Analysis
-
max time kernel
151s -
max time network
156s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
25-10-2021 19:52
Static task
static1
Behavioral task
behavioral1
Sample
B7D0DED75D90D6564378AA3CEF07EE6D81043AE8F8E51.exe
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
B7D0DED75D90D6564378AA3CEF07EE6D81043AE8F8E51.exe
Resource
win10-en-20211014
General
-
Target
B7D0DED75D90D6564378AA3CEF07EE6D81043AE8F8E51.exe
-
Size
491KB
-
MD5
38ce6952a20ff8bad29372531d7d18c0
-
SHA1
394502b774b18e13b84b624cb6309e82b0980dd4
-
SHA256
b7d0ded75d90d6564378aa3cef07ee6d81043ae8f8e51fd0ea9c459617933a42
-
SHA512
6b27b9537a28d9ae10780a30eef68a6fceebaf8e1cb77307c59884e9be82b9fb37c7ee3c3c12ea34814c4d6840f25954fe505f0201a9e788d43a443bcaa718a2
Malware Config
Extracted
njrat
Njrat 0.7 Golden By Hassan Amiri
m1
6.tcp.ngrok.io:16704
Windows Update
-
reg_key
Windows Update
-
splitter
|Hassan|
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
Server.sfx.exeServer.exeTemp.exepid process 1152 Server.sfx.exe 3532 Server.exe 728 Temp.exe -
Drops startup file 2 IoCs
Processes:
Temp.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe Temp.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe Temp.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Temp.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp.exe\" .." Temp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp.exe\" .." Temp.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
Server.exeTemp.exepid process 3532 Server.exe 728 Temp.exe -
Suspicious use of AdjustPrivilegeToken 27 IoCs
Processes:
Temp.exedescription pid process Token: SeDebugPrivilege 728 Temp.exe Token: 33 728 Temp.exe Token: SeIncBasePriorityPrivilege 728 Temp.exe Token: 33 728 Temp.exe Token: SeIncBasePriorityPrivilege 728 Temp.exe Token: 33 728 Temp.exe Token: SeIncBasePriorityPrivilege 728 Temp.exe Token: 33 728 Temp.exe Token: SeIncBasePriorityPrivilege 728 Temp.exe Token: 33 728 Temp.exe Token: SeIncBasePriorityPrivilege 728 Temp.exe Token: 33 728 Temp.exe Token: SeIncBasePriorityPrivilege 728 Temp.exe Token: 33 728 Temp.exe Token: SeIncBasePriorityPrivilege 728 Temp.exe Token: 33 728 Temp.exe Token: SeIncBasePriorityPrivilege 728 Temp.exe Token: 33 728 Temp.exe Token: SeIncBasePriorityPrivilege 728 Temp.exe Token: 33 728 Temp.exe Token: SeIncBasePriorityPrivilege 728 Temp.exe Token: 33 728 Temp.exe Token: SeIncBasePriorityPrivilege 728 Temp.exe Token: 33 728 Temp.exe Token: SeIncBasePriorityPrivilege 728 Temp.exe Token: 33 728 Temp.exe Token: SeIncBasePriorityPrivilege 728 Temp.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
B7D0DED75D90D6564378AA3CEF07EE6D81043AE8F8E51.execmd.exeServer.sfx.exeServer.exeTemp.exedescription pid process target process PID 2832 wrote to memory of 768 2832 B7D0DED75D90D6564378AA3CEF07EE6D81043AE8F8E51.exe cmd.exe PID 2832 wrote to memory of 768 2832 B7D0DED75D90D6564378AA3CEF07EE6D81043AE8F8E51.exe cmd.exe PID 2832 wrote to memory of 768 2832 B7D0DED75D90D6564378AA3CEF07EE6D81043AE8F8E51.exe cmd.exe PID 768 wrote to memory of 1152 768 cmd.exe Server.sfx.exe PID 768 wrote to memory of 1152 768 cmd.exe Server.sfx.exe PID 768 wrote to memory of 1152 768 cmd.exe Server.sfx.exe PID 1152 wrote to memory of 3532 1152 Server.sfx.exe Server.exe PID 1152 wrote to memory of 3532 1152 Server.sfx.exe Server.exe PID 1152 wrote to memory of 3532 1152 Server.sfx.exe Server.exe PID 3532 wrote to memory of 728 3532 Server.exe Temp.exe PID 3532 wrote to memory of 728 3532 Server.exe Temp.exe PID 3532 wrote to memory of 728 3532 Server.exe Temp.exe PID 728 wrote to memory of 3716 728 Temp.exe schtasks.exe PID 728 wrote to memory of 3716 728 Temp.exe schtasks.exe PID 728 wrote to memory of 3716 728 Temp.exe schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\B7D0DED75D90D6564378AA3CEF07EE6D81043AE8F8E51.exe"C:\Users\Admin\AppData\Local\Temp\B7D0DED75D90D6564378AA3CEF07EE6D81043AE8F8E51.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.sfx.exeServer.sfx.exe -p11113⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Temp.exe"C:\Users\Admin\AppData\Local\Temp\Temp.exe"5⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe6⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.batMD5
