53e0f.exe: \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (1 IoC)
- process: svhost.exe (pid 4624)

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 4 IoCs)
- flows 38, 88, 128 and 133, all to 0.tcp.eu.ngrok.io

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (35 IoCs)
- svhost.exe (pid 4624): Token: SeDebugPrivilege once, then 34 alternating events of Token: 33 and Token: SeIncBasePriorityPrivilege. Privilege LUID 33 is SeIncreaseWorkingSetPrivilege, which the sandbox reports by number rather than by name.

Suspicious use of WriteProcessMemory (6 IoCs)
- PID 528 (6339af085c42edefc5bff55a84c66e8945a567eb193cc29b497aeb0233d53e0f.exe) wrote to memory of 4624 (svhost.exe), 3 times
- PID 4624 (svhost.exe) wrote to memory of 1600 (netsh.exe), 3 times

Each write triple targets a process the writer had just created (the same parent/child pairs appear in the process tree below), which is the pattern of a parent populating a new child's startup data during process creation rather than of code injection into an existing process.
Processes

1. C:\Users\Admin\AppData\Local\Temp\6339af085c42edefc5bff55a84c66e8945a567eb193cc29b497aeb0233d53e0f.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\6339af085c42edefc5bff55a84c66e8945a567eb193cc29b497aeb0233d53e0f.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\svhost.exe (child of 1)
      command line: "C:\Users\Admin\AppData\Roaming\svhost.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe (child of 2)
         command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svhost.exe" "svhost.exe" ENABLE
         - Modifies Windows Firewall

The dropped copy is named svhost.exe, one character short of the legitimate svchost.exe, and runs from %AppData% rather than a system directory. It then spawns the 32-bit netsh.exe (SysWOW64, consistent with the x86 sample) using the legacy "netsh firewall" context, which is deprecated in favour of "netsh advfirewall" but still accepted, to add an inbound allow rule for itself; the rule carries the display name given as the second argument ("svhost.exe"), so on an affected host it can be found with netsh advfirewall firewall show rule name="svhost.exe".
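The chain in the process tree above (dropper in Temp, self-copy to %AppData%, geofence registry lookup, self-whitelisting via netsh) as a hunting query over host telemetry. This is an added example, not part of the sandbox report: the event records are constructed in a Sysmon-like shape with field names of this example's own choosing, the PIDs, paths and netsh command line are taken from the report, and the parent of PID 528 and the benign control event are made up.

```python
"""Hunt for this report's behaviour chain in host telemetry.

Added example, not part of the sandbox report. The events below are
constructed in a Sysmon-like shape (field names are this example's own);
PIDs, paths and the netsh command line are copied from the report, while
the parent of PID 528 and the benign control at the end are made up.
"""
import re

SAMPLE = "6339af085c42edefc5bff55a84c66e8945a567eb193cc29b497aeb0233d53e0f.exe"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE
DROPPED_PATH = r"C:\Users\Admin\AppData\Roaming\svhost.exe"

USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
SYSTEM_DIRS = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)
# legacy "netsh firewall" context the sample uses; program path quoted or bare
NETSH_ALLOW = re.compile(
    r'^\s*"?(?:[a-z]:\\[^"]*\\)?netsh(?:\.exe)?"?\s+firewall\s+add\s+allowedprogram\s+'
    r'(?:"(?P<q>[a-z]:\\[^"]+)"|(?P<u>[a-z]:\\\S+))',
    re.I,
)
LOOKALIKES = {"svhost.exe": "svchost.exe"}
GEO_VALUE = re.compile(r"\\control panel\\international\\geo\\nation$", re.I)

# Constructed telemetry mirroring the report's process tree.
EVENTS = [
    {"type": "process", "pid": 528, "image": SAMPLE_PATH,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": f'"{SAMPLE_PATH}"'},
    {"type": "registry", "pid": 528,
     "key": r"\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000"
            r"\Control Panel\International\Geo\Nation"},
    {"type": "process", "pid": 4624, "image": DROPPED_PATH,
     "parent_image": SAMPLE_PATH, "cmdline": f'"{DROPPED_PATH}"'},
    {"type": "process", "pid": 1600, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "parent_image": DROPPED_PATH,
     "cmdline": f'netsh firewall add allowedprogram "{DROPPED_PATH}" "svhost.exe" ENABLE'},
    # benign control: an installer allowing a Program Files binary it did not spawn from
    {"type": "process", "pid": 2200, "image": r"C:\Windows\System32\netsh.exe",
     "parent_image": r"C:\Program Files\Vendor\setup.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Program Files\Vendor\app.exe" "Vendor App" ENABLE'},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (rule, pid) findings over a list of process/registry events."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "process":
            img, parent = e["image"], e["parent_image"]
            # a binary in the user profile launching another binary from the profile
            if USER_WRITABLE.match(img) and USER_WRITABLE.match(parent):
                findings.append(("dropped_exe_from_appdata", e["pid"]))
            # name mimics a system binary but does not live in a system directory
            if basename(img) in LOOKALIKES and not SYSTEM_DIRS.match(img):
                findings.append(("system_binary_lookalike", e["pid"]))
            m = NETSH_ALLOW.match(e["cmdline"])
            if m:
                allowed = m.group("q") or m.group("u")
                # firewall exception for something in a user-writable path
                if USER_WRITABLE.match(allowed):
                    findings.append(("firewall_allow_userpath", e["pid"]))
                # the process requesting the exception is the program being allowed
                if allowed.lower() == parent.lower():
                    findings.append(("firewall_self_whitelist", e["pid"]))
        elif e["type"] == "registry":
            p = procs.get(e["pid"])
            # geofence lookup by a process that runs out of the user profile
            if GEO_VALUE.search(e["key"]) and p and USER_WRITABLE.match(p["image"]):
                findings.append(("geo_nation_lookup_from_appdata", e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in hunt(EVENTS):
        print(f"{rule:32} pid={pid}")
```

The self-whitelist rule is the sharpest of the four: legitimate installers add exceptions for the product they install, not for the process that is running the installer, so "netsh parent image equals the allowed program" is rarely benign. The control event shows that an installer allowing a Program Files binary it did not spawn from produces no finding.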
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Roaming\svhost.exe
- Filesize: 37KB
- MD5: a78337c1b891d73341d4012dc77fbea1
- SHA1: e80f17b9e3650d9461234efe9cbca0cd96b0b0fb
- SHA256: 6339af085c42edefc5bff55a84c66e8945a567eb193cc29b497aeb0233d53e0f
- SHA512: 7c21e0680442c2c170cd494e32709c367e47a955ac2e61dd1f223e31ef5d400cb11eb2d5420943cc343c05df0b1b654575d2e7364f1706e42c664af4f4d0df73

All four hashes match the submitted sample, so the dropped svhost.exe is a byte-for-byte self-copy into %AppData% rather than a second-stage payload; one file hash covers both the initial sample and the persisted copy.

Memory dumps
- memory/528-0-0x0000000074C70000-0x0000000075221000-memory.dmp: 5.7MB
- memory/528-1-0x0000000000AB0000-0x0000000000AC0000-memory.dmp: 64KB
- memory/528-2-0x0000000074C70000-0x0000000075221000-memory.dmp: 5.7MB
- memory/528-12-0x0000000074C70000-0x0000000075221000-memory.dmp: 5.7MB
- memory/4624-14-0x00000000014D0000-0x00000000014E0000-memory.dmp: 64KB
- memory/4624-13-0x0000000074C70000-0x0000000075221000-memory.dmp: 5.7MB
- memory/4624-15-0x0000000074C70000-0x0000000075221000-memory.dmp: 5.7MB
- memory/4624-16-0x00000000014D0000-0x00000000014E0000-memory.dmp: 64KB