Analysis Overview
SHA256
ce78bc90ee00ff4ba34b9a98c6cc88f55d93a3ac3366bb587421f4e55f4f86ad
Threat Level: Known bad
The file svchost.exe was found to be: Known bad.
Malicious Activity Summary
Njrat family
Drops startup file
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Unsigned PE
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Opens file in notepad (likely ransom note)
Analysis: static1
Detonation Overview
Reported
2024-06-22 14:24
Signatures
Njrat family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 14:24
Reported
2024-06-22 14:27
Platform
win10-20240404-en
Max time kernel
150s
Max time network
144s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.url | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Edge = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Edge = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | 2.tcp.eu.ngrok.io | N/A | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4240 wrote to memory of 876 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 4240 wrote to memory of 876 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 4240 wrote to memory of 876 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 4240 wrote to memory of 3244 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Windows\SysWOW64\NOTEPAD.EXE |
| PID 4240 wrote to memory of 3244 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Windows\SysWOW64\NOTEPAD.EXE |
| PID 4240 wrote to memory of 3244 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Windows\SysWOW64\NOTEPAD.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Discord.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\c8c44b310a27434084a6764e7e90a2a5.txt
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.tcp.eu.ngrok.io | udp |
| DE | 3.126.37.18:11166 | 2.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 18.37.126.3.in-addr.arpa | udp |
| DE | 3.126.37.18:11166 | 2.tcp.eu.ngrok.io | tcp |
| US | 52.111.227.14:443 | N/A | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp |
Files
memory/4240-0-0x0000000073FA1000-0x0000000073FA2000-memory.dmp
memory/4240-1-0x0000000073FA0000-0x0000000074550000-memory.dmp
memory/4240-2-0x0000000073FA0000-0x0000000074550000-memory.dmp
memory/4240-6-0x0000000073FA0000-0x0000000074550000-memory.dmp
memory/4240-7-0x0000000073FA0000-0x0000000074550000-memory.dmp
memory/4240-8-0x0000000073FA0000-0x0000000074550000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\c8c44b310a27434084a6764e7e90a2a5.txt
| MD5 | 32b0fe8f73a05f68dc10feef1bea16d9 |
| SHA1 | 44d3ef03dfa8f1f462849c140049f98646d1beef |
| SHA256 | f4eb5dbf434a5df65d7669a42f1b9130878b224a6c20dd8fa76d814de84586a9 |
| SHA512 | c16d2417d71da0cb2685b5a4b1cf224aae155e3b135b08b56747021644127f18fb81d45cd9d520714d6730f8b5045f4ae856afc2d9072eee06e14223daabfca1 |