Analysis
- max time kernel: 149s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 04:20
Behavioral task: behavioral1
- Sample: ad34adbfdf41932a8891f1209113c9cc5d7465214af85d1d9861d9bd11ef1014.exe
- Resource: win7-20220414-en
General
- Target: ad34adbfdf41932a8891f1209113c9cc5d7465214af85d1d9861d9bd11ef1014.exe
- Size: 43KB
- MD5: 0347c6dabe49d64b141bc6aebe418ff1
- SHA1: 8d5f90740453bf5c37df549cfeebea3cf5fe3bc0
- SHA256: ad34adbfdf41932a8891f1209113c9cc5d7465214af85d1d9861d9bd11ef1014
- SHA512: 725a07b4026712d1081bd8239d942f12cfe20b81c043496ba00af70275af4b38160dffd709bb35612d043afe2132afd220e918c4e3ba6c2bddde81cc58018a1c
Malware Config
Extracted: njrat
- version: Njrat 0.7 Golden By Hassan Amiri
- Hacker
- 127.0.0.1:3566
- Windows Update
- reg_key: Windows Update
- splitter: |Hassan|
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
  - pid 708: Server.exe
  - pid 576: Server.exe
- Drops startup file (2 IoCs)
  Processes (ad34adbfdf41932a8891f1209113c9cc5d7465214af85d1d9861d9bd11ef1014.exe):
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  - pid 880: ad34adbfdf41932a8891f1209113c9cc5d7465214af85d1d9861d9bd11ef1014.exe
- Suspicious use of AdjustPrivilegeToken (17 IoCs)
  Processes (pid 880, ad34adbfdf41932a8891f1209113c9cc5d7465214af85d1d9861d9bd11ef1014.exe):
  - Token: SeDebugPrivilege (1 event)
  - Token: 33 (8 events)
  - Token: SeIncBasePriorityPrivilege (8 events)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  - PID 880 (ad34adbfdf41932a8891f1209113c9cc5d7465214af85d1d9861d9bd11ef1014.exe) wrote to memory of PID 952 (schtasks.exe): 4 events
  - PID 1780 (taskeng.exe) wrote to memory of PID 708 (Server.exe): 4 events
  - PID 1780 (taskeng.exe) wrote to memory of PID 576 (Server.exe): 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\ad34adbfdf41932a8891f1209113c9cc5d7465214af85d1d9861d9bd11ef1014.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ad34adbfdf41932a8891f1209113c9cc5d7465214af85d1d9861d9bd11ef1014.exe"
  - Drops startup file
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (child)
    Command line: schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
    - Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {59B67502-0948-4D04-9FF2-10C699A95A89} S-1-5-21-1083475884-596052423-1669053738-1000:WYZSGDWS\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Server.exe (child)
    Command line: C:\Users\Admin\AppData\Local\Temp/Server.exe
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\Server.exe (child)
    Command line: C:\Users\Admin\AppData\Local\Temp/Server.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  - Filesize: 43KB
  - MD5: 0347c6dabe49d64b141bc6aebe418ff1
  - SHA1: 8d5f90740453bf5c37df549cfeebea3cf5fe3bc0
  - SHA256: ad34adbfdf41932a8891f1209113c9cc5d7465214af85d1d9861d9bd11ef1014
  - SHA512: 725a07b4026712d1081bd8239d942f12cfe20b81c043496ba00af70275af4b38160dffd709bb35612d043afe2132afd220e918c4e3ba6c2bddde81cc58018a1c
- memory/576-61-0x0000000000000000-mapping.dmp
- memory/708-58-0x0000000000000000-mapping.dmp
- memory/708-60-0x0000000000FF0000-0x0000000001002000-memory.dmp (Filesize: 72KB)
- memory/880-54-0x0000000000CA0000-0x0000000000CB2000-memory.dmp (Filesize: 72KB)
- memory/880-55-0x0000000075711000-0x0000000075713000-memory.dmp (Filesize: 8KB)
- memory/952-56-0x0000000000000000-mapping.dmp