Analysis
max time kernel: 151s
max time network: 45s
platform: windows7_x64
resource: win7-20220414-en
submitted: 20-05-2022 04:25

Static task: static1

Behavioral task: behavioral1
Sample: 803a49f017316dba1cbb2f6ee455b14df6f90b519a44f573e64ade6c666133a3.exe
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: 803a49f017316dba1cbb2f6ee455b14df6f90b519a44f573e64ade6c666133a3.exe
Resource: win10v2004-20220414-en
General
Target: 803a49f017316dba1cbb2f6ee455b14df6f90b519a44f573e64ade6c666133a3.exe
Size: 25KB
MD5: 6885b91d3e5c45fd2055477d11803f9c
SHA1: 3ba4c6210e6354a3d12b9a28ec0d3132d75bb286
SHA256: 803a49f017316dba1cbb2f6ee455b14df6f90b519a44f573e64ade6c666133a3
SHA512: ef6989687d71736de385b6d162d92e8ea172fe4b4596e57532652425701bbdc48523e5bb418e39a7873f131d94235b6d505d9cfe32c8c484c6e9b4e1d603ad4a
Malware Config
Extracted
Family: njrat
Version: Njrat 0.7 Golden By Hassan Amiri
Botnet: HacKed
C2: 127.0.0.1:5552
Mutex: Windows Update
reg_key: Windows Update
splitter: |Hassan|
Signatures

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (2 IoCs)
Processes: rundll32.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_Classes\Local Settings | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | rundll32.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes: AcroRd32.exe
pid | process
1272 | AcroRd32.exe
1272 | AcroRd32.exe
1272 | AcroRd32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes: 803a49f017316dba1cbb2f6ee455b14df6f90b519a44f573e64ade6c666133a3.exe, rundll32.exe
description | pid | process | target process
PID 880 wrote to memory of 1304 | 880 | 803a49f017316dba1cbb2f6ee455b14df6f90b519a44f573e64ade6c666133a3.exe | rundll32.exe
PID 880 wrote to memory of 1304 | 880 | 803a49f017316dba1cbb2f6ee455b14df6f90b519a44f573e64ade6c666133a3.exe | rundll32.exe
PID 880 wrote to memory of 1304 | 880 | 803a49f017316dba1cbb2f6ee455b14df6f90b519a44f573e64ade6c666133a3.exe | rundll32.exe
PID 1304 wrote to memory of 1272 | 1304 | rundll32.exe | AcroRd32.exe
PID 1304 wrote to memory of 1272 | 1304 | rundll32.exe | AcroRd32.exe
PID 1304 wrote to memory of 1272 | 1304 | rundll32.exe | AcroRd32.exe
PID 1304 wrote to memory of 1272 | 1304 | rundll32.exe | AcroRd32.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\803a49f017316dba1cbb2f6ee455b14df6f90b519a44f573e64ade6c666133a3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\803a49f017316dba1cbb2f6ee455b14df6f90b519a44f573e64ade6c666133a3.exe"
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\chlen
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
         Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\chlen"
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\AppData\Roaming\chlen (identical hashes to the submitted sample)
Filesize: 25KB
MD5: 6885b91d3e5c45fd2055477d11803f9c
SHA1: 3ba4c6210e6354a3d12b9a28ec0d3132d75bb286
SHA256: 803a49f017316dba1cbb2f6ee455b14df6f90b519a44f573e64ade6c666133a3
SHA512: ef6989687d71736de385b6d162d92e8ea172fe4b4596e57532652425701bbdc48523e5bb418e39a7873f131d94235b6d505d9cfe32c8c484c6e9b4e1d603ad4a

memory/880-54-0x00000000003B0000-0x00000000003B8000-memory.dmp
Filesize: 32KB

memory/880-55-0x00000000001D0000-0x00000000001E2000-memory.dmp
Filesize: 72KB

memory/880-56-0x000007FEFB6E1000-0x000007FEFB6E3000-memory.dmp
Filesize: 8KB

memory/1272-60-0x0000000000000000-mapping.dmp

memory/1272-61-0x0000000075711000-0x0000000075713000-memory.dmp
Filesize: 8KB

memory/1304-57-0x0000000000000000-mapping.dmp