Analysis
- max time kernel: 182s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 04:15
Behavioral task: behavioral1
- Sample: db7e41ad958ee52cb6257330e55b25f8e9314d89719c78b524e8b76025d2252e.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: db7e41ad958ee52cb6257330e55b25f8e9314d89719c78b524e8b76025d2252e.exe
- Resource: win10v2004-20220414-en
General
- Target: db7e41ad958ee52cb6257330e55b25f8e9314d89719c78b524e8b76025d2252e.exe
- Size: 43KB
- MD5: 71152f3b9a20b6bdf15451f7fefceeb5
- SHA1: f1bfb4bbf23866b97cee0fb39895f365377003e9
- SHA256: db7e41ad958ee52cb6257330e55b25f8e9314d89719c78b524e8b76025d2252e
- SHA512: 1efcb54168dd7abeefd5fd74147d86d8131ccb75c70b4c24673af88df4781577d31278ea8148ad061fc1177e5f9f71bdbc31e5528b7b5067ced19467bce36fb7
Malware Config
Extracted
- njrat
- Njrat 0.7 Golden By Hassan Amiri
- ???
- 127.0.0.1:6626
- Windows Update
- reg_key: Windows Update
- splitter: |Hassan|
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
  pid    process
  624    Dllhost.exe
  1488   Server.exe
  340    Server.exe
-
Drops startup file 2 IoCs
Processes:
  description                    ioc                                                                                           process
  File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe   Dllhost.exe
  File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe   Dllhost.exe
-
Loads dropped DLL 1 IoCs
Processes:
  pid    process
  1680   db7e41ad958ee52cb6257330e55b25f8e9314d89719c78b524e8b76025d2252e.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  description       ioc                                                                                                                                                        process
  Set value (str)   \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\Dllhost.exe\" .."   Dllhost.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\Dllhost.exe\" .."                                     Dllhost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid    process
  624    Dllhost.exe
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes:
  description                         pid    process
  Token: SeDebugPrivilege             624    Dllhost.exe
  Token: 33                           624    Dllhost.exe
  Token: SeIncBasePriorityPrivilege   624    Dllhost.exe
  Token: 33                           624    Dllhost.exe
  Token: SeIncBasePriorityPrivilege   624    Dllhost.exe
  Token: 33                           624    Dllhost.exe
  Token: SeIncBasePriorityPrivilege   624    Dllhost.exe
  Token: 33                           624    Dllhost.exe
  Token: SeIncBasePriorityPrivilege   624    Dllhost.exe
  Token: 33                           624    Dllhost.exe
  Token: SeIncBasePriorityPrivilege   624    Dllhost.exe
  Token: 33                           624    Dllhost.exe
  Token: SeIncBasePriorityPrivilege   624    Dllhost.exe
  Token: 33                           624    Dllhost.exe
  Token: SeIncBasePriorityPrivilege   624    Dllhost.exe
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
  description                        pid    process                                                                 target process
  PID 1680 wrote to memory of 624    1680   db7e41ad958ee52cb6257330e55b25f8e9314d89719c78b524e8b76025d2252e.exe   Dllhost.exe
  PID 1680 wrote to memory of 624    1680   db7e41ad958ee52cb6257330e55b25f8e9314d89719c78b524e8b76025d2252e.exe   Dllhost.exe
  PID 1680 wrote to memory of 624    1680   db7e41ad958ee52cb6257330e55b25f8e9314d89719c78b524e8b76025d2252e.exe   Dllhost.exe
  PID 1680 wrote to memory of 624    1680   db7e41ad958ee52cb6257330e55b25f8e9314d89719c78b524e8b76025d2252e.exe   Dllhost.exe
  PID 624 wrote to memory of 2024    624    Dllhost.exe                                                             schtasks.exe
  PID 624 wrote to memory of 2024    624    Dllhost.exe                                                             schtasks.exe
