Analysis

- max time kernel: 149s
- max time network: 149s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 28-12-2021 03:32

Static task: static1
Behavioral task: behavioral1
- Sample: a257fb9da7db9e80d787283985c8121c.exe
- Resource: win7-en-20211208
General

- Target: a257fb9da7db9e80d787283985c8121c.exe
- Size: 25KB
- MD5: a257fb9da7db9e80d787283985c8121c
- SHA1: 2c5a07669e3f0e263b7e4eafe79241e03d2683a1
- SHA256: e53485cd1127d2af7d09d0e7d971f92d13ac910ec1124055868107fa9738648c
- SHA512: 04cae19f1d1720f1e2ff8e88a89fea0bb4d40895968ab48588a3cedc6b0c3158430db9093c99a573eb4937bdb2e3d98c925c29c7226e8df46a8f49d491ac02c8
Malware Config

Extracted
- Family: njrat
- Version: Njrat 0.7 Golden By Hassan Amiri
- PC
- C2: 8.tcp.ngrok.io:17931
- Windows Update
- reg_key: Windows Update
- splitter: |Hassan|

Notes on the extracted config: the C2 is an ngrok TCP tunnel endpoint, so the operator's real listener sits behind ngrok and the hostname/port pair is reassigned between tunnel sessions; the *.tcp.ngrok.io pattern is the durable indicator, the port 17931 is not. The splitter is the field delimiter njRAT uses in its C2 messages, and reg_key is the value name it uses for a Run-key autostart; no Run-key write appears among this run's signatures, where persistence shows up instead as a Startup-folder drop and a scheduled task (see below).
Signatures

- Executes dropped EXE (3 IoCs)
  pid   process
  3956  windows_update.exe
  856   Server.exe
  1836  Server.exe

- Drops startup file (2 IoCs)
  process             description                   ioc
  windows_update.exe  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe
  windows_update.exe  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Caveat: the ransomware hint is the sandbox's generic text for this signature. Nothing else in this report supports it (no mass file modification, no ransom note), and the extracted config identifies the family as njRAT, a remote-access trojan.

- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution. Here windows_update.exe (PID 3956) spawns schtasks.exe (PID 4360) to register a task named "Server" that runs every minute (command line in the Processes section).

- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid   process
  3604  a257fb9da7db9e80d787283985c8121c.exe
  3956  windows_update.exe
  Rapid GetForegroundWindow polling is typical of keyloggers that record the active window title, which njRAT's keylogger does; both the submitted binary and its copy exhibit it.

- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  All 31 events come from windows_update.exe (PID 3956): SeDebugPrivilege once, followed by the pair Token 33 / SeIncBasePriorityPrivilege repeated 15 times. The sandbox reports privilege 33 by its LUID; LUID 33 is SeIncreaseWorkingSetPrivilege.

- Suspicious use of WriteProcessMemory (4 IoCs)
  source pid  source process                        target pid  target process
  3604        a257fb9da7db9e80d787283985c8121c.exe  3956        windows_update.exe  (2 events)
  3956        windows_update.exe                    4360        schtasks.exe        (2 events)
  Both targets are the writer's direct children in the process tree below, which is consistent with ordinary process creation rather than injection into an already-running process.
Processes

- C:\Users\Admin\AppData\Local\Temp\a257fb9da7db9e80d787283985c8121c.exe  (PID 3604)
  "C:\Users\Admin\AppData\Local\Temp\a257fb9da7db9e80d787283985c8121c.exe"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\windows_update.exe  (PID 3956)
    "C:\Users\Admin\AppData\Roaming\windows_update.exe"
    - Executes dropped EXE
    - Drops startup file
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\schtasks.exe  (PID 4360)
      schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
      - Creates scheduled task(s)

- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp/Server.exe
  - Executes dropped EXE

- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp/Server.exe
  - Executes dropped EXE

The two Server.exe instances (PIDs 856 and 1836 in the signatures) have no parent in the tree because they are started by the Task Scheduler from the "Server" task registered above, which fires every minute; their command line reproduces the mixed-separator path from the /tr argument verbatim. Per the Downloads section, windows_update.exe and Server.exe carry exactly the hashes of the submitted sample, so the chain is one njRAT binary copying itself to %APPDATA% and %TEMP% and arranging two independent persistence paths (Startup folder and scheduled task).
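As an added example (not part of the sandbox report, and not njRAT's or the sandbox's code), the following Python runs the detection logic a SOC would derive from this process tree over a handful of constructed event records that mirror it: a schtasks /create with a minute interval whose action lives in a user-writable directory, an executable written to the per-user Startup folder, and a TCP connection to an ngrok tunnel endpoint. The event schema (type, pid, ppid, image, cmdline, path, dst_host, dst_port) is an assumption for illustration, not Sysmon's or the sandbox's format; the regional ngrok hostname variant accepted by the regex is also an assumption. It also correlates the two persistence mechanisms back to the single process that set both up, which the flat signature list does not do.

```python
"""Detection logic for the persistence chain in this report, run over constructed events.

The event records are hand-written (constructed) to mirror the report's process tree,
Startup-folder drop and C2 address; they are not the sandbox's raw log format.
"""
import re

# 8.tcp.ngrok.io is the report's C2; the optional two-letter region label is an assumption.
NGROK_TCP = re.compile(r"^\d+\.tcp\.(?:[a-z]{2}\.)?ngrok\.io$", re.IGNORECASE)
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")

# Constructed events (pids, paths and C2 taken from the report; event layout is assumed).
EVENTS = [
    {"type": "process", "pid": 3604, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\a257fb9da7db9e80d787283985c8121c.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\a257fb9da7db9e80d787283985c8121c.exe"},
    {"type": "process", "pid": 3956, "ppid": 3604,
     "image": r"C:\Users\Admin\AppData\Roaming\windows_update.exe",
     "cmdline": r"C:\Users\Admin\AppData\Roaming\windows_update.exe"},
    {"type": "process", "pid": 4360, "ppid": 3956,
     "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r"schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe"},
    {"type": "file", "pid": 3956,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe"},
    {"type": "network", "pid": 3956, "dst_host": "8.tcp.ngrok.io", "dst_port": 17931},
    # Benign control (constructed): a daily task under Program Files must not fire.
    {"type": "process", "pid": 5000, "ppid": 1000,
     "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r'schtasks /create /sc daily /tn Backup /tr "C:\Program Files\Backup\backup.exe"'},
]


def norm(path: str) -> str:
    """Lower-case and unify separators. The report's /tr value mixes '\\' and '/'
    (Temp/Server.exe); Windows accepts that, exact-string signatures miss it."""
    return path.replace("/", "\\").lower()


def parse_schtasks(cmdline: str) -> dict:
    """Split a schtasks command line into {switch: value}; flags with no value map to ''."""
    args, key = {}, None
    for tok in cmdline.split()[1:]:
        if tok.startswith("/"):
            key = tok.lower()
            args[key] = ""
        elif key is not None:
            args[key] = (args[key] + " " + tok).strip()
    return args


def suspicious_task(cmdline: str) -> bool:
    """/create with a minute-granularity schedule whose action is in a user-writable dir."""
    a = parse_schtasks(cmdline)
    if "/create" not in a:
        return False
    mo = a.get("/mo", "1")  # schtasks defaults the modifier to 1 when omitted
    frequent = a.get("/sc", "").lower() == "minute" and mo.isdigit() and int(mo) <= 5
    target = norm(a.get("/tr", "").strip('"'))
    return frequent and any(d in target for d in USER_WRITABLE)


def startup_drop(path: str) -> bool:
    """Executable-type file written into the per-user Startup folder."""
    p = norm(path)
    return STARTUP_DIR in p and p.endswith((".exe", ".lnk", ".vbs", ".bat", ".cmd", ".js"))


def ngrok_c2(host: str) -> bool:
    """Destination is an ngrok TCP tunnel endpoint such as the report's 8.tcp.ngrok.io."""
    return bool(NGROK_TCP.match(host))


def analyze(events: list) -> list:
    """Return (pid, finding) tuples. A correlated finding is added when the same process
    both created the task (as parent of schtasks) and dropped into the Startup folder."""
    findings, task_parents, droppers = [], set(), set()
    for e in events:
        if (e["type"] == "process" and e["image"].lower().endswith("\\schtasks.exe")
                and suspicious_task(e["cmdline"])):
            findings.append((e["pid"], "schtasks: minute-interval task running from user-writable path"))
            task_parents.add(e["ppid"])
        elif e["type"] == "file" and startup_drop(e["path"]):
            findings.append((e["pid"], "executable written to Startup folder"))
            droppers.add(e["pid"])
        elif e["type"] == "network" and ngrok_c2(e["dst_host"]):
            findings.append((e["pid"], f"TCP to ngrok tunnel {e['dst_host']}:{e['dst_port']}"))
    for pid in task_parents & droppers:
        findings.append((pid, "same process set both scheduled-task and Startup persistence"))
    return findings


if __name__ == "__main__":
    for pid, msg in analyze(EVENTS):
        print(f"pid {pid}: {msg}")
```

Run stand-alone, it reports the schtasks event for PID 4360, the Startup drop and ngrok connection for PID 3956, and the correlated finding for 3956, while the constructed daily backup task stays silent. The path normalisation is the part worth keeping: any rule keyed on the literal string `\Temp\Server.exe` would miss the `Temp/Server.exe` form this sample actually used.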
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Server.exe.log
  MD5     ada37846cea22757d6153e65b720a367
  SHA1    d9c9e33987d095b32c364fe40dd6f054feaf7ea9
  SHA256  7daa4e8a6296b9e3df9669f6a574cbe481f2df9c751affbeb41a541173264520
  SHA512  592640e40ad0c6bcd8719f2cdbf828f2e322ad729c23ac3b44dd252a9c0b08d370a1cfcbcb9038cdffed0866ae4d2f8762c421f5e1a89c8d9273f482d9d2662f

- C:\Users\Admin\AppData\Local\Temp\Server.exe  (reported 3 times, identical hashes each time)
  MD5     a257fb9da7db9e80d787283985c8121c
  SHA1    2c5a07669e3f0e263b7e4eafe79241e03d2683a1
  SHA256  e53485cd1127d2af7d09d0e7d971f92d13ac910ec1124055868107fa9738648c
  SHA512  04cae19f1d1720f1e2ff8e88a89fea0bb4d40895968ab48588a3cedc6b0c3158430db9093c99a573eb4937bdb2e3d98c925c29c7226e8df46a8f49d491ac02c8

- C:\Users\Admin\AppData\Roaming\windows_update.exe  (reported 2 times, identical hashes each time)
  MD5     a257fb9da7db9e80d787283985c8121c
  SHA1    2c5a07669e3f0e263b7e4eafe79241e03d2683a1
  SHA256  e53485cd1127d2af7d09d0e7d971f92d13ac910ec1124055868107fa9738648c
  SHA512  04cae19f1d1720f1e2ff8e88a89fea0bb4d40895968ab48588a3cedc6b0c3158430db9093c99a573eb4937bdb2e3d98c925c29c7226e8df46a8f49d491ac02c8

Both dropped executables hash identically to the submitted sample (see General), so they are byte-for-byte self-copies rather than a second-stage payload; one set of hashes covers the whole chain. The CLR_v4.0\UsageLogs\Server.exe.log entry is written by the .NET Framework 4 runtime when a managed executable runs, which confirms Server.exe is a .NET assembly, as njRAT builds are.

Memory dumps (process-offset-range, filesize)
- memory/856-129   0x0000000000150000-0x0000000000158000  32KB
- memory/856-132   0x0000000000660000-0x0000000000662000  8KB
- memory/856-131   0x0000000000650000-0x0000000000662000  72KB
- memory/856-130   0x0000000000150000-0x0000000000158000  32KB
- memory/1836-138  0x000000001B550000-0x000000001B552000  8KB
- memory/1836-137  0x0000000000B10000-0x0000000000B22000  72KB
- memory/1836-136  0x0000000000620000-0x0000000000628000  32KB
- memory/1836-135  0x0000000000620000-0x0000000000628000  32KB
- memory/3604-116  0x0000000000F90000-0x0000000000F98000  32KB
- memory/3604-117  0x0000000003040000-0x0000000003052000  72KB
- memory/3604-118  0x000000001BB90000-0x000000001BB92000  8KB
- memory/3604-115  0x0000000000F90000-0x0000000000F98000  32KB
- memory/3956-125  0x0000000000EB0000-0x0000000000EB2000  8KB
- memory/3956-124  0x0000000000E50000-0x0000000000E62000  72KB
- memory/3956-123  0x0000000000750000-0x0000000000758000  32KB
- memory/3956-122  0x0000000000750000-0x0000000000758000  32KB
- memory/3956-119  0x0000000000000000  mapping.dmp
- memory/4360-126  0x0000000000000000  mapping.dmp

The same three region sizes (32KB, 72KB, 8KB) recur in every njRAT process (856, 1836, 3604, 3956), as expected for four instances of the same 25KB .NET executable.