Analysis
- max time kernel: 149s
- max time network: 185s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 26-10-2021 07:36
Behavioral task: behavioral1
- Sample: a872f0414e0834acab687a8beb9b3a6b.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: a872f0414e0834acab687a8beb9b3a6b.exe
- Resource: win10-en-20211014
General
- Target: a872f0414e0834acab687a8beb9b3a6b.exe
- Size: 43KB
- MD5: a872f0414e0834acab687a8beb9b3a6b
- SHA1: 3c5e60d56a0fe1378453e38ee4be9a589f3f6f83
- SHA256: e5a4e8eda9d21d29b21f4d665823cdcbf9fb7004c8a4e6f74df126249b46c67f
- SHA512: 22c82bfdf3026e000bbbc2601598a55402ddcf73cdee1a36a94b2f2669bb9d2926f9dbb78d2d8a1be2c0b08c86b5085bc8e2971663e69ec8d559caf5088be8db
Malware Config
Extracted: njrat
- Njrat 0.7 Golden By Hassan Amiri
- ???
- 0.tcp.ngrok.io:15651
- Windows Update
- reg_key: Windows Update
- splitter: |Hassan|
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    1736  Dllhost.exe
    1080  Server.exe
    1168  Server.exe
- Drops startup file (2 IoCs)
  Processes:
    description                   process      ioc
    File created                  Dllhost.exe  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe
    File opened for modification  Dllhost.exe  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid  process
    368  a872f0414e0834acab687a8beb9b3a6b.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description      process      ioc
    Set value (str)  Dllhost.exe  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\Dllhost.exe\" .."
    Set value (str)  Dllhost.exe  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\Dllhost.exe\" .."
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid   process
    1736  Dllhost.exe
- Suspicious use of AdjustPrivilegeToken (29 IoCs)
  Processes (identical rows collapsed, with a count):
    token                       pid   process      count
    SeDebugPrivilege            1736  Dllhost.exe  1
    33                          1736  Dllhost.exe  14
    SeIncBasePriorityPrivilege  1736  Dllhost.exe  14
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (identical rows collapsed, with a count):
    pid   process                               target process  count
    368   a872f0414e0834acab687a8beb9b3a6b.exe  Dllhost.exe     4  (wrote to memory of 1736)
    1736  Dllhost.exe                           schtasks.exe    4  (wrote to memory of 1452)
    1192  taskeng.exe                           Server.exe      4  (wrote to memory of 1080)
    1192  taskeng.exe                           Server.exe      4  (wrote to memory of 1168)
Processes
- C:\Users\Admin\AppData\Local\Temp\a872f0414e0834acab687a8beb9b3a6b.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a872f0414e0834acab687a8beb9b3a6b.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Dllhost.exe
    command line: "C:\Users\Admin\AppData\Roaming\Dllhost.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
      - Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {0DEA3A45-67DD-49E1-919B-7273CE2911A5} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Server.exe
    command line: C:\Users\Admin\AppData\Local\Temp/Server.exe
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\Server.exe
    command line: C:\Users\Admin\AppData\Local\Temp/Server.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  MD5: a872f0414e0834acab687a8beb9b3a6b
  SHA1: 3c5e60d56a0fe1378453e38ee4be9a589f3f6f83
  SHA256: e5a4e8eda9d21d29b21f4d665823cdcbf9fb7004c8a4e6f74df126249b46c67f
  SHA512: 22c82bfdf3026e000bbbc2601598a55402ddcf73cdee1a36a94b2f2669bb9d2926f9dbb78d2d8a1be2c0b08c86b5085bc8e2971663e69ec8d559caf5088be8db
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  MD5: a872f0414e0834acab687a8beb9b3a6b
  SHA1: 3c5e60d56a0fe1378453e38ee4be9a589f3f6f83
  SHA256: e5a4e8eda9d21d29b21f4d665823cdcbf9fb7004c8a4e6f74df126249b46c67f
  SHA512: 22c82bfdf3026e000bbbc2601598a55402ddcf73cdee1a36a94b2f2669bb9d2926f9dbb78d2d8a1be2c0b08c86b5085bc8e2971663e69ec8d559caf5088be8db
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  MD5: a872f0414e0834acab687a8beb9b3a6b
  SHA1: 3c5e60d56a0fe1378453e38ee4be9a589f3f6f83
  SHA256: e5a4e8eda9d21d29b21f4d665823cdcbf9fb7004c8a4e6f74df126249b46c67f
  SHA512: 22c82bfdf3026e000bbbc2601598a55402ddcf73cdee1a36a94b2f2669bb9d2926f9dbb78d2d8a1be2c0b08c86b5085bc8e2971663e69ec8d559caf5088be8db
- C:\Users\Admin\AppData\Roaming\Dllhost.exe
  MD5: a872f0414e0834acab687a8beb9b3a6b
  SHA1: 3c5e60d56a0fe1378453e38ee4be9a589f3f6f83
  SHA256: e5a4e8eda9d21d29b21f4d665823cdcbf9fb7004c8a4e6f74df126249b46c67f
  SHA512: 22c82bfdf3026e000bbbc2601598a55402ddcf73cdee1a36a94b2f2669bb9d2926f9dbb78d2d8a1be2c0b08c86b5085bc8e2971663e69ec8d559caf5088be8db
- C:\Users\Admin\AppData\Roaming\Dllhost.exe
  MD5: a872f0414e0834acab687a8beb9b3a6b
  SHA1: 3c5e60d56a0fe1378453e38ee4be9a589f3f6f83
  SHA256: e5a4e8eda9d21d29b21f4d665823cdcbf9fb7004c8a4e6f74df126249b46c67f
  SHA512: 22c82bfdf3026e000bbbc2601598a55402ddcf73cdee1a36a94b2f2669bb9d2926f9dbb78d2d8a1be2c0b08c86b5085bc8e2971663e69ec8d559caf5088be8db
- \Users\Admin\AppData\Roaming\Dllhost.exe
  MD5: a872f0414e0834acab687a8beb9b3a6b
  SHA1: 3c5e60d56a0fe1378453e38ee4be9a589f3f6f83
  SHA256: e5a4e8eda9d21d29b21f4d665823cdcbf9fb7004c8a4e6f74df126249b46c67f
  SHA512: 22c82bfdf3026e000bbbc2601598a55402ddcf73cdee1a36a94b2f2669bb9d2926f9dbb78d2d8a1be2c0b08c86b5085bc8e2971663e69ec8d559caf5088be8db
Memory dumps
  dump                                                             filesize
  memory/368-56-0x0000000004CB0000-0x0000000004CB1000-memory.dmp   4KB
  memory/368-54-0x00000000000C0000-0x00000000000C1000-memory.dmp   4KB
  memory/368-57-0x0000000074B41000-0x0000000074B43000-memory.dmp   8KB
  memory/1080-67-0x0000000000000000-mapping.dmp                    -
  memory/1080-69-0x0000000000B20000-0x0000000000B21000-memory.dmp  4KB
  memory/1080-71-0x0000000002070000-0x0000000002071000-memory.dmp  4KB
  memory/1168-76-0x0000000004DF0000-0x0000000004DF1000-memory.dmp  4KB
  memory/1168-74-0x0000000000F60000-0x0000000000F61000-memory.dmp  4KB
  memory/1168-72-0x0000000000000000-mapping.dmp                    -
  memory/1452-65-0x0000000000000000-mapping.dmp                    -
  memory/1736-62-0x00000000000E0000-0x00000000000E1000-memory.dmp  4KB
  memory/1736-59-0x0000000000000000-mapping.dmp                    -
  memory/1736-64-0x0000000004C40000-0x0000000004C41000-memory.dmp  4KB