cec92223347872a8799157529419bce8
SHA16b8f96b457ec8c7419a298345dbb0fc1225a1019
SHA2567e09c9d1af9ca8d68ae70dc90dc2a92d35dcae7de44da8052998ba0db6dead85
SHA5121cdea463a3554f35caa357d4fa271282ff17b831a4985eda03c3fd494d4a15171c3eb7206a50fff6ae01cf2ed598b7394e56ec0034b9497ffb841cb15e12e1d0
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.sfx.exeMD5
0151a4149ba60b63001bdb6e42e208cb
SHA1ff645213728b329d1283c85dc80fea300cfa0e49
SHA2566f75507d27249b6729889ae8f77613ad2f2b01fb7deff271b0e2cf8bcfa98e60
SHA5129deaf287b14ed8dfed9220f3bbe2a023ba2f16537eb199c75804e02861cae41c63eebfb7ee9cd4b7a2f4f49aefbfeeea8b235ce7eab516a72454b9e78825afa0
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.sfx.exeMD5
0151a4149ba60b63001bdb6e42e208cb
SHA1ff645213728b329d1283c85dc80fea300cfa0e49
SHA2566f75507d27249b6729889ae8f77613ad2f2b01fb7deff271b0e2cf8bcfa98e60
SHA5129deaf287b14ed8dfed9220f3bbe2a023ba2f16537eb199c75804e02861cae41c63eebfb7ee9cd4b7a2f4f49aefbfeeea8b235ce7eab516a72454b9e78825afa0
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exeMD5
df24ae4ef4f5e04599c3f3a12b1f186b
SHA189472d86e58137da606226eec065100a18d4d856
SHA256e5b82a70a90522c865a40cda14ef8477ebc5adc580ca43103bea3001d28265fd
SHA512e42ccd4f6e192a4624465f209e0b3dc0133cf08ef64ad2da72b5ac521c95e683c0dfbc8ee45bf9d2191fd38dd253de00fe0a07d73c0b92dcc1bc9b863ba77a70
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exeMD5
df24ae4ef4f5e04599c3f3a12b1f186b
SHA189472d86e58137da606226eec065100a18d4d856
SHA256e5b82a70a90522c865a40cda14ef8477ebc5adc580ca43103bea3001d28265fd
SHA512e42ccd4f6e192a4624465f209e0b3dc0133cf08ef64ad2da72b5ac521c95e683c0dfbc8ee45bf9d2191fd38dd253de00fe0a07d73c0b92dcc1bc9b863ba77a70
-
C:\Users\Admin\AppData\Local\Temp\Temp.exeMD5
df24ae4ef4f5e04599c3f3a12b1f186b
SHA189472d86e58137da606226eec065100a18d4d856
SHA256e5b82a70a90522c865a40cda14ef8477ebc5adc580ca43103bea3001d28265fd
SHA512e42ccd4f6e192a4624465f209e0b3dc0133cf08ef64ad2da72b5ac521c95e683c0dfbc8ee45bf9d2191fd38dd253de00fe0a07d73c0b92dcc1bc9b863ba77a70
-
C:\Users\Admin\AppData\Local\Temp\Temp.exeMD5
df24ae4ef4f5e04599c3f3a12b1f186b
SHA189472d86e58137da606226eec065100a18d4d856
SHA256e5b82a70a90522c865a40cda14ef8477ebc5adc580ca43103bea3001d28265fd
SHA512e42ccd4f6e192a4624465f209e0b3dc0133cf08ef64ad2da72b5ac521c95e683c0dfbc8ee45bf9d2191fd38dd253de00fe0a07d73c0b92dcc1bc9b863ba77a70
-
memory/728-141-0x0000000004C30000-0x0000000004C31000-memory.dmpFilesize
4KB
-
memory/728-143-0x0000000004A80000-0x0000000004A81000-memory.dmpFilesize
4KB
-
memory/728-133-0x0000000000000000-mapping.dmp
-
memory/728-144-0x0000000004F10000-0x0000000004F11000-memory.dmpFilesize
4KB
-
memory/728-145-0x0000000005E30000-0x0000000005E31000-memory.dmpFilesize
4KB
-
memory/768-117-0x0000000000000000-mapping.dmp
-
memory/1152-121-0x00000000002B0000-0x00000000002B1000-memory.dmpFilesize
4KB
-
memory/1152-122-0x00000000002B0000-0x00000000002B1000-memory.dmpFilesize
4KB
-
memory/1152-119-0x0000000000000000-mapping.dmp
-
memory/2832-116-0x0000000000660000-0x0000000000661000-memory.dmpFilesize
4KB
-
memory/2832-115-0x0000000000660000-0x0000000000661000-memory.dmpFilesize
4KB
-
memory/3532-130-0x0000000005BA0000-0x0000000005BA1000-memory.dmpFilesize
4KB
-
memory/3532-131-0x0000000005740000-0x0000000005741000-memory.dmpFilesize
4KB
-
memory/3532-132-0x0000000005490000-0x0000000005491000-memory.dmpFilesize
4KB
-
memory/3532-129-0x0000000005320000-0x0000000005321000-memory.dmpFilesize
4KB
-
memory/3532-127-0x0000000000A80000-0x0000000000A81000-memory.dmpFilesize
4KB
-
memory/3532-124-0x0000000000000000-mapping.dmp
-
memory/3716-142-0x0000000000000000-mapping.dmp