Analysis
- max time kernel: 152s
- max time network: 158s
- submitted: 01-01-1970 00:00
Behavioral task: behavioral1
- Sample: ab00148c33790d85112a7bc1af206c05.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: ab00148c33790d85112a7bc1af206c05.exe
- Resource: win10-en-20211014
General
- Target: ab00148c33790d85112a7bc1af206c05.exe
- Size: 43KB
- MD5: ab00148c33790d85112a7bc1af206c05
- SHA1: abbfa0d381484c186be0747f3027c7799eaaa7d9
- SHA256: 6fccf76fe3b419e6da88a6fddf207463355d1ba85a2858c46a11713331c39f5a
- SHA512: 8a2fe6f9c1b85bc7533253dd085cffd590d38456b92d7d04edcd62b0a5ccf40f3f6f1b078eb2e56d55f079cd2c82e0f27f77075b73aee6c7928be92d563c3a4d
Malware Config
Extracted
- Family: njrat
- Version: Njrat 0.7 Golden By Hassan Amiri
- Botnet: topher
- C2: savedat.duckdns.org:4782
- Mutex: Windows Update
- reg_key: Windows Update
- splitter: |Hassan|
Signatures
- Executes dropped EXE (1 IoC)
  Processes: Dllhost.exe
  pid 1184: Dllhost.exe
- Drops startup file (2 IoCs)
  Processes: Dllhost.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe (process: Dllhost.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe (process: Dllhost.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: Dllhost.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\ProgramData\\Dllhost.exe\" .." (process: Dllhost.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\ProgramData\\Dllhost.exe\" .." (process: Dllhost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes: ab00148c33790d85112a7bc1af206c05.exe, Dllhost.exe
  pid 1848: ab00148c33790d85112a7bc1af206c05.exe
  pid 1184: Dllhost.exe
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes: Dllhost.exe
  Token: SeDebugPrivilege, pid 1184, Dllhost.exe (1 occurrence)
  Token: 33, pid 1184, Dllhost.exe (16 occurrences, alternating with the entry below)
  Token: SeIncBasePriorityPrivilege, pid 1184, Dllhost.exe (16 occurrences)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: ab00148c33790d85112a7bc1af206c05.exe
  PID 1848 (ab00148c33790d85112a7bc1af206c05.exe) wrote to memory of PID 1184 (Dllhost.exe), recorded 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\ab00148c33790d85112a7bc1af206c05.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ab00148c33790d85112a7bc1af206c05.exe"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - Child: C:\ProgramData\Dllhost.exe
    Command line: "C:\ProgramData\Dllhost.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\ProgramData\Dllhost.exe
  MD5: ab00148c33790d85112a7bc1af206c05
  SHA1: abbfa0d381484c186be0747f3027c7799eaaa7d9
  SHA256: 6fccf76fe3b419e6da88a6fddf207463355d1ba85a2858c46a11713331c39f5a
  SHA512: 8a2fe6f9c1b85bc7533253dd085cffd590d38456b92d7d04edcd62b0a5ccf40f3f6f1b078eb2e56d55f079cd2c82e0f27f77075b73aee6c7928be92d563c3a4d
- C:\ProgramData\Dllhost.exe
  MD5: ab00148c33790d85112a7bc1af206c05
  SHA1: abbfa0d381484c186be0747f3027c7799eaaa7d9
  SHA256: 6fccf76fe3b419e6da88a6fddf207463355d1ba85a2858c46a11713331c39f5a
  SHA512: 8a2fe6f9c1b85bc7533253dd085cffd590d38456b92d7d04edcd62b0a5ccf40f3f6f1b078eb2e56d55f079cd2c82e0f27f77075b73aee6c7928be92d563c3a4d
- memory/1184-116-0x0000000000000000-mapping.dmp
- memory/1184-119-0x00000000030F0000-0x00000000030F1000-memory.dmp
  Filesize: 4KB
- memory/1848-115-0x00000000028D0000-0x00000000028D1000-memory.dmp
  Filesize: 4KB