Analysis
- max time kernel: 143s
- max time network: 140s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 22:02
Behavioral task: behavioral1
- Sample: 0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe
- Resource: win7-20220414-en
General
- Target: 0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe
- Size: 43KB
- MD5: c54e7c59801c9511c895bdaf7785606f
- SHA1: cab96e75aae14048b13a6329013d719bc0b8a7dc
- SHA256: 0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68
- SHA512: 196ffad44fdb6330867d6731c36dc2aa326cb056099744ad0e2b496a6c2c6050a19acdb4838616daa3cd2a0702c66a505c09dd56456120a209a050c6d6ca9f33
Malware Config
Extracted: njrat
- Njrat 0.7 Golden By Hassan Amiri
- HacKed
- 109.252.122.56:1601
- Windows Update
- reg_key: Windows Update
- splitter: |Hassan|
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - 580 Server.exe
  - 1492 Server.exe
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid, process):
  - 2024 0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Processes (description, pid, process); every row is pid 2024, 0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe:
  - Token: SeDebugPrivilege
  - Token: 33
  - Token: SeIncBasePriorityPrivilege
  - Token: 33
  - Token: SeIncBasePriorityPrivilege
  - Token: 33
  - Token: SeIncBasePriorityPrivilege
  - Token: 33
  - Token: SeIncBasePriorityPrivilege
  - Token: 33
  - Token: SeIncBasePriorityPrivilege
  - Token: 33
  - Token: SeIncBasePriorityPrivilege
  - Token: 33
  - Token: SeIncBasePriorityPrivilege
  - Token: 33
  - Token: SeIncBasePriorityPrivilege
  - Token: 33
  - Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  - PID 2024 wrote to memory of 1440, 2024, 0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe, schtasks.exe
  - PID 2024 wrote to memory of 1440, 2024, 0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe, schtasks.exe
  - PID 2024 wrote to memory of 1440, 2024, 0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe, schtasks.exe
  - PID 2024 wrote to memory of 1440, 2024, 0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe, schtasks.exe
  - PID 1000 wrote to memory of 580, 1000, taskeng.exe, Server.exe
  - PID 1000 wrote to memory of 580, 1000, taskeng.exe, Server.exe
  - PID 1000 wrote to memory of 580, 1000, taskeng.exe, Server.exe
  - PID 1000 wrote to memory of 580, 1000, taskeng.exe, Server.exe
  - PID 1000 wrote to memory of 1492, 1000, taskeng.exe, Server.exe
  - PID 1000 wrote to memory of 1492, 1000, taskeng.exe, Server.exe
  - PID 1000 wrote to memory of 1492, 1000, taskeng.exe, Server.exe
  - PID 1000 wrote to memory of 1492, 1000, taskeng.exe, Server.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
    - Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {72DE8DF7-F9A7-4E8F-B795-C0B593225DD9} S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Server.exe
    Command line: C:\Users\Admin\AppData\Local\Temp/Server.exe
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\Server.exe
    Command line: C:\Users\Admin\AppData\Local\Temp/Server.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\Server.exe (same hashes as the submitted sample)
  Filesize: 43KB
  MD5: c54e7c59801c9511c895bdaf7785606f
  SHA1: cab96e75aae14048b13a6329013d719bc0b8a7dc
  SHA256: 0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68
  SHA512: 196ffad44fdb6330867d6731c36dc2aa326cb056099744ad0e2b496a6c2c6050a19acdb4838616daa3cd2a0702c66a505c09dd56456120a209a050c6d6ca9f33
- memory/580-58-0x0000000000000000-mapping.dmp
- memory/580-60-0x0000000000E00000-0x0000000000E12000-memory.dmp
  Filesize: 72KB
- memory/1440-55-0x0000000000000000-mapping.dmp
- memory/1492-61-0x0000000000000000-mapping.dmp
- memory/1492-63-0x0000000000E90000-0x0000000000EA2000-memory.dmp
  Filesize: 72KB
- memory/2024-54-0x00000000013C0000-0x00000000013D2000-memory.dmp
  Filesize: 72KB
- memory/2024-56-0x0000000076011000-0x0000000076013000-memory.dmp
  Filesize: 8KB