Analysis
- max time kernel: 151s
- max time network: 152s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 07-01-2022 01:12
Behavioral task: behavioral1
- Sample: b93287f2b98af1aefebef7a4b46a689c.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: b93287f2b98af1aefebef7a4b46a689c.exe
- Resource: win10-en-20211208
General
- Target: b93287f2b98af1aefebef7a4b46a689c.exe
- Size: 43KB
- MD5: b93287f2b98af1aefebef7a4b46a689c
- SHA1: 1329369d122864910f735aa6b1740e85516806c1
- SHA256: bfa74e548efbc9dda9420f88bb84f6f23c034399a16df9093b6a27e33621e44b
- SHA512: 7fe3185f2c9f0b37f69f780fecb0ff8240116267249212b39371d4966453c6cd018f43b8690c06e5f3beb79a1a2103625e6bd408b284a066eef36c4d5111f067
Malware Config
Extracted
- Family: njrat
- Version: Njrat 0.7 Golden By Hassan Amiri
- Botnet: HacKed
- C2: 6.tcp.ngrok.io:15544
- Mutex: Windows Update
- reg_key: Windows Update
- splitter: |Hassan|
Signatures
-
Executes dropped EXE (3 IoCs)
Processes: dllhost.exe, Server.exe, Server.exe
- pid 924: dllhost.exe
- pid 1220: Server.exe
- pid 2572: Server.exe
-
Drops startup file (2 IoCs)
Processes: dllhost.exe
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update.exe (process: dllhost.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update.exe (process: dllhost.exe)
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: dllhost.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dllhost.exe\" .." (process: dllhost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dllhost.exe\" .." (process: dllhost.exe)
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: b93287f2b98af1aefebef7a4b46a689c.exe, dllhost.exe
- pid 1108: b93287f2b98af1aefebef7a4b46a689c.exe
- pid 924: dllhost.exe
-
Suspicious use of AdjustPrivilegeToken (31 IoCs)
Processes: dllhost.exe
- Token: SeDebugPrivilege (pid 924, dllhost.exe)
- Token: 33 (pid 924, dllhost.exe), alternating with the next entry, 15 times each
- Token: SeIncBasePriorityPrivilege (pid 924, dllhost.exe)
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: b93287f2b98af1aefebef7a4b46a689c.exe, dllhost.exe
- PID 1108 (b93287f2b98af1aefebef7a4b46a689c.exe) wrote to memory of 924 (dllhost.exe), 3 entries
- PID 924 (dllhost.exe) wrote to memory of 1868 (schtasks.exe), 3 entries
Processes
-
C:\Users\Admin\AppData\Local\Temp\b93287f2b98af1aefebef7a4b46a689c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b93287f2b98af1aefebef7a4b46a689c.exe"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\dllhost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
      - Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\Server.exe
  Command line: C:\Users\Admin\AppData\Local\Temp/Server.exe
  - Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Server.exe
  Command line: C:\Users\Admin\AppData\Local\Temp/Server.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Server.exe.log
- MD5: 7ad3ed2af1de925a18f2d8cb0ea3fddc
- SHA1: 725c8ea78d0493d127493a36c60b359affddcfca
- SHA256: e32faf8019c289b7fe1ba6db31a6ccc2aaed75953b5953f8f24a6a08cba1f795
- SHA512: eb423180b7925a62e19f1d612ea007cc4961394a426aac44fc9a4d9085e05ec1686842d8f0eab67c262416caff42b8fe812f6dc3d86372168f262d9bf577ead2
-
C:\Users\Admin\AppData\Local\Temp\Server.exe
- MD5: b93287f2b98af1aefebef7a4b46a689c
- SHA1: 1329369d122864910f735aa6b1740e85516806c1
- SHA256: bfa74e548efbc9dda9420f88bb84f6f23c034399a16df9093b6a27e33621e44b
- SHA512: 7fe3185f2c9f0b37f69f780fecb0ff8240116267249212b39371d4966453c6cd018f43b8690c06e5f3beb79a1a2103625e6bd408b284a066eef36c4d5111f067
-
C:\Users\Admin\AppData\Local\Temp\dllhost.exe
- MD5: b93287f2b98af1aefebef7a4b46a689c
- SHA1: 1329369d122864910f735aa6b1740e85516806c1
- SHA256: bfa74e548efbc9dda9420f88bb84f6f23c034399a16df9093b6a27e33621e44b
- SHA512: 7fe3185f2c9f0b37f69f780fecb0ff8240116267249212b39371d4966453c6cd018f43b8690c06e5f3beb79a1a2103625e6bd408b284a066eef36c4d5111f067
-
memory/924-116-0x0000000000000000-mapping.dmp
-
memory/924-119-0x0000000002940000-0x0000000002941000-memory.dmp (Filesize: 4KB)
-
memory/1108-115-0x0000000002AD0000-0x0000000002AD1000-memory.dmp (Filesize: 4KB)
-
memory/1220-123-0x0000000001920000-0x0000000001921000-memory.dmp (Filesize: 4KB)
-
memory/1868-120-0x0000000000000000-mapping.dmp
-
memory/2572-126-0x0000000001060000-0x0000000001061000-memory.dmp (Filesize: 4KB)