Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 08-11-2021 13:39
Behavioral task: behavioral1
- Sample: a601df2c73f63a84778303a96d681665.exe
- Resource: win7-en-20211104
Behavioral task: behavioral2
- Sample: a601df2c73f63a84778303a96d681665.exe
- Resource: win10-en-20211014
General
- Target: a601df2c73f63a84778303a96d681665.exe
- Size: 43KB
- MD5: a601df2c73f63a84778303a96d681665
- SHA1: e24836a3c8a577bf981df3adc0b66fdea713562f
- SHA256: 64f9f7907d9d7c486cbad8d452c75cfed218ec8b8a1dccf97764a284085919a0
- SHA512: 9c08357ecff7846b4fb526df932fe4e65b9af2f567baf0c64480ca9c94ba3812a3a4d19d76a4721b8c9ca0f3cd07e71d6aca3f414096077a08f79ada161f6f7b
Malware Config
Extracted
- Family: njrat
- Version: Njrat 0.7 Golden By Hassan Amiri
- Botnet: HacKed
- C2: 6.tcp.ngrok.io:10332
- Mutex: Windows Update
- reg_key: Windows Update
- splitter: |Hassan|
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- Executes dropped EXE (3 IoCs)
  Processes:
  PID  | Process
  820  | svhost.exe
  1888 | Server.exe
  620  | Server.exe
- Drops startup file (2 IoCs)
  Processes:
  Description                  | IoC                                                                                      | Process
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | svhost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | svhost.exe
- Loads dropped DLL (1 IoC)
  Processes:
  PID  | Process
  1052 | a601df2c73f63a84778303a96d681665.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  Description     | IoC                                                                                                                                   | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost.exe\" .." | svhost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost.exe\" .." | svhost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  PID | Process
  820 | svhost.exe
- Suspicious use of AdjustPrivilegeToken (29 IoCs)
  Processes:
  Description                       | PID | Process
  Token: SeDebugPrivilege           | 820 | svhost.exe
  Token: 33                         | 820 | svhost.exe
  Token: SeIncBasePriorityPrivilege | 820 | svhost.exe
  Token: 33                         | 820 | svhost.exe
  Token: SeIncBasePriorityPrivilege | 820 | svhost.exe
  Token: 33                         | 820 | svhost.exe
  Token: SeIncBasePriorityPrivilege | 820 | svhost.exe
  Token: 33                         | 820 | svhost.exe
  Token: SeIncBasePriorityPrivilege | 820 | svhost.exe
  Token: 33                         | 820 | svhost.exe
  Token: SeIncBasePriorityPrivilege | 820 | svhost.exe
  Token: 33                         | 820 | svhost.exe
  Token: SeIncBasePriorityPrivilege | 820 | svhost.exe
  Token: 33                         | 820 | svhost.exe
  Token: SeIncBasePriorityPrivilege | 820 | svhost.exe
  Token: 33                         | 820 | svhost.exe
  Token: SeIncBasePriorityPrivilege | 820 | svhost.exe
  Token: 33                         | 820 | svhost.exe
  Token: SeIncBasePriorityPrivilege | 820 | svhost.exe
  Token: 33                         | 820 | svhost.exe
  Token: SeIncBasePriorityPrivilege | 820 | svhost.exe
  Token: 33                         | 820 | svhost.exe
  Token: SeIncBasePriorityPrivilege | 820 | svhost.exe
  Token: 33                         | 820 | svhost.exe
  Token: SeIncBasePriorityPrivilege | 820 | svhost.exe
  Token: 33                         | 820 | svhost.exe
  Token: SeIncBasePriorityPrivilege | 820 | svhost.exe
  Token: 33                         | 820 | svhost.exe
  Token: SeIncBasePriorityPrivilege | 820 | svhost.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes:
  Description                   | PID  | Process                              | Target process
  PID 1052 wrote to memory of 820  | 1052 | a601df2c73f63a84778303a96d681665.exe | svhost.exe
  PID 1052 wrote to memory of 820  | 1052 | a601df2c73f63a84778303a96d681665.exe | svhost.exe
