Analysis
- max time kernel: 151s
- max time network: 157s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 12:37
Static task: static1
Behavioral task: behavioral1
- Sample: d71fa2def00022ad0a2d124bda3d44a5482ef1f7dad6894839863dbe6878208c.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: d71fa2def00022ad0a2d124bda3d44a5482ef1f7dad6894839863dbe6878208c.exe
- Resource: win10v2004-20220414-en
General
- Target: d71fa2def00022ad0a2d124bda3d44a5482ef1f7dad6894839863dbe6878208c.exe
- Size: 1.6MB
- MD5: 9aa5899b0cea4a5c982b8f2ffd9c1a76
- SHA1: 00dd99db2fe25005e097ff4babefc7fb4a55041b
- SHA256: d71fa2def00022ad0a2d124bda3d44a5482ef1f7dad6894839863dbe6878208c
- SHA512: 12ca0a7eebe9ec89864f68367fae2a3bb0159cdc97132ef4defc3f99186cdd21fd1325d30d8584fb4678e4467147dda8a2563cbf52f15b6ddc8a73e73840c58b
Malware Config
Extracted: njrat
- Version: Njrat 0.7 Golden By Hassan Amiri
- Botnet: HacKed
- C2: 0.tcp.ngrok.io:14031
- Mutex: WindowsUpdate
- reg_key: WindowsUpdate
- splitter: |Hassan|
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
    1744  Server.exe
    1408  svchost.exe
- Deletes itself (1 IoCs)
  Processes (pid / process):
    960  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
    1080  d71fa2def00022ad0a2d124bda3d44a5482ef1f7dad6894839863dbe6878208c.exe
    1744  Server.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .."  svchost.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .."  svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid / process):
    1408  svchost.exe
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege  1408  svchost.exe  (1 event)
    Token: 33  1408  svchost.exe  (9 events, alternating with the entry below)
    Token: SeIncBasePriorityPrivilege  1408  svchost.exe  (9 events)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 1080 wrote to memory of 1744  1080  d71fa2def00022ad0a2d124bda3d44a5482ef1f7dad6894839863dbe6878208c.exe -> Server.exe  (4 events)
    PID 1080 wrote to memory of 960   1080  d71fa2def00022ad0a2d124bda3d44a5482ef1f7dad6894839863dbe6878208c.exe -> cmd.exe  (4 events)
    PID 1744 wrote to memory of 1408  1744  Server.exe -> svchost.exe  (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\d71fa2def00022ad0a2d124bda3d44a5482ef1f7dad6894839863dbe6878208c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d71fa2def00022ad0a2d124bda3d44a5482ef1f7dad6894839863dbe6878208c.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Server.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\d71fa2def00022ad0a2d124bda3d44a5482ef1f7dad6894839863dbe6878208c.exe" >> NUL
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  Filesize: 43KB
  MD5: 4dbfe99e4a14f3d876d9140b8de42e9d
  SHA1: acc2b1d22d454dafd02b9bde4620ad4df2018160
  SHA256: 620bb74f3fbc78dd3f4a8ba80994a0e24b4f540ed4f06aabebe8a9e63205fc46
  SHA512: 65de918b3045ff3bbb7fd8c8e26911014ea672f5c62e41c0505a715745248fd3ed125dabee2031a6cfb8d86b671a50f97d4c5f978054d7379938f6122ced277f
- C:\Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 43KB
  MD5: 4dbfe99e4a14f3d876d9140b8de42e9d
  SHA1: acc2b1d22d454dafd02b9bde4620ad4df2018160
  SHA256: 620bb74f3fbc78dd3f4a8ba80994a0e24b4f540ed4f06aabebe8a9e63205fc46
  SHA512: 65de918b3045ff3bbb7fd8c8e26911014ea672f5c62e41c0505a715745248fd3ed125dabee2031a6cfb8d86b671a50f97d4c5f978054d7379938f6122ced277f
- \Users\Admin\AppData\Local\Temp\Server.exe
  Filesize: 43KB
  MD5: 4dbfe99e4a14f3d876d9140b8de42e9d
  SHA1: acc2b1d22d454dafd02b9bde4620ad4df2018160
  SHA256: 620bb74f3fbc78dd3f4a8ba80994a0e24b4f540ed4f06aabebe8a9e63205fc46
  SHA512: 65de918b3045ff3bbb7fd8c8e26911014ea672f5c62e41c0505a715745248fd3ed125dabee2031a6cfb8d86b671a50f97d4c5f978054d7379938f6122ced277f
- \Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 43KB
  MD5: 4dbfe99e4a14f3d876d9140b8de42e9d
  SHA1: acc2b1d22d454dafd02b9bde4620ad4df2018160
  SHA256: 620bb74f3fbc78dd3f4a8ba80994a0e24b4f540ed4f06aabebe8a9e63205fc46
  SHA512: 65de918b3045ff3bbb7fd8c8e26911014ea672f5c62e41c0505a715745248fd3ed125dabee2031a6cfb8d86b671a50f97d4c5f978054d7379938f6122ced277f
- memory/960-58-0x0000000000000000-mapping.dmp
- memory/1080-54-0x00000000752D1000-0x00000000752D3000-memory.dmp
  Filesize: 8KB
- memory/1408-63-0x0000000000000000-mapping.dmp
- memory/1408-66-0x0000000000DD0000-0x0000000000DE2000-memory.dmp
  Filesize: 72KB
- memory/1744-56-0x0000000000000000-mapping.dmp
- memory/1744-60-0x00000000013E0000-0x00000000013F2000-memory.dmp
  Filesize: 72KB