Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 23-01-2022 23:21
Behavioral task: behavioral1
- Sample: a525852c019588983cd5dfaf14ad6adb.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: a525852c019588983cd5dfaf14ad6adb.exe
- Resource: win10-en-20211208
General
- Target: a525852c019588983cd5dfaf14ad6adb.exe
- Size: 43KB
- MD5: a525852c019588983cd5dfaf14ad6adb
- SHA1: 3f42d19e1a1cca9ed6dfb5146e70bd3713d23bc4
- SHA256: bfeffd6642e3138ba6728ebda1c241d052c9add4f4b4a6a108104bc46656180a
- SHA512: 37362fd970df11ba79f4aa557d07f5729c8f1d6497367aaabf8e8d4bfb162601ba5071a76cad7c72d731cd54ed39b17fd054f9d6b54c5efd81dc9623cff2f619
Malware Config
Extracted
- Family: njrat
- Version: Njrat 0.7 Golden By Hassan Amiri
- Botnet: HacKed
- C2: 8.tcp.ngrok.io:11826
- Mutex: Windows Update
- reg_key: Windows Update
- splitter: |Hassan|
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  - 1248 Dllhost.exe
  - 1496 Server.exe
  - 1856 Server.exe
- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe (Dllhost.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe (Dllhost.exe)
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
  - 1668 a525852c019588983cd5dfaf14ad6adb.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\ProgramData\\Dllhost.exe\" .." (Dllhost.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\ProgramData\\Dllhost.exe\" .." (Dllhost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes (pid, process):
  - 1668 a525852c019588983cd5dfaf14ad6adb.exe
  - 1248 Dllhost.exe
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Processes (description, pid, process), all from Dllhost.exe (pid 1248):
  - Token: SeDebugPrivilege (1 occurrence)
  - Token: 33 (15 occurrences)
  - Token: SeIncBasePriorityPrivilege (15 occurrences)
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (description, pid, process, target process):
  - PID 1668 (a525852c019588983cd5dfaf14ad6adb.exe) wrote to memory of 1248 (Dllhost.exe), 4 times
  - PID 1248 (Dllhost.exe) wrote to memory of 1852 (schtasks.exe), 4 times
  - PID 1316 (taskeng.exe) wrote to memory of 1496 (Server.exe), 4 times
  - PID 1316 (taskeng.exe) wrote to memory of 1856 (Server.exe), 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\a525852c019588983cd5dfaf14ad6adb.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a525852c019588983cd5dfaf14ad6adb.exe"
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\Dllhost.exe (depth 2)
    Command line: "C:\ProgramData\Dllhost.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (depth 3)
      Command line: schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
      - Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe (depth 1)
  Command line: taskeng.exe {816F4E56-B116-4FCB-9A12-93F2F02B458C} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Server.exe (depth 2, first instance)
    Command line: C:\Users\Admin\AppData\Local\Temp/Server.exe
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\Server.exe (depth 2, second instance)
    Command line: C:\Users\Admin\AppData\Local\Temp/Server.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Dllhost.exe
  MD5: a525852c019588983cd5dfaf14ad6adb
  SHA1: 3f42d19e1a1cca9ed6dfb5146e70bd3713d23bc4
  SHA256: bfeffd6642e3138ba6728ebda1c241d052c9add4f4b4a6a108104bc46656180a
  SHA512: 37362fd970df11ba79f4aa557d07f5729c8f1d6497367aaabf8e8d4bfb162601ba5071a76cad7c72d731cd54ed39b17fd054f9d6b54c5efd81dc9623cff2f619
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  MD5: a525852c019588983cd5dfaf14ad6adb
  SHA1: 3f42d19e1a1cca9ed6dfb5146e70bd3713d23bc4
  SHA256: bfeffd6642e3138ba6728ebda1c241d052c9add4f4b4a6a108104bc46656180a
  SHA512: 37362fd970df11ba79f4aa557d07f5729c8f1d6497367aaabf8e8d4bfb162601ba5071a76cad7c72d731cd54ed39b17fd054f9d6b54c5efd81dc9623cff2f619
- \ProgramData\Dllhost.exe
  MD5: a525852c019588983cd5dfaf14ad6adb
  SHA1: 3f42d19e1a1cca9ed6dfb5146e70bd3713d23bc4
  SHA256: bfeffd6642e3138ba6728ebda1c241d052c9add4f4b4a6a108104bc46656180a
  SHA512: 37362fd970df11ba79f4aa557d07f5729c8f1d6497367aaabf8e8d4bfb162601ba5071a76cad7c72d731cd54ed39b17fd054f9d6b54c5efd81dc9623cff2f619
- memory/1248-60-0x0000000000D20000-0x0000000000D32000-memory.dmp (Filesize: 72KB)
- memory/1248-61-0x0000000004CB0000-0x0000000004CB1000-memory.dmp (Filesize: 4KB)
- memory/1496-65-0x00000000000A0000-0x00000000000B2000-memory.dmp (Filesize: 72KB)
- memory/1496-66-0x0000000004B60000-0x0000000004B61000-memory.dmp (Filesize: 4KB)
- memory/1668-54-0x00000000001C0000-0x00000000001D2000-memory.dmp (Filesize: 72KB)
- memory/1668-56-0x0000000075B51000-0x0000000075B53000-memory.dmp (Filesize: 8KB)
- memory/1668-55-0x0000000004660000-0x0000000004661000-memory.dmp (Filesize: 4KB)
- memory/1856-68-0x0000000000D10000-0x0000000000D22000-memory.dmp (Filesize: 72KB)
- memory/1856-69-0x0000000004D30000-0x0000000004D31000-memory.dmp (Filesize: 4KB)