Analysis
  max time kernel: 163s
  max time network: 61s
  platform: windows7_x64
  resource: win7-20220414-en
  submitted: 20-05-2022 04:40
Static task: static1
Behavioral task: behavioral1
  Sample: 14b4b5ec8401fca8783dacd24b368c25e3723de1bebad2f2589883f239e09176.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 14b4b5ec8401fca8783dacd24b368c25e3723de1bebad2f2589883f239e09176.exe
  Resource: win10v2004-20220414-en
General
  Target: 14b4b5ec8401fca8783dacd24b368c25e3723de1bebad2f2589883f239e09176.exe
  Size: 315KB
  MD5: e1ea40d6ef078ec64d2b20058637c247
  SHA1: 4647b7b0bd5ff4ce0ca902833ef34cf23a0ae163
  SHA256: 14b4b5ec8401fca8783dacd24b368c25e3723de1bebad2f2589883f239e09176
  SHA512: b3ad8e5366dc2be103c5737e68774022138ee3de3603c2a0071e385c8abda82a0fd44a975d3f9544e1f449750bb6d1b9af40cfdaf42285f4d05a7ea2642bcff9
Malware Config
Extracted
  Family: njrat
  Version string: Njrat 0.7 Golden By Hassan Amiri
  Campaign/botnet ID: HacKed
  C2: gazik500.ddns.net:4444
  Mutex: Windows Update  (this field is unlabelled in the report; "mutex" is inferred from njRAT's config layout, in which the same string serves as mutex and Run value name)
  reg_key: Windows Update
  splitter: |Hassan|
  (The C2 is a dynamic-DNS hostname on port 4444: block and hunt on the FQDN, not on whichever IP it resolved to on the day. The splitter is not the stock njRAT 0.7d value |'|'|, so network signatures written for the stock splitter will not match this build.)
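A network-side check derived from the config above, added here as an example and not code from the report or the sandbox. It assumes the classic njRAT wire framing, a decimal ASCII length followed by a NUL byte and the message body, with fields separated by the configured splitter. The report shows no traffic, so the framing is an assumption about the family rather than something observed in this run, and the sample stream and its field contents are constructed. The point it makes: a signature keyed on the stock njRAT splitter |'|'| does not fire on this build, whose splitter is |Hassan|.

```python
from typing import Iterator

# Splitter extracted from this sample's config; the stock njRAT 0.7d build uses "|'|'|".
SPLITTER = "|Hassan|"
DEFAULT_SPLITTER = "|'|'|"


def iter_frames(stream: bytes) -> Iterator[bytes]:
    """Yield message bodies from a byte stream framed as
    <decimal length><NUL><body>.  This is the framing classic njRAT uses;
    for this modded build it is an assumption, not something the report shows.
    A trailing incomplete frame is left unread rather than mis-parsed."""
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            return
        length_field = stream[pos:nul]
        if not length_field.isdigit():
            raise ValueError(f"bad length prefix at offset {pos}: {length_field!r}")
        length = int(length_field)
        end = nul + 1 + length
        if end > len(stream):
            return  # truncated frame: wait for more data
        yield stream[nul + 1:end]
        pos = end


def parse_frame(body: bytes, splitter: str = SPLITTER) -> list[str]:
    """Split one message body into fields on the configured splitter."""
    return body.decode("latin-1").split(splitter)


def scan_stream(stream: bytes, splitter: str = SPLITTER) -> list[dict]:
    """Return one record per frame that carries the splitter.  Bare
    single-field messages (keepalives) never contain it and are ignored."""
    hits = []
    for i, body in enumerate(iter_frames(stream)):
        fields = parse_frame(body, splitter)
        if len(fields) > 1:
            hits.append({"frame": i, "command": fields[0], "fields": len(fields)})
    return hits


def frame(body: str) -> bytes:
    """Build a frame in the same layout (used here only to construct test data)."""
    raw = body.encode("latin-1")
    return str(len(raw)).encode("ascii") + b"\x00" + raw


# Constructed sample stream: a registration-style message using this sample's
# splitter, a bare one-byte keepalive, and a truncated trailing frame.  The
# field contents are made up; only the framing and the splitter reflect the
# extracted config.
SAMPLE_STREAM = (
    frame("ll|Hassan|SGFjS2Vk|Hassan|Admin|Hassan|Win7|Hassan|No")
    + frame("P")
    + b"12\x00inc"
)

if __name__ == "__main__":
    for hit in scan_stream(SAMPLE_STREAM):
        print(hit)
    print("stock-splitter signature hits:", scan_stream(SAMPLE_STREAM, DEFAULT_SPLITTER))
```

Run against a reassembled TCP stream to the C2 port; the length prefix makes frame boundaries unambiguous, so the splitter match can be anchored per message rather than searched across arbitrary byte windows.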
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
  PID 804   Itsg.exe
  PID 1632  DADADA.exe
-
Drops startup file 2 IoCs
Processes:
  DADADA.exe: File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe
  DADADA.exe: File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe
  (Second persistence mechanism alongside the Run key below; the Startup-folder copy is named after a Java update, the Run value after Windows Update.)
-
Loads dropped DLL 4 IoCs
Processes:
  PID 900   14b4b5ec8401fca8783dacd24b368c25e3723de1bebad2f2589883f239e09176.exe  (3 loads)
  PID 804   Itsg.exe  (1 load)
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  DADADA.exe: Set value (str)  \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\DADADA.exe\" .."
  DADADA.exe: Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\DADADA.exe\" .."
  (The value name is the reg_key from the extracted config. It is written to both the user hive and HKLM; the Wow6432Node path shows the 32-bit process being redirected by WOW64 on this x64 host. The persisted command line carries a trailing ".." argument, which is a usable hunting artefact in its own right.)
-
Drops file in Program Files directory 5 IoCs
Processes:
  14b4b5ec8401fca8783dacd24b368c25e3723de1bebad2f2589883f239e09176.exe (PID 900):
    File opened for modification  C:\Program Files (x86)\hack.png
    File created  C:\Program Files (x86)\__tmp_rar_sfx_access_check_7090744
    File created  C:\Program Files (x86)\Itsg.exe
    File opened for modification  C:\Program Files (x86)\Itsg.exe
    File created  C:\Program Files (x86)\hack.png
  (The __tmp_rar_sfx_access_check_* file is the write probe a WinRAR self-extracting archive creates in its extraction directory, so the 315KB submission is a RAR SFX that unpacks the 43KB Itsg.exe and an image, hack.png, into the Program Files (x86) root and runs Itsg.exe from there. An executable sitting directly in that root, with no vendor subfolder, is itself worth a hunt rule.)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature adds "likely ransomware behaviour", but that does not fit this sample: the extracted config identifies it as njRAT, and no file-encryption or ransom-note activity appears anywhere in the report. Read it as the RAT enumerating drives; njRAT builds commonly carry a removable-drive spreading option, and the RAT's file browsing starts with a drive listing.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  PID 1632  DADADA.exe
  (Repeated GetForegroundWindow polling by the final-stage payload; njRAT's keylogger records the active window title alongside keystrokes.)
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
Processes:
  PID 1632  DADADA.exe:
    Token: SeDebugPrivilege  x1
    Token: 33 (unresolved by the sandbox; LUID 33 is SeIncreaseWorkingSetPrivilege)  x8
    Token: SeIncBasePriorityPrivilege  x8
  (17 adjustments in total, all by the final payload; the 33/SeIncBasePriorityPrivilege pair is requested eight times in alternation. The single SeDebugPrivilege enable is the one to watch, since it is what a process requests before opening other processes with full access.)
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
  PID 900  14b4b5ec8401fca8783dacd24b368c25e3723de1bebad2f2589883f239e09176.exe  wrote to memory of  PID 804  Itsg.exe  x4
  PID 804  Itsg.exe  wrote to memory of  PID 1632  DADADA.exe  x4
  (Each parent writes into the child it has just created, in line with the process tree below; there is no write into any process outside the dropper chain.)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\14b4b5ec8401fca8783dacd24b368c25e3723de1bebad2f2589883f239e09176.exe  (PID 900)
   Command line: "C:\Users\Admin\AppData\Local\Temp\14b4b5ec8401fca8783dacd24b368c25e3723de1bebad2f2589883f239e09176.exe"
   - Loads dropped DLL
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files (x86)\Itsg.exe  (PID 804, child of 900)
      Command line: "C:\Program Files (x86)\Itsg.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\DADADA.exe  (PID 1632, child of 804)
         Command line: "C:\Users\Admin\AppData\Local\Temp\DADADA.exe"
         - Executes dropped EXE
         - Drops startup file
         - Adds Run key to start application
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
Three-stage chain: the RAR SFX dropper unpacks and runs Itsg.exe from the Program Files (x86) root; Itsg.exe writes the same 43KB binary to %TEMP% as DADADA.exe (identical hashes under Downloads) and runs it; DADADA.exe is the instance that installs both persistence mechanisms.
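The persistence, process-chain and C2 indicators above as one host-side check, added here as an example and not code from the report or the sandbox. It runs over constructed Sysmon-style events that mirror what the signatures list: the two Run values written by DADADA.exe, the Startup-folder drop, the dropper to Itsg.exe to DADADA.exe chain, and a DNS query for the configured C2 hostname, plus two benign control events that must not fire. The Event dataclass and its field names are this example's own simplification of Sysmon's schema.

```python
import re
from dataclasses import dataclass, field

# Indicators taken from the report above.
C2_HOST = "gazik500.ddns.net"
RUN_VALUE_NAME = "Windows Update"          # njRAT reg_key / Run value name

# Locations that matter for this sample's staging and persistence.
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.I)
# Matches both the native Run key and the WOW64-redirected Wow6432Node path.
RUN_KEY_RE = re.compile(
    r"\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
# An .exe sitting directly in the Program Files root with no vendor folder, as Itsg.exe does.
PF_ROOT_EXE_RE = re.compile(r"^[A-Z]:\\Program Files( \(x86\))?\\[^\\]+\.exe$", re.I)


@dataclass
class Event:
    """Minimal Sysmon-style event: 1=process create, 11=file create,
    13=registry value set, 22=DNS query.  Field names follow Sysmon's."""
    event_id: int
    image: str
    fields: dict = field(default_factory=dict)


def check_event(ev: Event) -> list[str]:
    """Return the findings for one event (empty list if nothing matched)."""
    findings: list[str] = []
    if ev.event_id == 1:
        if PF_ROOT_EXE_RE.match(ev.image):
            findings.append(f"executable launched from Program Files root: {ev.image}")
        parent = ev.fields.get("ParentImage", "")
        if PF_ROOT_EXE_RE.match(parent) and TEMP_DIR_RE.search(ev.image):
            findings.append(f"%TEMP% child spawned by Program Files root binary {parent}")
    elif ev.event_id == 11:
        target = ev.fields.get("TargetFilename", "")
        if STARTUP_DIR_RE.search(target):
            findings.append(f"file dropped into Startup folder: {target}")
    elif ev.event_id == 13:
        m = RUN_KEY_RE.search(ev.fields.get("TargetObject", ""))
        details = ev.fields.get("Details", "")
        # Only Run values pointing into %TEMP% are flagged, so vendor entries stay quiet.
        if m and TEMP_DIR_RE.search(details):
            findings.append(f"Run value '{m.group(1)}' points into %TEMP%: {details}")
            if m.group(1).lower() == RUN_VALUE_NAME.lower():
                findings.append("Run value name matches the njRAT config reg_key")
    elif ev.event_id == 22:
        if ev.fields.get("QueryName", "").lower().rstrip(".") == C2_HOST:
            findings.append(f"DNS query for configured C2 host {C2_HOST} by {ev.image}")
    return findings


def scan(events: list[Event]) -> dict[int, list[str]]:
    """Map the index of every flagged event to its findings."""
    return {i: f for i, ev in enumerate(events) if (f := check_event(ev))}


# Constructed events mirroring the report's process tree and signatures.
SFX = r"C:\Users\Admin\AppData\Local\Temp\14b4b5ec8401fca8783dacd24b368c25e3723de1bebad2f2589883f239e09176.exe"
ITSG = r"C:\Program Files (x86)\Itsg.exe"
DADADA = r"C:\Users\Admin\AppData\Local\Temp\DADADA.exe"
SID = "S-1-5-21-1083475884-596052423-1669053738-1000"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe"

SAMPLE_EVENTS = [
    Event(1, ITSG, {"ParentImage": SFX}),
    Event(1, DADADA, {"ParentImage": ITSG}),
    Event(13, DADADA, {"TargetObject": "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update",
                       "Details": f'"{DADADA}" ..'}),
    Event(13, DADADA, {"TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update",
                       "Details": f'"{DADADA}" ..'}),
    Event(11, DADADA, {"TargetFilename": STARTUP}),
    Event(22, DADADA, {"QueryName": "gazik500.ddns.net"}),
    # Benign controls: a vendor Run value and an ordinary process start.
    Event(13, r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
          {"TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
           "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"}),
    Event(1, r"C:\Windows\System32\notepad.exe", {"ParentImage": r"C:\Windows\explorer.exe"}),
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        for text in findings:
            print(f"event {idx}: {text}")
```

The Run-key rule deliberately requires the value to point into %TEMP% rather than keying on the name "Windows Update" alone: the name is trivially changed per build, the staging location is the harder habit for this family to drop, and the exact-name match is reported as a second, stronger finding only when both hold.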
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
Dropped files. The report repeats the same 43KB binary under four paths; every entry carries identical hashes, so they are collapsed here:
  C:\Program Files (x86)\Itsg.exe
  C:\Users\Admin\AppData\Local\Temp\DADADA.exe
  \Program Files (x86)\Itsg.exe
  \Users\Admin\AppData\Local\Temp\DADADA.exe
  Filesize: 43KB
  MD5: 9f9d8782584d608e8bca3a722334f1fb
  SHA1: 81599471b01102a3ca4f9a111cac18d1584d3ea5
  SHA256: 0fd50919876362e298f31955ccc9cd7875c944dcb99aa1ff5a45f9b6b848f0c1
  SHA512: 94418cb4f98648e41566319ff31ce700775648a05d5660fe6529e4450ed4c4ea92a6574494d8cebc918241e59b69065da51d3908f37d7eb54cb3fc4f651ccffa
  (Itsg.exe and DADADA.exe are byte-identical: the second stage copies itself to %TEMP% before persisting. One hash covers both paths for blocking and hunting.)
-
memory/804-61-0x00000000011B0000-0x00000000011C2000-memory.dmp  Filesize 72KB  (PID 804, Itsg.exe)
-
memory/804-58-0x0000000000000000-mapping.dmp  (PID 804, Itsg.exe)
-
memory/900-54-0x00000000751C1000-0x00000000751C3000-memory.dmp  Filesize 8KB  (PID 900, SFX dropper)
-
memory/1632-64-0x0000000000000000-mapping.dmp  (PID 1632, DADADA.exe)
-
memory/1632-67-0x0000000000EB0000-0x0000000000EC2000-memory.dmp  Filesize 72KB  (PID 1632, DADADA.exe)
(The two 72KB regions, 0x12000 bytes each in PIDs 804 and 1632, are the same size, as expected for two instances of the same 43KB image.)