Analysis
- max time kernel: 150s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 21:45
Behavioral task: behavioral1
- Sample: 7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe
- Resource: win10v2004-20220414-en
General
- Target: 7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe
- Size: 43KB
- MD5: b52b066ef534b240de3eb73cf67b7963
- SHA1: 4e3e84e546d30a8fc1c2d89e68559110a3a65b2b
- SHA256: 7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2
- SHA512: d87d044384f3ff53f2d3f56d6e796d11f767f1d20697d826c3ef91a0ba082c0ab8ba159cf023080b85e0fcf5564870828cd02e19d5185d57de1c5b545593e469
Malware Config
Extracted family: njrat
- Version: Njrat 0.7 Golden By Hassan Amiri
- Botnet: HacKed
- C2: 127.0.0.1:5552
- Mutex: Windows Update
- Attributes:
  - reg_key: Windows Update
  - splitter: |Hassan|
Signatures
- Drops startup file (2 IoCs)
  Process: 7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: 7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe\" .."
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe\" .."
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: 7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe (pid 1280)
- Suspicious use of AdjustPrivilegeToken (21 IoCs)
  Process: 7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe (pid 1280)
  - Token: SeDebugPrivilege (1 time)
  - Token: 33 (10 times, alternating with the entry below)
  - Token: SeIncBasePriorityPrivilege (10 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe"
  Signatures:
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken