Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 04:41

Behavioral tasks
- behavioral1: sample 04ebda8dad22a5e9cfafc51dcccba313a2b8d11743da52bb114c1bfc165a0c01.exe on resource win7-20220414-en (the run reported below)
- behavioral2: sample 04ebda8dad22a5e9cfafc51dcccba313a2b8d11743da52bb114c1bfc165a0c01.exe on resource win10v2004-20220414-en
General
- Target: 04ebda8dad22a5e9cfafc51dcccba313a2b8d11743da52bb114c1bfc165a0c01.exe
- Size: 43KB
- MD5: 2c7e2f0618c5e97da339818408f8f280
- SHA1: 5e6ea81e291b81bd7281e7c7a27812ab101af1e2
- SHA256: 04ebda8dad22a5e9cfafc51dcccba313a2b8d11743da52bb114c1bfc165a0c01
- SHA512: 50dedbf570f9b9933623eac8b2e762e082cb60c22a3c629fdada9daa5367cd825b4aaf74d8f1afa0ee6f7c4cfba71ac15204c2b1636de5cc7a36a85025cfcc5a
Malware Config
Extracted family: njrat
- version: Njrat 0.7 Golden By Hassan Amiri
- campaign ID (field label not preserved on the page): hack
- C2: 213.159.212.162:8472
- mutex (field label not preserved on the page): DriverStartup
- reg_key: DriverStartup
- splitter: |Hassan|
The reg_key is the name of the Run value written during installation (see Signatures below). The splitter is the delimiter njRAT places between the fields of each message it exchanges with the C2, so it is a usable network-detection string alongside the IP:port pair.
Signatures
- Executes dropped EXE (3 IoCs)
  PID 1480 wininit.exe; PID 808 Server.exe; PID 328 Server.exe
- Drops startup file (2 IoCs)
  wininit.exe created, then opened for modification:
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChromeUpdate.exe
- Loads dropped DLL (1 IoC)
  PID 240 04ebda8dad22a5e9cfafc51dcccba313a2b8d11743da52bb114c1bfc165a0c01.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  wininit.exe set value (str):
  \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\DriverStartup = "\"C:\\Users\\Admin\\AppData\\Roaming\\wininit.exe\" .."
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DriverStartup = "\"C:\\Users\\Admin\\AppData\\Roaming\\wininit.exe\" .."
  The value name matches reg_key in the extracted config, and the bare " .." argument after the quoted path is the form njRAT's installer uses for its Run value; both are usable detection hooks. The HKLM write succeeding implies the sample ran with administrative rights; on a standard user account only the HKCU entry would take effect.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; in an njRAT sample it is equally consistent with the RAT's file-manager and removable-drive spreading features, and nothing else in this report points to encryption or mass file modification.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task is named Server, fires every minute, and runs Server.exe from %TEMP% (see the process tree); taskeng.exe launched it twice within the 151s run.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1480 wininit.exe. Repeated GetForegroundWindow polling is consistent with njRAT's keylogger, which records the active window title.
- Suspicious use of AdjustPrivilegeToken (17 IoCs)
  PID 1480 wininit.exe: SeDebugPrivilege once, then Token 33 and SeIncBasePriorityPrivilege alternating, eight times each.
- Suspicious use of WriteProcessMemory (16 IoCs)
  PID 240 04ebda8dad22a5e9cfafc51dcccba313a2b8d11743da52bb114c1bfc165a0c01.exe wrote to PID 1480 wininit.exe (4 entries)
  PID 1480 wininit.exe wrote to PID 1308 schtasks.exe (4 entries)
  PID 1728 taskeng.exe wrote to PID 808 Server.exe (4 entries)
  PID 1728 taskeng.exe wrote to PID 328 Server.exe (4 entries)
  Every target is a child the writer itself spawned, so these are process-creation writes rather than injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\04ebda8dad22a5e9cfafc51dcccba313a2b8d11743da52bb114c1bfc165a0c01.exe (PID 240)
  command line: "C:\Users\Admin\AppData\Local\Temp\04ebda8dad22a5e9cfafc51dcccba313a2b8d11743da52bb114c1bfc165a0c01.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\wininit.exe (PID 1480)
    command line: "C:\Users\Admin\AppData\Roaming\wininit.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 1308)
      command line: schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
      - Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe (PID 1728)
  command line: taskeng.exe {9D48976A-E611-41C1-AAE1-A184A540F840} S-1-5-21-790309383-526510583-3802439154-1000:TVHJCWMH\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Server.exe (PID 808)
    command line: C:\Users\Admin\AppData\Local\Temp/Server.exe
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\Server.exe (PID 328)
    command line: C:\Users\Admin\AppData\Local\Temp/Server.exe
    - Executes dropped EXE
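The persistence chain above (a Run value carrying njRAT's trailing " .." argument, a copy dropped into the Startup folder, and a schtasks job firing every minute from %TEMP%) can be turned into host-detection rules. The following Python is an added example written for this page, not code or output from the sandbox. Its event records are constructed from the IoCs listed above; the two benign records are invented controls to show the rules stay quiet on ordinary software.

```python
"""Host-detection rules for the njRAT persistence chain in this report.

Added example, not sandbox code. Event records are constructed from the
report's IoCs; the benign records are invented controls.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# njRAT's installer writes its Run value as "<path>" plus a bare " .."
# argument; the argument is the hallmark, not the file name.
NJRAT_RUN_VALUE = re.compile(r'^"[^"]+\.exe" \.\.$', re.IGNORECASE)

# A task firing every few minutes from a user-writable directory is the
# schtasks pattern seen above (Server.exe in %TEMP%, /sc minute /mo 1).
USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\")
MAX_MINUTES = 5
STARTUP_FOLDER = "\\microsoft\\windows\\start menu\\programs\\startup\\"


@dataclass
class Event:
    kind: str      # "regset", "filecreate" or "proc"
    process: str   # image name of the acting process
    detail: str    # registry value data, created file path or command line
    key: str = ""  # registry key path (regset only)


def _tokens(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted spans whole."""
    return re.findall(r'"[^"]*"|\S+', cmdline)


def parse_schtasks(cmdline: str) -> Optional[Dict[str, str]]:
    """Return the /sc /mo /tn /tr arguments of a `schtasks /create` command
    line (quotes stripped), or None if this is not a schtasks create."""
    toks = _tokens(cmdline)
    if not toks:
        return None
    exe = toks[0].strip('"').lower()
    if exe != "schtasks" and not exe.endswith("schtasks.exe"):
        return None
    if "/create" not in [t.lower() for t in toks[1:]]:
        return None
    args: Dict[str, str] = {}
    for i, tok in enumerate(toks[1:-1], start=1):
        name = tok.lower()
        if name in ("/sc", "/mo", "/tn", "/tr"):
            args[name[1:]] = toks[i + 1].strip('"')
    return args


def is_suspicious_schtask(cmdline: str) -> bool:
    """True for a minute-granularity task whose action lives in %TEMP% or
    %APPDATA%. schtasks treats a missing /mo as 1."""
    args = parse_schtasks(cmdline)
    if not args or args.get("sc", "").lower() != "minute":
        return False
    try:
        every = int(args.get("mo", "1"))
    except ValueError:
        return False
    # The report shows a forward slash in the path (Temp/Server.exe);
    # Windows accepts both separators, so normalise before matching.
    target = args.get("tr", "").replace("/", "\\").lower()
    return every <= MAX_MINUTES and any(d in target for d in USER_WRITABLE_DIRS)


def detect(events: List[Event]) -> List[str]:
    """Run the three rules over an event list and return one line per hit."""
    hits: List[str] = []
    for e in events:
        if (e.kind == "regset" and "\\currentversion\\run\\" in e.key.lower()
                and NJRAT_RUN_VALUE.match(e.detail)):
            hits.append(f"njrat_run_value: {e.process} set {e.key} = {e.detail}")
        elif e.kind == "filecreate" and STARTUP_FOLDER in e.detail.lower():
            hits.append(f"startup_folder_drop: {e.process} wrote {e.detail}")
        elif e.kind == "proc" and is_suspicious_schtask(e.detail):
            hits.append(f"minute_task_from_user_dir: {e.process} ran {e.detail}")
    return hits


# Constructed from the IoCs in this report (names, key paths, value data
# and command line as listed above).
REPORT_EVENTS = [
    Event("regset", "wininit.exe", '"C:\\Users\\Admin\\AppData\\Roaming\\wininit.exe" ..',
          key="\\REGISTRY\\USER\\S-1-5-21-790309383-526510583-3802439154-1000"
              "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\DriverStartup"),
    Event("regset", "wininit.exe", '"C:\\Users\\Admin\\AppData\\Roaming\\wininit.exe" ..',
          key="\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows"
              "\\CurrentVersion\\Run\\DriverStartup"),
    Event("filecreate", "wininit.exe",
          "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu"
          "\\Programs\\Startup\\ChromeUpdate.exe"),
    Event("proc", "wininit.exe",
          "schtasks /create /sc minute /mo 1 /tn Server "
          "/tr C:\\Users\\Admin\\AppData\\Local\\Temp/Server.exe"),
]

# Invented benign controls: an ordinary Run value and a daily vendor task.
BENIGN_EVENTS = [
    Event("regset", "setup.exe", '"C:\\Program Files\\Vendor\\agent.exe" /background',
          key="\\REGISTRY\\USER\\S-1-5-21-0-0-0-1000\\Software\\Microsoft"
              "\\Windows\\CurrentVersion\\Run\\VendorAgent"),
    Event("proc", "setup.exe",
          'schtasks /create /sc daily /tn VendorUpdate /tr "C:\\Program Files\\Vendor\\update.exe"'),
]

if __name__ == "__main__":
    for line in detect(REPORT_EVENTS + BENIGN_EVENTS):
        print(line)
```

Run as-is it prints four hits for the report events and none for the controls. The Run-value rule keys on the " .." argument rather than on the file name, so it survives the operator renaming wininit.exe or DriverStartup; the schtasks rule keys on frequency plus a user-writable action path, so it also catches tasks that do not happen to be called Server.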
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Every dropped executable is byte-identical to the submitted sample (same size and hashes): the RAT installs itself by copying its own image.
- C:\Users\Admin\AppData\Local\Temp\Server.exe (listed 3 times)
- C:\Users\Admin\AppData\Roaming\wininit.exe (listed 2 times)
- \Users\Admin\AppData\Roaming\wininit.exe (listed once)
Common to all entries:
- Filesize: 43KB
- MD5: 2c7e2f0618c5e97da339818408f8f280
- SHA1: 5e6ea81e291b81bd7281e7c7a27812ab101af1e2
- SHA256: 04ebda8dad22a5e9cfafc51dcccba313a2b8d11743da52bb114c1bfc165a0c01
- SHA512: 50dedbf570f9b9933623eac8b2e762e082cb60c22a3c629fdada9daa5367cd825b4aaf74d8f1afa0ee6f7c4cfba71ac15204c2b1636de5cc7a36a85025cfcc5a
-
memory/240-55-0x00000000748C0000-0x0000000074E6B000-memory.dmpFilesize
5.7MB
-
memory/240-54-0x00000000757C1000-0x00000000757C3000-memory.dmpFilesize
8KB
-
memory/328-71-0x00000000748C0000-0x0000000074E6B000-memory.dmpFilesize
5.7MB
-
memory/328-68-0x0000000000000000-mapping.dmp
-
memory/808-64-0x0000000000000000-mapping.dmp
-
memory/808-67-0x00000000748C0000-0x0000000074E6B000-memory.dmpFilesize
5.7MB
-
memory/1308-62-0x0000000000000000-mapping.dmp
-
memory/1480-57-0x0000000000000000-mapping.dmp
-
memory/1480-61-0x00000000748C0000-0x0000000074E6B000-memory.dmpFilesize
5.7MB