Analysis
- max time kernel: 187s
- max time network: 198s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 08-05-2022 07:36
Static task: static1
Behavioral task: behavioral1
- Sample: 9047cdc0d2b4545510afd790a22a2b8ae80ffd93417fc9298c45ce19c9e6afac.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 9047cdc0d2b4545510afd790a22a2b8ae80ffd93417fc9298c45ce19c9e6afac.exe
- Resource: win10v2004-20220414-en
General
- Target: 9047cdc0d2b4545510afd790a22a2b8ae80ffd93417fc9298c45ce19c9e6afac.exe
- Size: 219KB
- MD5: d4b767364b44696a5f507c46359ba400
- SHA1: 94dafff404e1f36749a885de5614d7ef3741763d
- SHA256: 9047cdc0d2b4545510afd790a22a2b8ae80ffd93417fc9298c45ce19c9e6afac
- SHA512: 1fa0c8818a0c7cf00526a60e2705312f4bd31c73a9dc3e2993d051bc2f78a2f58db28ae0be017fac9c38bf620181fc97f4647fac2a9f97a4e163d16c9e07d1b4
Malware Config
Extracted
- njrat
- Njrat 0.7 Golden By Hassan Amiri
- system
- bozuksaatiniz.duckdns.org:1604
- Windows Update
- reg_key: Windows Update
- splitter: |Hassan|
Signatures
- Executes dropped EXE (1 IoC)
  Processes: pid 1708 systemupdate.exe
- Drops startup file (2 IoCs)
  Processes (systemupdate.exe):
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update.exe
- Loads dropped DLL (1 IoC)
  Processes: pid 992 9047cdc0d2b4545510afd790a22a2b8ae80ffd93417fc9298c45ce19c9e6afac.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (systemupdate.exe):
  Set value (str): \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\systemupdate.exe\" .."
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\systemupdate.exe\" .."
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: pid 1708 systemupdate.exe
- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  Processes (systemupdate.exe, pid 1708), tokens in order: SeDebugPrivilege, 33, SeIncBasePriorityPrivilege, 33, SeIncBasePriorityPrivilege, 33, SeIncBasePriorityPrivilege, 33, SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: PID 992 (9047cdc0d2b4545510afd790a22a2b8ae80ffd93417fc9298c45ce19c9e6afac.exe) wrote to memory of PID 1708 (systemupdate.exe), 7 events
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\9047cdc0d2b4545510afd790a22a2b8ae80ffd93417fc9298c45ce19c9e6afac.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9047cdc0d2b4545510afd790a22a2b8ae80ffd93417fc9298c45ce19c9e6afac.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Depth 2: C:\Users\Admin\AppData\Local\Temp\systemupdate.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\systemupdate.exe"
  - Executes dropped EXE
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\systemupdate.exe
  Filesize: 219KB
  MD5: d4b767364b44696a5f507c46359ba400
  SHA1: 94dafff404e1f36749a885de5614d7ef3741763d
  SHA256: 9047cdc0d2b4545510afd790a22a2b8ae80ffd93417fc9298c45ce19c9e6afac
  SHA512: 1fa0c8818a0c7cf00526a60e2705312f4bd31c73a9dc3e2993d051bc2f78a2f58db28ae0be017fac9c38bf620181fc97f4647fac2a9f97a4e163d16c9e07d1b4
  (the same file, with identical size and hashes, is also listed as \Users\Admin\AppData\Local\Temp\systemupdate.exe)
- memory/992-54-0x0000000000CD0000-0x0000000000D0E000-memory.dmp: Filesize 248KB
- memory/992-55-0x00000000002A0000-0x00000000002A6000-memory.dmp: Filesize 24KB
- memory/992-56-0x00000000002B0000-0x00000000002C2000-memory.dmp: Filesize 72KB
- memory/992-57-0x0000000075EF1000-0x0000000075EF3000-memory.dmp: Filesize 8KB
- memory/1708-59-0x0000000000000000-mapping.dmp
- memory/1708-62-0x00000000010C0000-0x00000000010FE000-memory.dmp: Filesize 248KB