Analysis
-
max time kernel
200s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
12-06-2022 15:29
Static task
static1
General
-
Target
Server.exe
-
Size
25KB
-
MD5
4a2e54e74503ddc6005c8f72e025943e
-
SHA1
aaf965085024318dce3b9ffd6d96b3326d41b1e9
-
SHA256
94fac7a812c6faf41727786c4e31c0375574fcaed192673cf058c5a7bf8194a0
-
SHA512
cb4fd3640e2f61f963309b0c773264cb60cd880d4a5005820c6317cbcf1e5ac6a99fb5beb14558bba8c401d24666fe6c0a2ea6751a1c7726a4934bde42e31701
Malware Config
Extracted
njrat
Njrat 0.7 Golden By Hassan Amiri
gay
4.tcp.eu.ngrok.io:17260
Windows Update
-
reg_key
Windows Update
-
splitter
|Hassan|
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
Dllhost.exepid process 852 Dllhost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
taskmgr.exepid process 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
taskmgr.exepid process 316 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
taskmgr.exedescription pid process Token: SeDebugPrivilege 316 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
taskmgr.exepid process 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
taskmgr.exepid process 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe 316 taskmgr.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
Server.exedescription pid process target process PID 964 wrote to memory of 852 964 Server.exe Dllhost.exe PID 964 wrote to memory of 852 964 Server.exe Dllhost.exe PID 964 wrote to memory of 852 964 Server.exe Dllhost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Dllhost.exe"C:\Users\Admin\AppData\Roaming\Dllhost.exe"2⤵
- Executes dropped EXE
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Dllhost.exeFilesize
25KB
MD54a2e54e74503ddc6005c8f72e025943e
SHA1aaf965085024318dce3b9ffd6d96b3326d41b1e9
SHA25694fac7a812c6faf41727786c4e31c0375574fcaed192673cf058c5a7bf8194a0
SHA512cb4fd3640e2f61f963309b0c773264cb60cd880d4a5005820c6317cbcf1e5ac6a99fb5beb14558bba8c401d24666fe6c0a2ea6751a1c7726a4934bde42e31701
-
C:\Users\Admin\AppData\Roaming\Dllhost.exeFilesize
25KB
MD54a2e54e74503ddc6005c8f72e025943e
SHA1aaf965085024318dce3b9ffd6d96b3326d41b1e9
SHA25694fac7a812c6faf41727786c4e31c0375574fcaed192673cf058c5a7bf8194a0
SHA512cb4fd3640e2f61f963309b0c773264cb60cd880d4a5005820c6317cbcf1e5ac6a99fb5beb14558bba8c401d24666fe6c0a2ea6751a1c7726a4934bde42e31701
-
memory/316-62-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/316-63-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/852-57-0x0000000000000000-mapping.dmp
-
memory/852-60-0x0000000000290000-0x0000000000298000-memory.dmpFilesize
32KB
-
memory/964-54-0x0000000000FB0000-0x0000000000FB8000-memory.dmpFilesize
32KB
-
memory/964-55-0x00000000001C0000-0x00000000001D2000-memory.dmpFilesize
72KB
-
memory/964-56-0x000007FEFB6E1000-0x000007FEFB6E3000-memory.dmpFilesize
8KB