  PID 1052 wrote to memory of 820  | 1052 | a601df2c73f63a84778303a96d681665.exe | svhost.exe
  PID 1052 wrote to memory of 820  | 1052 | a601df2c73f63a84778303a96d681665.exe | svhost.exe
  PID 820 wrote to memory of 1124  | 820  | svhost.exe                           | schtasks.exe
  PID 820 wrote to memory of 1124  | 820  | svhost.exe                           | schtasks.exe
  PID 820 wrote to memory of 1124  | 820  | svhost.exe                           | schtasks.exe
  PID 820 wrote to memory of 1124  | 820  | svhost.exe                           | schtasks.exe
  PID 996 wrote to memory of 1888  | 996  | taskeng.exe                          | Server.exe
  PID 996 wrote to memory of 1888  | 996  | taskeng.exe                          | Server.exe
  PID 996 wrote to memory of 1888  | 996  | taskeng.exe                          | Server.exe
  PID 996 wrote to memory of 1888  | 996  | taskeng.exe                          | Server.exe
  PID 996 wrote to memory of 620   | 996  | taskeng.exe                          | Server.exe
  PID 996 wrote to memory of 620   | 996  | taskeng.exe                          | Server.exe
  PID 996 wrote to memory of 620   | 996  | taskeng.exe                          | Server.exe
  PID 996 wrote to memory of 620   | 996  | taskeng.exe                          | Server.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a601df2c73f63a84778303a96d681665.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a601df2c73f63a84778303a96d681665.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\svhost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
      - Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {FCA90A54-8552-44E2-AAA9-EBCA5B0F66D8} S-1-5-21-103686315-404690609-2047157615-1000:EDWYFHKN\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Server.exe
    Command line: C:\Users\Admin\AppData\Local\Temp/Server.exe
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\Server.exe
    Command line: C:\Users\Admin\AppData\Local\Temp/Server.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  MD5: a601df2c73f63a84778303a96d681665
  SHA1: e24836a3c8a577bf981df3adc0b66fdea713562f
  SHA256: 64f9f7907d9d7c486cbad8d452c75cfed218ec8b8a1dccf97764a284085919a0
  SHA512: 9c08357ecff7846b4fb526df932fe4e65b9af2f567baf0c64480ca9c94ba3812a3a4d19d76a4721b8c9ca0f3cd07e71d6aca3f414096077a08f79ada161f6f7b
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  MD5: a601df2c73f63a84778303a96d681665
  SHA1: e24836a3c8a577bf981df3adc0b66fdea713562f
  SHA256: 64f9f7907d9d7c486cbad8d452c75cfed218ec8b8a1dccf97764a284085919a0
  SHA512: 9c08357ecff7846b4fb526df932fe4e65b9af2f567baf0c64480ca9c94ba3812a3a4d19d76a4721b8c9ca0f3cd07e71d6aca3f414096077a08f79ada161f6f7b
- \Users\Admin\AppData\Local\Temp\svhost.exe
  MD5: a601df2c73f63a84778303a96d681665
  SHA1: e24836a3c8a577bf981df3adc0b66fdea713562f
  SHA256: 64f9f7907d9d7c486cbad8d452c75cfed218ec8b8a1dccf97764a284085919a0
  SHA512: 9c08357ecff7846b4fb526df932fe4e65b9af2f567baf0c64480ca9c94ba3812a3a4d19d76a4721b8c9ca0f3cd07e71d6aca3f414096077a08f79ada161f6f7b
- memory/620-78-0x0000000001FA0000-0x0000000001FA1000-memory.dmp
  Filesize: 4KB
- memory/620-76-0x0000000000170000-0x0000000000171000-memory.dmp
  Filesize: 4KB
- memory/620-74-0x0000000000000000-mapping.dmp
- memory/820-60-0x0000000000000000-mapping.dmp
- memory/820-65-0x0000000004C30000-0x0000000004C31000-memory.dmp
  Filesize: 4KB
- memory/820-63-0x0000000000260000-0x0000000000261000-memory.dmp
  Filesize: 4KB
- memory/1052-55-0x0000000000190000-0x0000000000191000-memory.dmp
  Filesize: 4KB
- memory/1052-58-0x0000000074E51000-0x0000000074E53000-memory.dmp
  Filesize: 8KB
- memory/1052-57-0x0000000001E70000-0x0000000001E71000-memory.dmp
  Filesize: 4KB
- memory/1124-67-0x0000000000000000-mapping.dmp
- memory/1888-69-0x0000000000000000-mapping.dmp
- memory/1888-71-0x0000000000250000-0x0000000000251000-memory.dmp
  Filesize: 4KB
- memory/1888-73-0x0000000004D60000-0x0000000004D61000-memory.dmp
  Filesize: 4KB