  PID 624 wrote to memory of 2024    624    Dllhost.exe                                                             schtasks.exe
  PID 624 wrote to memory of 2024    624    Dllhost.exe                                                             schtasks.exe
  PID 1120 wrote to memory of 1488   1120   taskeng.exe                                                             Server.exe
  PID 1120 wrote to memory of 1488   1120   taskeng.exe                                                             Server.exe
  PID 1120 wrote to memory of 1488   1120   taskeng.exe                                                             Server.exe
  PID 1120 wrote to memory of 1488   1120   taskeng.exe                                                             Server.exe
  PID 1120 wrote to memory of 340    1120   taskeng.exe                                                             Server.exe
  PID 1120 wrote to memory of 340    1120   taskeng.exe                                                             Server.exe
  PID 1120 wrote to memory of 340    1120   taskeng.exe                                                             Server.exe
  PID 1120 wrote to memory of 340    1120   taskeng.exe                                                             Server.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\db7e41ad958ee52cb6257330e55b25f8e9314d89719c78b524e8b76025d2252e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\db7e41ad958ee52cb6257330e55b25f8e9314d89719c78b524e8b76025d2252e.exe"
  Signatures:
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Users\Admin\AppData\Roaming\Dllhost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Dllhost.exe"
    Signatures:
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
      Signatures:
      - Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {71407404-F90B-44C5-BDD7-FFCA38B573B9} S-1-5-21-2277218442-1199762539-2004043321-1000:AUVQQRRF\Admin:Interactive:[1]
  Signatures:
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\Server.exe
    Command line: C:\Users\Admin\AppData\Local\Temp/Server.exe
    Signatures:
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\Server.exe
    Command line: C:\Users\Admin\AppData\Local\Temp/Server.exe
    Signatures:
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize: 43KB
MD5: 71152f3b9a20b6bdf15451f7fefceeb5
SHA1: f1bfb4bbf23866b97cee0fb39895f365377003e9
SHA256: db7e41ad958ee52cb6257330e55b25f8e9314d89719c78b524e8b76025d2252e
SHA512: 1efcb54168dd7abeefd5fd74147d86d8131ccb75c70b4c24673af88df4781577d31278ea8148ad061fc1177e5f9f71bdbc31e5528b7b5067ced19467bce36fb7
-
C:\Users\Admin\AppData\Roaming\Dllhost.exe
Filesize: 43KB
MD5: 71152f3b9a20b6bdf15451f7fefceeb5
SHA1: f1bfb4bbf23866b97cee0fb39895f365377003e9
SHA256: db7e41ad958ee52cb6257330e55b25f8e9314d89719c78b524e8b76025d2252e
SHA512: 1efcb54168dd7abeefd5fd74147d86d8131ccb75c70b4c24673af88df4781577d31278ea8148ad061fc1177e5f9f71bdbc31e5528b7b5067ced19467bce36fb7
-
\Users\Admin\AppData\Roaming\Dllhost.exe
Filesize: 43KB
MD5: 71152f3b9a20b6bdf15451f7fefceeb5
SHA1: f1bfb4bbf23866b97cee0fb39895f365377003e9
SHA256: db7e41ad958ee52cb6257330e55b25f8e9314d89719c78b524e8b76025d2252e
SHA512: 1efcb54168dd7abeefd5fd74147d86d8131ccb75c70b4c24673af88df4781577d31278ea8148ad061fc1177e5f9f71bdbc31e5528b7b5067ced19467bce36fb7
-
memory/340-71-0x0000000074B40000-0x00000000750EB000-memory.dmp
Filesize: 5.7MB
-
memory/340-68-0x0000000000000000-mapping.dmp
-
memory/624-61-0x0000000074B40000-0x00000000750EB000-memory.dmp
Filesize: 5.7MB
-
memory/624-57-0x0000000000000000-mapping.dmp
-
memory/1488-64-0x0000000000000000-mapping.dmp
-
memory/1488-67-0x0000000074B40000-0x00000000750EB000-memory.dmp
Filesize: 5.7MB
-
memory/1680-54-0x0000000075761000-0x0000000075763000-memory.dmp
Filesize: 8KB
-
memory/1680-55-0x0000000074B40000-0x00000000750EB000-memory.dmp
Filesize: 5.7MB
-
memory/2024-62-0x0000000000000000-mapping.dmp