Analysis
Max time kernel: 150s
Max time network: 50s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 20-05-2022 03:43
Static task: static1
Behavioral task: behavioral1
  Sample: 078e63578cd61942f85311134a4edf3978070b26577b612ffc4ef1de2a179615.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 078e63578cd61942f85311134a4edf3978070b26577b612ffc4ef1de2a179615.exe
  Resource: win10v2004-20220414-en
General
Target: 078e63578cd61942f85311134a4edf3978070b26577b612ffc4ef1de2a179615.exe
Size: 350KB
MD5: 5d06ee3b0572ce04a5e53e25233dc693
SHA1: 0aad02d7f40c706876c82bec8a2b67a1b81b678c
SHA256: 078e63578cd61942f85311134a4edf3978070b26577b612ffc4ef1de2a179615
SHA512: 7ac400882991331e077af57cad5ebdd7d0614c5c1f24ca397865a9f80c3bfe8d4f68e0a00ca807a05196a0d1acef95f3fce0cc2d4efe8e9a21e9f71e61415787
Malware Config
Extracted: njrat
  Njrat 0.7 Golden By Hassan Amiri
  hack
  gazik500.ddns.net:4444
  Windows Update
  reg_key: Windows Update
  splitter: |Hassan|
Signatures

Executes dropped EXE (3 IoCs)
  PID | Process
  948 | Dannie.exe
  1692 | server.exe
  1936 | svchost.exe

Drops startup file (2 IoCs)
  Description | IoC | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | svchost.exe

Loads dropped DLL (3 IoCs)
  PID | Process
  1904 | 078e63578cd61942f85311134a4edf3978070b26577b612ffc4ef1de2a179615.exe
  948 | Dannie.exe
  1692 | server.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Description | IoC | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .." | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .." | svchost.exe

Drops file in Program Files directory (6 IoCs)
  Description | IoC | Process
  File opened for modification | C:\Program Files (x86)\d; | Dannie.exe
  File created | C:\Program Files (x86)\d;\__tmp_rar_sfx_access_check_7079044 | Dannie.exe
  File created | C:\Program Files (x86)\d;\11.jpg | Dannie.exe
  File opened for modification | C:\Program Files (x86)\d;\11.jpg | Dannie.exe
  File created | C:\Program Files (x86)\d;\Server.exe | Dannie.exe
  File opened for modification | C:\Program Files (x86)\d;\Server.exe | Dannie.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  PID | Process
  1936 | svchost.exe

Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Description | PID | Process
  Token: SeDebugPrivilege | 1936 | svchost.exe
  Token: 33 | 1936 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 1936 | svchost.exe
  (the "Token: 33" and "Token: SeIncBasePriorityPrivilege" rows alternate 9 times in total, rows 2 to 19, all for PID 1936 svchost.exe)

Suspicious use of FindShellTrayWindow (2 IoCs)
  PID | Process
  2044 | DllHost.exe
  2044 | DllHost.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  Description | PID | Process | Target process
  PID 1904 wrote to memory of 948 | 1904 | 078e63578cd61942f85311134a4edf3978070b26577b612ffc4ef1de2a179615.exe | Dannie.exe (4 identical rows)
  PID 948 wrote to memory of 1692 | 948 | Dannie.exe | server.exe (4 identical rows)
  PID 1692 wrote to memory of 1936 | 1692 | server.exe | svchost.exe (4 identical rows)
Processes

C:\Users\Admin\AppData\Local\Temp\078e63578cd61942f85311134a4edf3978070b26577b612ffc4ef1de2a179615.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\078e63578cd61942f85311134a4edf3978070b26577b612ffc4ef1de2a179615.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Dannie.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Dannie.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\d;\server.exe
      Command line: "C:\Program Files (x86)\d;\server.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\svchost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
        - Executes dropped EXE
        - Drops startup file
        - Adds Run key to start application
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads