Analysis
max time kernel: 149s
max time network: 89s
platform: windows7_x64
resource: win7-20220414-en
submitted: 30-06-2022 19:03
Static task: static1
Behavioral task: behavioral1
  Sample: c4f47067013e3c7ac4fb0ce8457b69a71b073d8f10155e39aaea0c5e5eb7000d.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: c4f47067013e3c7ac4fb0ce8457b69a71b073d8f10155e39aaea0c5e5eb7000d.exe
  Resource: win10v2004-20220414-en
General
Target: c4f47067013e3c7ac4fb0ce8457b69a71b073d8f10155e39aaea0c5e5eb7000d.exe
Size: 534KB
MD5: d40ac2e569fa68fa0bb8a4174cade913
SHA1: c5671c34df1366dede12175e1f4764810a50f78f
SHA256: c4f47067013e3c7ac4fb0ce8457b69a71b073d8f10155e39aaea0c5e5eb7000d
SHA512: 45ad244f2bf1765d53f96d53f31129b26311f848688232822791032c49825c488835f2e1fbd8d87377758f20d81081c70e3d32a088cd0e0ae476109d1200855a
Malware Config
Extracted
Family: njrat
Version: 0.6.4
Botnet: Zumbiee
C2: Contahacker.ddns.net:1177
Mutex: c2372ce2aec065ce2621c091aa8fb2a0
reg_key: c2372ce2aec065ce2621c091aa8fb2a0
splitter: |'|'|
Signatures

Executes dropped EXE (1 IoCs)
Processes:
  pid 952  dllhost.exe

Modifies Windows Firewall (1 TTPs, 1 IoCs)

Drops startup file (2 IoCs)
Processes:
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c2372ce2aec065ce2621c091aa8fb2a0.exe  (dllhost.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c2372ce2aec065ce2621c091aa8fb2a0.exe  (dllhost.exe)

Loads dropped DLL (1 IoCs)
Processes:
  pid 1884  c4f47067013e3c7ac4fb0ce8457b69a71b073d8f10155e39aaea0c5e5eb7000d.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Set value (str): \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\c2372ce2aec065ce2621c091aa8fb2a0 = "\"C:\\Users\\Admin\\dllhost.exe\" .."  (dllhost.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\c2372ce2aec065ce2621c091aa8fb2a0 = "\"C:\\Users\\Admin\\dllhost.exe\" .."  (dllhost.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
  pid 952  dllhost.exe  (8 occurrences)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  Token: SeDebugPrivilege  pid 952  dllhost.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  PID 1884 wrote to memory of 952: c4f47067013e3c7ac4fb0ce8457b69a71b073d8f10155e39aaea0c5e5eb7000d.exe -> dllhost.exe  (4 occurrences)
  PID 952 wrote to memory of 1240: dllhost.exe -> netsh.exe  (4 occurrences)
Processes

1. C:\Users\Admin\AppData\Local\Temp\c4f47067013e3c7ac4fb0ce8457b69a71b073d8f10155e39aaea0c5e5eb7000d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c4f47067013e3c7ac4fb0ce8457b69a71b073d8f10155e39aaea0c5e5eb7000d.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\dllhost.exe
      Command line: "C:\Users\Admin\dllhost.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\dllhost.exe" "dllhost.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\dllhost.exe
  Filesize: 534KB
  MD5: d40ac2e569fa68fa0bb8a4174cade913
  SHA1: c5671c34df1366dede12175e1f4764810a50f78f
  SHA256: c4f47067013e3c7ac4fb0ce8457b69a71b073d8f10155e39aaea0c5e5eb7000d
  SHA512: 45ad244f2bf1765d53f96d53f31129b26311f848688232822791032c49825c488835f2e1fbd8d87377758f20d81081c70e3d32a088cd0e0ae476109d1200855a

\Users\Admin\dllhost.exe
  Filesize: 534KB
  MD5: d40ac2e569fa68fa0bb8a4174cade913
  SHA1: c5671c34df1366dede12175e1f4764810a50f78f
  SHA256: c4f47067013e3c7ac4fb0ce8457b69a71b073d8f10155e39aaea0c5e5eb7000d
  SHA512: 45ad244f2bf1765d53f96d53f31129b26311f848688232822791032c49825c488835f2e1fbd8d87377758f20d81081c70e3d32a088cd0e0ae476109d1200855a

memory/952-57-0x0000000000000000-mapping.dmp
memory/952-60-0x00000000002D0000-0x000000000035C000-memory.dmp  Filesize: 560KB
memory/1240-61-0x0000000000000000-mapping.dmp
memory/1240-62-0x00000000759E1000-0x00000000759E3000-memory.dmp  Filesize: 8KB
memory/1884-54-0x0000000000110000-0x000000000019C000-memory.dmp  Filesize: 560KB
memory/1884-55-0x0000000000320000-0x000000000032E000-memory.dmp  Filesize: 56KB