Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 19-05-2022 06:21
Behavioral task behavioral1
- Sample: 8A8C9E7B5E9ED6E2C7D66DC768A8702073263730FACC8.exe
- Resource: win7-20220414-en
Behavioral task behavioral2
- Sample: 8A8C9E7B5E9ED6E2C7D66DC768A8702073263730FACC8.exe
- Resource: win10v2004-20220414-en
General
- Target: 8A8C9E7B5E9ED6E2C7D66DC768A8702073263730FACC8.exe
- Size: 43KB
- MD5: 3b55809e2326045149325b153cbeef00
- SHA1: 0df1e0201205eba38ace968587ee43421e902857
- SHA256: 8a8c9e7b5e9ed6e2c7d66dc768a8702073263730facc85095919727220e2a436
- SHA512: 38cf449b20dccec6c78d0cbeb3f5a8868b7e5cb9f0a7175473c4cf137187a937c74df7852d7aebb8dde51151bae07036023af1bfc3b4f45487d96719f015b26e
Malware Config
Extracted
- family: njrat
- version string: Njrat 0.7 Golden By Hassan Amiri
- topher (unlabeled field in the extracted config)
- C2: eses46.noip.me:1605
- Windows Update (unlabeled field in the extracted config)
- reg_key: Windows Update
- splitter: |Hassan|
Notes: eses46.noip.me is a No-IP dynamic-DNS name, so the address it resolves to can change between runs; pivot on the hostname, the port and the beacon format rather than on an IP. The reg_key value "Windows Update" is the name of the Run value the sample writes (see Signatures). The splitter |Hassan| is not the stock njRAT 0.7d value (|'|'|), which together with the version string marks this as a modified "Golden" build; any content rule that hard-codes the stock splitter will miss it.
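How the extracted splitter and the "ll" registration beacon feed network detection, as an added example that is not code from the report or from njRAT itself. It assumes the wire framing used by njRAT 0.7-era clients (an ASCII decimal payload length, one NUL byte, then the payload with fields joined by the builder-configured splitter, the first field being the command and "ll" being the registration beacon the ET signature is named after); the fields after the command are placeholders, and the sample stream is constructed, not captured from this run.

```python
"""Frame-level detector for njRAT's 'll' registration beacon.

Added example, not code from the report or from njRAT. Assumed wire format:
ASCII decimal payload length, a NUL byte, then the payload whose fields are
joined by the builder-configured splitter. This sample's extracted splitter
is '|Hassan|'; the stock 0.7d default is "|'|'|". Traffic below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Sequence, Tuple

DEFAULT_SPLITTER = "|'|'|"      # stock njRAT 0.7d builder default
SAMPLE_SPLITTER = "|Hassan|"    # value extracted from this sample's config
FRAME_HDR = re.compile(rb"(\d{1,8})\x00")


@dataclass
class Frame:
    declared_len: int
    payload: bytes
    truncated: bool        # declared length ran past the end of the data


def build_frame(fields: Sequence[str], splitter: str) -> bytes:
    """Encode one frame the way the client does (used here to fabricate traffic)."""
    payload = splitter.join(fields).encode("utf-8")
    return str(len(payload)).encode() + b"\x00" + payload


def iter_frames(stream: bytes) -> Iterator[Frame]:
    """Yield length-prefixed frames from one direction of a TCP stream.

    Stops at the first byte that does not start a '<digits>\\x00' header, so
    unrelated traffic that merely contains a splitter string is never split.
    """
    pos = 0
    while pos < len(stream):
        m = FRAME_HDR.match(stream, pos)
        if m is None:
            return
        n = int(m.group(1))
        start = m.end()
        payload = stream[start:start + n]
        yield Frame(n, payload, truncated=len(payload) < n)
        pos = start + n


def split_fields(payload: bytes, splitters: Sequence[str]) -> Optional[Tuple[str, List[str]]]:
    """Split on the first configured splitter present; None if none occurs."""
    text = payload.decode("utf-8", errors="replace")
    for sp in splitters:
        if sp in text:
            return sp, text.split(sp)
    return None


def find_ll_beacons(stream: bytes,
                    splitters: Sequence[str] = (SAMPLE_SPLITTER, DEFAULT_SPLITTER)) -> List[dict]:
    """Return one record per complete frame whose command field is 'll'."""
    hits: List[dict] = []
    for fr in iter_frames(stream):
        if fr.truncated:
            continue            # wait for reassembly; never match a partial frame
        parsed = split_fields(fr.payload, splitters)
        if parsed is None:
            continue
        splitter, fields = parsed
        if fields[0] == "ll":
            hits.append({"splitter": splitter, "field_count": len(fields), "fields": fields})
    return hits


# Constructed sample stream: a beacon using this sample's splitter, a non-'ll'
# frame, a beacon from a stock build, then unrelated bytes. Field values after
# the command are placeholders (the base64 blobs are made-up victim IDs).
SAMPLE_STREAM = (
    build_frame(["ll", "SGFjS2VkXzEyMzQ1", "WIN7-PC", "Admin", "0.7d", ".."], SAMPLE_SPLITTER)
    + build_frame(["inf", "x"], SAMPLE_SPLITTER)
    + build_frame(["ll", "SGFjS2VkXzk5OQ==", "HOST2"], DEFAULT_SPLITTER)
    + b"GET / HTTP/1.1\r\n"
)

if __name__ == "__main__":
    for hit in find_ll_beacons(SAMPLE_STREAM):
        print(hit["splitter"], hit["field_count"], hit["fields"][0])
```

The detector keys on the framing and the command token, not on a fixed splitter, so a renamed splitter such as |Hassan| does not evade it; the report shows the generic ET rule also fired for this build. Truncated frames are deliberately skipped rather than matched, since a partial payload can make any prefix look like a command.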
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) (listed twice in the report)
- Executes dropped EXE (1 IoC)
  pid 1320 Dllhost.exe
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe (by Dllhost.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe (by Dllhost.exe)
- Loads dropped DLL (1 IoC)
  pid 948 8A8C9E7B5E9ED6E2C7D66DC768A8702073263730FACC8.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Dllhost.exe\" .." (by Dllhost.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Dllhost.exe\" .." (by Dllhost.exe)
  The value name is the reg_key from the extracted config. The same entry is written under both the machine hive (a 32-bit process on x64, hence the Wow6432Node redirection; this write succeeds only because the sandbox user is an administrator) and the user's own hive, and the command line carries the trailing " .." argument njRAT passes to its persistence copy, which is a cheap pivot when hunting across Run values.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "Likely ransomware behaviour", but nothing else in the report supports that here: no file encryption or ransom notes are recorded, and for a RAT drive enumeration is the routine precursor to removable-media spreading or file browsing on the operator's behalf.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1320 Dllhost.exe
  Repeated GetForegroundWindow calls are consistent with a RAT polling the active window title for reporting to its operator.
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  pid 1320 Dllhost.exe enables SeDebugPrivilege once, then nine alternating pairs of privilege LUID 33 (SeIncreaseWorkingSetPrivilege) and SeIncBasePriorityPrivilege.
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 948 (8A8C9E7B5E9ED6E2C7D66DC768A8702073263730FACC8.exe) wrote to memory of PID 1320 (Dllhost.exe), four times.
  Dllhost.exe carries the same hashes as the submitted sample (see Downloads), so this is the sample copying itself to %TEMP% and relaunching, not injection into a third-party process.
Processes
- C:\Users\Admin\AppData\Local\Temp\8A8C9E7B5E9ED6E2C7D66DC768A8702073263730FACC8.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8A8C9E7B5E9ED6E2C7D66DC768A8702073263730FACC8.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Dllhost.exe (child of the process above)
    command line: "C:\Users\Admin\AppData\Local\Temp\Dllhost.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
The dropped copy borrows the name of the legitimate COM Surrogate binary (%SystemRoot%\System32\dllhost.exe) but runs from %TEMP%; the path, not the name, is what to check.
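The persistence pattern the report records (a Run value under both the Wow6432Node machine hive and the user hive pointing into %TEMP%, the trailing " .." argument, an .exe dropped into the Startup folder, and a system binary name reused outside the Windows directory) as host-side detection logic, written as an added example that is not code from the report or from the sandbox vendor. The Event shape is a simplified Sysmon-like record; the four sample events are constructed to mirror the report's registry and file IoCs, with one benign Run entry as a control, and the rule names are mine.

```python
"""Score registry and file events for the njRAT persistence pattern above.

Added example; the Event shape and the events below are constructed in a
Sysmon-like form to mirror this report's IoCs, not taken from its raw logs.
"""
import re
from dataclasses import dataclass
from typing import List

RUN_KEY = re.compile(r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
USER_WRITABLE = re.compile(r"\\(?:AppData\\Local\\Temp|AppData\\Roaming|AppData\\Local|Users\\Public)\\", re.I)
WINDOWS_DIR = re.compile(r"^[a-z]:\\Windows\\", re.I)
# names of Windows system binaries that malware commonly borrows (dllhost.exe is the one used here)
SYSTEM_NAMES = {"dllhost.exe", "svchost.exe", "csrss.exe", "conhost.exe"}


@dataclass
class Event:
    kind: str            # "reg_set" | "file_create"
    image: str           # full path of the writing process
    target: str          # registry value path or created file path
    data: str = ""       # registry value data (reg_set only)


@dataclass
class Finding:
    rule: str
    event: Event


def exe_from_command(cmd: str) -> str:
    """Executable path from a Run value: the quoted path, else the first token."""
    m = re.match(r'\s*"([^"]+)"', cmd)
    return m.group(1) if m else cmd.strip().split(" ", 1)[0]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events: List[Event]) -> List[Finding]:
    """Apply the four persistence rules; one Finding per rule per event."""
    out: List[Finding] = []
    for ev in events:
        if ev.kind == "reg_set" and RUN_KEY.search(ev.target):
            exe = exe_from_command(ev.data)
            if USER_WRITABLE.search(exe):
                out.append(Finding("run_key_points_to_user_writable_dir", ev))
            if ev.data.rstrip().endswith(" .."):       # the ' ..' argument seen in this report
                out.append(Finding("run_value_ends_with_dotdot_arg", ev))
        if ev.kind == "file_create" and STARTUP_DIR.search(ev.target) and basename(ev.target).endswith(".exe"):
            out.append(Finding("exe_dropped_in_startup_folder", ev))
        # a system binary name living anywhere but under the Windows directory
        for p in (ev.image, ev.target if ev.kind == "file_create" else ""):
            if p and basename(p) in SYSTEM_NAMES and not WINDOWS_DIR.match(p):
                out.append(Finding("system_binary_name_outside_windows_dir", ev))
                break       # count once per event even if image and target both match
    return out


TEMP_DROP = r"C:\Users\Admin\AppData\Local\Temp\Dllhost.exe"
# Constructed events mirroring the report, plus one benign control entry.
SAMPLE_EVENTS = [
    Event("reg_set", TEMP_DROP,
          r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update",
          f'"{TEMP_DROP}" ..'),
    Event("reg_set", TEMP_DROP,
          r"\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update",
          f'"{TEMP_DROP}" ..'),
    Event("file_create", TEMP_DROP,
          r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe"),
    Event("reg_set", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
          r"\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
          r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f.rule, "<-", f.event.target)
```

Each rule is weak on its own (plenty of legitimate software registers a Run value from AppData), so treat a single hit as context and page on the combination: the " .." argument plus a user-writable path plus a Startup-folder drop from the same image is the shape this report shows.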
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Dllhost.exe (also listed as \Users\Admin\AppData\Local\Temp\Dllhost.exe; the report repeats this entry three times)
  Filesize: 43KB
  MD5: 3b55809e2326045149325b153cbeef00
  SHA1: 0df1e0201205eba38ace968587ee43421e902857
  SHA256: 8a8c9e7b5e9ed6e2c7d66dc768a8702073263730facc85095919727220e2a436
  SHA512: 38cf449b20dccec6c78d0cbeb3f5a8868b7e5cb9f0a7175473c4cf137187a937c74df7852d7aebb8dde51151bae07036023af1bfc3b4f45487d96719f015b26e
  The hashes are identical to the submitted sample's (see General): the dropped file is a byte-for-byte self-copy, so the four hashes above cover both artifacts.
- memory/948-54-0x0000000074F21000-0x0000000074F23000-memory.dmp, Filesize 8KB
- memory/948-55-0x0000000074290000-0x000000007483B000-memory.dmp, Filesize 5.7MB
- memory/1320-57-0x0000000000000000-mapping.dmp
- memory/1320-61-0x0000000074290000-0x000000007483B000-memory.dmp, Filesize 5.7MB
  The same 5.7MB region at 0x74290000 is dumped from both pid 948 and pid 1320, consistent with both processes loading the same module set.