Analysis
Max time kernel: 151s
Max time network: 151s
Platform: windows10_x64
Resource: win10-en-20211208
Submitted: 23-01-2022 23:21
Behavioral task behavioral1: Sample a525852c019588983cd5dfaf14ad6adb.exe, Resource win7-en-20211208
Behavioral task behavioral2: Sample a525852c019588983cd5dfaf14ad6adb.exe, Resource win10-en-20211208
(The platform and resource fields above identify this page as the behavioral2 run on Windows 10 x64.)
General
Target: a525852c019588983cd5dfaf14ad6adb.exe
Size: 43KB
MD5: a525852c019588983cd5dfaf14ad6adb
SHA1: 3f42d19e1a1cca9ed6dfb5146e70bd3713d23bc4
SHA256: bfeffd6642e3138ba6728ebda1c241d052c9add4f4b4a6a108104bc46656180a
SHA512: 37362fd970df11ba79f4aa557d07f5729c8f1d6497367aaabf8e8d4bfb162601ba5071a76cad7c72d731cd54ed39b17fd054f9d6b54c5efd81dc9623cff2f619
Malware Config
Extracted
Family: njrat
Version: Njrat 0.7 Golden By Hassan Amiri
Botnet: HacKed
C2: 8.tcp.ngrok.io:11826
Mutex: Windows Update
Attributes:
  reg_key: Windows Update
  splitter: |Hassan|
Notes: the C2 is an ngrok TCP tunnel endpoint, so the hostname/port pair is ephemeral and hides the operator's real address; treat the port number as a weak indicator and prefer the ngrok hostname pattern plus the behavioural artefacts below. The splitter is the field delimiter of the njRAT C2 protocol; the stock 0.7d build uses |'|'|, so this is a customised build, and the same string "Windows Update" is reused as mutex name and Run value name.
Signatures
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
Executes dropped EXE (3 IoCs)
  PID   Process
  1088  Dllhost.exe
  1888  Server.exe
  2088  Server.exe
Drops startup file (2 IoCs)
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe   (process: Dllhost.exe)
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe   (process: Dllhost.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\ProgramData\\Dllhost.exe\" .."   (process: Dllhost.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\ProgramData\\Dllhost.exe\" .."   (process: Dllhost.exe)
Notes: the value is written both per-user and machine-wide (the WOW6432Node path shows a 32-bit process writing HKLM), and the value data carries a trailing " .." argument, a long-standing njRAT hallmark that is useful to key on. A Run value named "Windows Update" pointing at C:\ProgramData\Dllhost.exe has no legitimate counterpart: the real dllhost.exe lives in System32/SysWOW64.
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Note: the sentence above is the sandbox's generic signature text. For njRAT this behaviour is consistent with its removable-drive spreading routine (copying itself to attached USB media) rather than ransomware; no file-encryption activity is reported elsewhere in this run.
Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Here the task is named "Server" and re-launches C:\Users\Admin\AppData\Local\Temp\Server.exe every minute (full command line in the process tree below), which is why Server.exe appears twice as a top-level process during the 151s run.
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  PID   Process
  3932  a525852c019588983cd5dfaf14ad6adb.exe
  1088  Dllhost.exe
  Note: repeated GetForegroundWindow polling is consistent with njRAT's keylogger, which records the active window title alongside keystrokes.
Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Process: Dllhost.exe (PID 1088)
  Token: SeDebugPrivilege                      x1
  Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege)  x15
  Token: SeIncBasePriorityPrivilege            x15
  (The sandbox logs the pair 33 / SeIncBasePriorityPrivilege fifteen times in alternation; the numeric entry is the unresolved privilege LUID.)
Suspicious use of WriteProcessMemory (6 IoCs)
  Source PID  Source process                          Target PID  Target process
  3932        a525852c019588983cd5dfaf14ad6adb.exe    1088        Dllhost.exe      (x3)
  1088        Dllhost.exe                              1952        schtasks.exe     (x3)
Processes
C:\Users\Admin\AppData\Local\Temp\a525852c019588983cd5dfaf14ad6adb.exe  (PID 3932)
  command line: "C:\Users\Admin\AppData\Local\Temp\a525852c019588983cd5dfaf14ad6adb.exe"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  C:\ProgramData\Dllhost.exe  (PID 1088, child of 3932)
    command line: "C:\ProgramData\Dllhost.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe  (PID 1952, child of 1088)
      command line: schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
      - Creates scheduled task(s)
C:\Users\Admin\AppData\Local\Temp\Server.exe  (top level; PIDs 1888 and 2088, two launches)
  command line: C:\Users\Admin\AppData\Local\Temp/Server.exe
  - Executes dropped EXE
  (Both Server.exe instances appear at the top level rather than under Dllhost.exe, consistent with being started by the Task Scheduler from the "Server" task; the mixed forward slash in the path is copied verbatim from the /tr argument.)
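The persistence chain recorded above (Run values under HKCU and HKLM\WOW6432Node, the Startup-folder drop, the minute-interval scheduled task, the masqueraded Dllhost.exe and the ngrok tunnel C2) as a detection pass over Sysmon-style telemetry. This is an added example written for this page, not part of the sandbox report or of the sandbox's own signatures. The events in SAMPLE_EVENTS are constructed from the report's values and are not real Sysmon output; the Sysmon field names are assumed, and MASQUERADE_NAMES is an assumed hunting list that generalises the Dllhost.exe case.

```python
"""Flag njRAT-style persistence in Sysmon-like events (added example; events constructed)."""
import ntpath
import re

# SHA256 of the submitted sample; the dropped Dllhost.exe and Server.exe carry the same hash
KNOWN_SHA256 = {"bfeffd6642e3138ba6728ebda1c241d052c9add4f4b4a6a108104bc46656180a": "njrat"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumed hunting list of system binary names that droppers borrow; Dllhost.exe is the one seen here
MASQUERADE_NAMES = {"dllhost.exe", "svchost.exe", "csrss.exe", "explorer.exe"}
RUN_KEY_RE = re.compile(r"\\software\\(?:wow6432node\\)?microsoft\\windows\\currentversion\\run\\", re.I)
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.exe$", re.I)
SCHTASKS_RE = re.compile(r"schtasks\s+/create\b.*\s/sc\s+minute\s+/mo\s+(\d+)\b.*\s/tr\s+(\S+)", re.I)
TUNNEL_HOST_RE = re.compile(r"\.tcp\.ngrok\.io$|\.ngrok-free\.app$", re.I)


def norm(path):
    """Lower-case, unquote and normalise slashes (the schtasks /tr value mixes them)."""
    return path.strip('"').replace("/", "\\").lower()


def user_writable(path):
    p = norm(path)
    return p.startswith("c:\\programdata\\") or "\\appdata\\" in p


def masquerading(image):
    """A system binary name executing outside System32/SysWOW64."""
    p = norm(image)
    return ntpath.basename(p) in MASQUERADE_NAMES and not p.startswith(SYSTEM_DIRS)


def run_value_target(details):
    """Executable path from REG_SZ data such as '"C:\\ProgramData\\Dllhost.exe" ..'."""
    return details.split('"')[1] if details.startswith('"') else details.split()[0]


def analyze(events):
    """Return (finding_kind, detail) tuples; one pass, one rule family per event type."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:  # process create
            for h in ev.get("Hashes", "").split(","):
                if h.startswith("SHA256=") and h[7:].lower() in KNOWN_SHA256:
                    findings.append(("known_hash", ev["Image"]))
            if masquerading(ev["Image"]):
                findings.append(("masquerade", ev["Image"]))
            m = SCHTASKS_RE.search(ev.get("CommandLine", ""))
            # a task firing every few minutes from a user-writable path is a relaunch loop
            if m and int(m.group(1)) <= 5 and user_writable(m.group(2)):
                findings.append(("schtasks_persistence", m.group(2)))
        elif eid == 3 and TUNNEL_HOST_RE.search(ev.get("DestinationHostname", "")):
            findings.append(("tunnelled_c2", f"{ev['DestinationHostname']}:{ev['DestinationPort']}"))
        elif eid == 11 and STARTUP_RE.search(ev["TargetFilename"]):
            findings.append(("startup_drop", ev["TargetFilename"]))
        elif eid == 13 and RUN_KEY_RE.search(ev["TargetObject"]):
            target = run_value_target(ev["Details"])
            if user_writable(target):  # Run value pointing into ProgramData/AppData
                findings.append(("run_key", target))
    return findings


def summarize(findings):
    counts = {}
    for kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp"
SID = "S-1-5-21-2361464256-2201551969-2316606395-1000"
SHA = "SHA256=BFEFFD6642E3138BA6728EBDA1C241D052C9ADD4F4B4A6A108104BC46656180A"
SAMPLE_EVENTS = [  # constructed from the report's process tree and signatures
    {"EventID": 1, "Image": TEMP + "\\a525852c019588983cd5dfaf14ad6adb.exe", "CommandLine": "", "Hashes": SHA},
    {"EventID": 1, "Image": "C:\\ProgramData\\Dllhost.exe", "CommandLine": "\"C:\\ProgramData\\Dllhost.exe\"",
     "Hashes": "MD5=A525852C019588983CD5DFAF14AD6ADB," + SHA},
    {"EventID": 13, "TargetObject": "\\REGISTRY\\USER\\" + SID + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Update",
     "Details": "\"C:\\ProgramData\\Dllhost.exe\" .."},
    {"EventID": 13, "TargetObject": "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Update",
     "Details": "\"C:\\ProgramData\\Dllhost.exe\" .."},
    {"EventID": 11, "TargetFilename": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Java update.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\SysWOW64\\schtasks.exe",
     "CommandLine": "schtasks /create /sc minute /mo 1 /tn Server /tr " + TEMP + "/Server.exe"},
    {"EventID": 3, "Image": "C:\\ProgramData\\Dllhost.exe", "DestinationHostname": "8.tcp.ngrok.io", "DestinationPort": 11826},
    # benign controls: the real dllhost.exe and a vendor updater under Program Files (constructed)
    {"EventID": 1, "Image": "C:\\Windows\\System32\\dllhost.exe", "CommandLine": "dllhost.exe"},
    {"EventID": 13, "TargetObject": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater",
     "Details": "\"C:\\Program Files\\Vendor\\Updater.exe\" /background"},
]

if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_EVENTS):
        print(f"{kind:22} {detail}")
```

Run stand-alone it prints eight findings (two known-hash hits, the masqueraded Dllhost.exe, both Run values, the Startup drop, the one-minute task and the ngrok connection) and nothing for the two benign control events. The hash rule is the brittle one: it only catches byte-identical copies, while the path, Run-value and schtasks rules hold for rebuilt njRAT samples with different hashes.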
Downloads
C:\ProgramData\Dllhost.exe  (listed twice in the original report, identical hashes)
  MD5: a525852c019588983cd5dfaf14ad6adb
  SHA1: 3f42d19e1a1cca9ed6dfb5146e70bd3713d23bc4
  SHA256: bfeffd6642e3138ba6728ebda1c241d052c9add4f4b4a6a108104bc46656180a
  SHA512: 37362fd970df11ba79f4aa557d07f5729c8f1d6497367aaabf8e8d4bfb162601ba5071a76cad7c72d731cd54ed39b17fd054f9d6b54c5efd81dc9623cff2f619
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Server.exe.log
  MD5: 0de4a673c46d192f575c41e7c80ffc3e
  SHA1: 7a1da7e8ec2efd904ecb237ebedd4d7a3ee826f1
  SHA256: c18d0ff8e7b83a8623a8515d91d65f68deef6da9f68d84886864177f45acbf65
  SHA512: b505619848b2f6038e68a2d7baaa4cf314d39023a5b7a32001262ecda03a905986ac8a45a249745e29637b0acfaba1ae06bfaecc678283a808e6f9f4b455e209
C:\Users\Admin\AppData\Local\Temp\Server.exe  (listed three times in the original report, identical hashes)
  MD5: a525852c019588983cd5dfaf14ad6adb
  SHA1: 3f42d19e1a1cca9ed6dfb5146e70bd3713d23bc4
  SHA256: bfeffd6642e3138ba6728ebda1c241d052c9add4f4b4a6a108104bc46656180a
  SHA512: 37362fd970df11ba79f4aa557d07f5729c8f1d6497367aaabf8e8d4bfb162601ba5071a76cad7c72d731cd54ed39b17fd054f9d6b54c5efd81dc9623cff2f619
Notes: Dllhost.exe and Server.exe hash identically to the submitted sample, i.e. the dropper copies itself to C:\ProgramData and %TEMP% rather than unpacking a second-stage payload, so the sample's hashes cover all three files. The CLR_v4.0_32 usage log is written by the .NET Framework 4.x runtime for a 32-bit process, which matches njRAT being a .NET binary and the WOW6432Node registry write above.
Memory dumps
  Dump              Region                                   Size
  memory/3932-115   0x00000000008D0000-0x00000000008E2000    72KB
  memory/3932-116   0x0000000005260000-0x00000000052FC000    624KB
  memory/3932-117   0x0000000005AD0000-0x0000000005FCE000    5.0MB
  memory/3932-118   0x0000000005670000-0x0000000005702000    584KB
  memory/3932-119   0x00000000054C0000-0x00000000054C1000    4KB
  memory/1088-122   0x00000000059C0000-0x00000000059C1000    4KB
  memory/1088-123   0x00000000058B0000-0x00000000058BA000    40KB
  memory/1088-124   0x0000000005E80000-0x0000000005EE6000    408KB
  memory/1088-125   0x00000000060B0000-0x00000000060C8000    96KB
  memory/1888-128   0x0000000004C20000-0x0000000004CBC000    624KB
  memory/2088-131   0x0000000004EE0000-0x0000000004EE1000    4KB