Analysis
- max time kernel: 156s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 12:37

Static task: static1
Behavioral task: behavioral1
- Sample: d71fa2def00022ad0a2d124bda3d44a5482ef1f7dad6894839863dbe6878208c.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: d71fa2def00022ad0a2d124bda3d44a5482ef1f7dad6894839863dbe6878208c.exe
- Resource: win10v2004-20220414-en

The signatures, process tree and dumps below are from the windows10-2004_x64 run (behavioral2).
General
- Target: d71fa2def00022ad0a2d124bda3d44a5482ef1f7dad6894839863dbe6878208c.exe
- Size: 1.6MB
- MD5: 9aa5899b0cea4a5c982b8f2ffd9c1a76
- SHA1: 00dd99db2fe25005e097ff4babefc7fb4a55041b
- SHA256: d71fa2def00022ad0a2d124bda3d44a5482ef1f7dad6894839863dbe6878208c
- SHA512: 12ca0a7eebe9ec89864f68367fae2a3bb0159cdc97132ef4defc3f99186cdd21fd1325d30d8584fb4678e4467147dda8a2563cbf52f15b6ddc8a73e73840c58b

The submitted 1.6MB file is a dropper: the RAT itself is the 43KB Server.exe it writes to %TEMP% (hashes under Downloads), which in turn copies itself to %APPDATA%\svchost.exe.
Malware Config
Extracted family: njrat
- Version string: Njrat 0.7 Golden By Hassan Amiri
- Campaign ID: HacKed
- C2: 0.tcp.ngrok.io:14031
- WindowsUpdate (unlabeled in the extraction; it is the same name the implant uses for its Run value below)
- reg_key: WindowsUpdate
- splitter: |Hassan|

Notes on the config:
- The C2 is an ngrok TCP tunnel. The IP it resolves to belongs to ngrok and changes between sessions, so the hostname:port pair is the stable indicator, and DNS lookups for *.tcp.ngrok.io from managed endpoints are worth alerting on regardless of port.
- The splitter is not the stock njRAT value (|'|'|). Network signatures keyed on the default splitter will not match this build's traffic; match on the length-prefix framing or on the configured splitter instead.
- HacKed is the default campaign name shipped with the njRAT builder, so it does not identify a particular operator.
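The decoder below is an added example written for this report; it is not code from the sample, the sandbox or the njRAT authors. It assumes the message framing described in public njRAT 0.7 analyses (a decimal byte count, a NUL byte, then the payload, with payload fields joined by the build's splitter) and the registration ("ll") victim-ID layout base64(campaign + "_" + volume serial). The byte stream it parses is constructed for the example, not captured traffic; the hostname, serial and field values in it are made up. It uses this build's splitter from the extracted config and shows that a decoder keyed on the stock splitter fails to recognise the same message.

```python
"""njRAT-style C2 framing decoder (added example, see lead-in above)."""
import base64

SPLITTER = b"|Hassan|"          # from the extracted config of this sample
DEFAULT_SPLITTER = b"|'|'|"     # stock njRAT 0.7 splitter, for comparison


def frame_messages(stream: bytes):
    """Split a raw TCP byte stream into payloads using the "<len>\\x00" prefix.

    Returns (messages, remainder); remainder is an incomplete trailing frame
    that the caller should prepend to the next chunk it receives.
    """
    msgs, pos = [], 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break                                   # length prefix not complete yet
        length_field = stream[pos:nul]
        if not length_field.isdigit():
            raise ValueError(f"bad length prefix at offset {pos}: {length_field!r}")
        start, end = nul + 1, nul + 1 + int(length_field)
        if end > len(stream):
            break                                   # payload not fully received yet
        msgs.append(stream[start:end])
        pos = end
    return msgs, stream[pos:]


def parse_message(payload: bytes, splitter: bytes = SPLITTER):
    """Split one payload into (command, fields); the first field is the command."""
    fields = payload.split(splitter)
    return fields[0].decode("latin-1"), fields[1:]


def decode_victim_id(field: bytes):
    """Registration messages carry base64(campaign + '_' + volume serial)."""
    campaign, _, serial = base64.b64decode(field).decode("latin-1").partition("_")
    return campaign, serial


def build_message(fields, splitter: bytes = SPLITTER) -> bytes:
    """Inverse of frame_messages/parse_message; used only to build the sample."""
    payload = splitter.join(fields)
    return str(len(payload)).encode() + b"\x00" + payload


# Constructed sample stream (not captured traffic): one registration message,
# one keepalive, then a truncated frame to exercise the remainder handling.
VICTIM_ID = base64.b64encode(b"HacKed_5BB67F79")      # campaign from the config, made-up serial
SAMPLE_STREAM = (
    build_message([b"ll", VICTIM_ID, b"DESKTOP-TEST", b"Admin", b"20-05-22",
                   b"", b"Win 10 Pro", b"No", b"0.7", b"..", b"", b"Notepad"])
    + build_message([b"P"])
    + b"12\x00ll|Hassan|"                              # 12 bytes announced, 10 present
)


def triage_stream(stream: bytes, splitter: bytes = SPLITTER) -> dict:
    """Summarise the first registration message found, plus framing stats."""
    msgs, rest = frame_messages(stream)
    for m in msgs:
        cmd, fields = parse_message(m, splitter)
        if cmd == "ll" and fields:
            campaign, serial = decode_victim_id(fields[0])
            return {"campaign": campaign, "serial": serial,
                    "hostname": fields[1].decode("latin-1"),
                    "messages": len(msgs), "pending": len(rest)}
    return {"campaign": None, "messages": len(msgs), "pending": len(rest)}


if __name__ == "__main__":
    print(triage_stream(SAMPLE_STREAM))                   # decodes with this build's splitter
    print(triage_stream(SAMPLE_STREAM, DEFAULT_SPLITTER)) # stock splitter: campaign None
```

Because the splitter is a configuration value, a detector that only knows the stock `|'|'|` sees the whole registration payload as one unrecognised command; keying on the `<len>\x00` framing first, then trying known splitters, is the robust order.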
Signatures

Executes dropped EXE (2 IoCs)
- PID 1824: Server.exe
- PID 2772: svchost.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation, by d71fa2def00022ad0a2d124bda3d44a5482ef1f7dad6894839863dbe6878208c.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation, by Server.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\Users\Admin\AppData\Roaming\svchost.exe" .. , by svchost.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\Users\Admin\AppData\Roaming\svchost.exe" .. , by svchost.exe
The value name is the reg_key from the extracted config, and the data is the quoted path of the dropped copy followed by the literal argument "..". The machine-wide entry lands under WOW6432Node because the writer is a 32-bit process, and it only succeeds when the process can write HKLM (the sandbox runs as Admin); on a standard-user host expect only the HKCU entry. The hunt is simple: the real svchost.exe lives only in %SystemRoot%\System32 (and SysWOW64), so any Run value or running process with that name under a user profile is hostile.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour", but nothing else in this report shows file encryption; for an njRAT sample, drive enumeration is better explained by the family's removable-drive spreading option.
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- PID 1824: Server.exe
- PID 2772: svchost.exe
Repeated GetForegroundWindow polling is consistent with njRAT's keylogger, which records the active window title alongside keystrokes.
Suspicious use of AdjustPrivilegeToken (31 IoCs)
All by svchost.exe (PID 2772):
- SeDebugPrivilege: 1
- privilege LUID 33 (left unresolved by the sandbox; on current Windows builds that LUID is SeIncreaseWorkingSetPrivilege): 15
- SeIncBasePriorityPrivilege: 15
The LUID 33 / SeIncBasePriorityPrivilege pair is enabled alternately, fifteen times in a row. SeDebugPrivilege is the entry worth noting: it lets the implant open other processes (njRAT's process manager) and is only obtainable because the sandbox runs as Admin.
Suspicious use of WriteProcessMemory (9 IoCs)
- PID 3880 (d71fa2def00022ad0a2d124bda3d44a5482ef1f7dad6894839863dbe6878208c.exe) wrote to PID 1824 (Server.exe), 3 times
- PID 3880 (d71fa2def00022ad0a2d124bda3d44a5482ef1f7dad6894839863dbe6878208c.exe) wrote to PID 1288 (cmd.exe), 3 times
- PID 1824 (Server.exe) wrote to PID 2772 (svchost.exe), 3 times
Every target is a child the writer has just created (see the process tree below), so these writes are the parent populating its new process at start-up, not injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\d71fa2def00022ad0a2d124bda3d44a5482ef1f7dad6894839863dbe6878208c.exe (PID 3880)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\d71fa2def00022ad0a2d124bda3d44a5482ef1f7dad6894839863dbe6878208c.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Server.exe (PID 1824)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\svchost.exe (PID 2772)
          cmdline: "C:\Users\Admin\AppData\Roaming\svchost.exe"
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe (PID 1288)
      cmdline: "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\d71fa2def00022ad0a2d124bda3d44a5482ef1f7dad6894839863dbe6878208c.exe" >> NUL

PIDs are taken from the WriteProcessMemory signature above. Two details of the tree matter for triage: the dropper launches cmd.exe to delete its own image as soon as Server.exe is running (self-deletion, so the 1.6MB file will not be on disk afterwards and the persistent artefact is %APPDATA%\svchost.exe), and cmd.exe resolves to SysWOW64 even though it was invoked as system32, which is WOW64 file-system redirection and confirms the dropper is a 32-bit process.
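The rules below are an added example of turning the two Run-key writes and the self-delete command line in this report into detection logic; they are not sandbox or sample code. The event records are transcribed from this report plus one constructed benign control, the record layout and rule names are this example's own, and the list of system-binary names to watch is a starting point rather than a complete one.

```python
"""Triage rules for Run-key masquerading and dropper self-deletion (added example)."""
import ntpath
import re

# Binaries that legitimately live only under System32/SysWOW64; a copy with
# the same name anywhere else is name masquerading.  Starting list, extend it.
SYSTEM_BINARIES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
                   "services.exe", "smss.exe", "dllhost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

_IMAGE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')
_DEL_RE = re.compile(r'\bdel\s+"?([^"]+?)"?\s*(?:>>?\s*NUL)?\s*$', re.IGNORECASE)


def image_path(cmdline: str) -> str:
    """First token of a Windows command line, with surrounding quotes removed."""
    m = _IMAGE_RE.match(cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def check_run_value(event: dict) -> list:
    """Rules for one Run-key 'Set value' event; returns (rule, detail) tuples."""
    img = image_path(event["data"])
    low = ntpath.normcase(img)                      # lower-case, backslash paths
    findings = []
    if ntpath.basename(low) in SYSTEM_BINARIES and not low.startswith(SYSTEM_DIRS):
        findings.append(("masquerade", f"{ntpath.basename(img)} outside System32/SysWOW64: {img}"))
    if any(d in low for d in USER_WRITABLE):
        findings.append(("user_writable_autostart",
                         f"{event['hive']}\\{event['key']}\\{event['name']} -> {img}"))
    if event.get("writer") and ntpath.normcase(event["writer"]) == low:
        findings.append(("self_registration", f"{img} registered itself for autostart"))
    return findings


def check_self_delete(parent_image: str, child_cmdline: str):
    """cmd.exe /c del <the parent's own image> is a dropper removing itself."""
    if ntpath.basename(ntpath.normcase(image_path(child_cmdline))) != "cmd.exe":
        return None
    m = _DEL_RE.search(child_cmdline)
    if m and ntpath.normcase(m.group(1)) == ntpath.normcase(parent_image):
        return ("self_delete", m.group(1))
    return None


def triage(run_events, process_events) -> list:
    """Run every rule over the Run-key events and (parent, child cmdline) pairs."""
    findings = []
    for ev in run_events:
        findings.extend(check_run_value(ev))
    for parent, child in process_events:
        hit = check_self_delete(parent, child)
        if hit:
            findings.append(hit)
    return findings


SID = r"\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\d71fa2def00022ad0a2d124bda3d44a5482ef1f7dad6894839863dbe6878208c.exe"
COPY = r"C:\Users\Admin\AppData\Roaming\svchost.exe"

RUN_KEY_EVENTS = [  # transcribed from the "Adds Run key" signature in this report
    {"hive": SID, "key": r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "WindowsUpdate", "data": f'"{COPY}" ..', "writer": COPY},
    {"hive": r"\REGISTRY\MACHINE", "key": r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
     "name": "WindowsUpdate", "data": f'"{COPY}" ..', "writer": COPY},
]
PROCESS_EVENTS = [  # (parent image, child command line), from the process tree
    (DROPPER, f'"C:\\Windows\\system32\\cmd.exe" /c del "{DROPPER}" >> NUL'),
]
# Constructed benign control (not from the report): must produce no findings.
BENIGN_RUN_EVENTS = [
    {"hive": SID, "key": r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "ExampleUpdater", "data": r'"C:\Program Files\Example\updater.exe" /background',
     "writer": r"C:\Program Files\Example\setup.exe"},
]
BENIGN_PROCESS_EVENTS = [(r"C:\Windows\explorer.exe", r'"C:\Windows\system32\cmd.exe" /c dir')]

if __name__ == "__main__":
    for rule, detail in triage(RUN_KEY_EVENTS, PROCESS_EVENTS):
        print(f"{rule:24} {detail}")
```

On this report the rules fire seven times (masquerade, user-writable autostart and self-registration for each of the two Run values, plus one self-delete) and stay silent on the benign control. The self-registration rule is the cheap one to keep in production: a process writing a Run value that points at its own image under %APPDATA% is rarely legitimate software.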
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  Filesize: 43KB
  MD5: 4dbfe99e4a14f3d876d9140b8de42e9d
  SHA1: acc2b1d22d454dafd02b9bde4620ad4df2018160
  SHA256: 620bb74f3fbc78dd3f4a8ba80994a0e24b4f540ed4f06aabebe8a9e63205fc46
  SHA512: 65de918b3045ff3bbb7fd8c8e26911014ea672f5c62e41c0505a715745248fd3ed125dabee2031a6cfb8d86b671a50f97d4c5f978054d7379938f6122ced277f
- C:\Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 43KB
  MD5: 4dbfe99e4a14f3d876d9140b8de42e9d
  SHA1: acc2b1d22d454dafd02b9bde4620ad4df2018160
  SHA256: 620bb74f3fbc78dd3f4a8ba80994a0e24b4f540ed4f06aabebe8a9e63205fc46
  SHA512: 65de918b3045ff3bbb7fd8c8e26911014ea672f5c62e41c0505a715745248fd3ed125dabee2031a6cfb8d86b671a50f97d4c5f978054d7379938f6122ced277f
The report lists each of these files twice with identical hashes; the duplicates are collapsed here. svchost.exe in %APPDATA% is a byte-identical copy of Server.exe (all four hashes match), so the 43KB SHA256 above is the single file hash to block for the RAT itself, separate from the dropper hash under General.
- memory/1288-133-0x0000000000000000-mapping.dmp
- memory/1824-130-0x0000000000000000-mapping.dmp
- memory/1824-134-0x00000000000B0000-0x00000000000C2000-memory.dmp (Filesize: 72KB)
- memory/1824-135-0x00000000048F0000-0x000000000498C000-memory.dmp (Filesize: 624KB)
- memory/1824-136-0x00000000051C0000-0x0000000005764000-memory.dmp (Filesize: 5.6MB)
- memory/1824-137-0x0000000004D20000-0x0000000004DB2000-memory.dmp (Filesize: 584KB)
- memory/2772-138-0x0000000000000000-mapping.dmp
- memory/2772-141-0x0000000005390000-0x000000000539A000-memory.dmp (Filesize: 40KB)