Analysis
max time kernel: 1802s
max time network: 1809s
platform: windows7_x64
resource: win7-20220414-en
submitted: 08-07-2022 11:07
General
Target: Server.exe
Size: 37KB
MD5: 61045a2a1b6d1f802ad27c756cb3948d
SHA1: 5d701b8124fe530f4e9e7dcc03df110b61be1754
SHA256: 02e08a42d8d05b95e82b8905ea78e24905b5f383e8085e73e5ec6bd6bbb5deb4
SHA512: 3e81d942cd968d8a32b989a953f82ee8653fffbe849535399f686dd32d646cb6e3a9186c52d960a29cbff03e1596ebcd7d38e5889c59c7fdfd74e8176158a509
Malware Config
Extracted
Family: njrat
Version: im523
Botnet: Лошок
C2: 194.71.126.120:17954
Mutex: 13d65a76848c880b980676c6c1cc6341
Attributes:
  reg_key: 13d65a76848c880b980676c6c1cc6341
  splitter: |'|'|
Signatures
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
-
Executes dropped EXE (1 IoC)
Processes: Dllhost.exe
  pid 800  Dllhost.exe
-
Modifies Windows Firewall (1 TTP, 1 IoC)
-
Drops startup file (2 IoCs)
Processes: Dllhost.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13d65a76848c880b980676c6c1cc6341.exe  (Dllhost.exe)
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13d65a76848c880b980676c6c1cc6341.exe  (Dllhost.exe)
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: Dllhost.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\13d65a76848c880b980676c6c1cc6341 = "\"C:\\Windows\\Dllhost.exe\" .."  (Dllhost.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\13d65a76848c880b980676c6c1cc6341 = "\"C:\\Windows\\Dllhost.exe\" .."  (Dllhost.exe)
-
Drops file in Windows directory (3 IoCs)
Processes: Server.exe, Dllhost.exe
  File created                  C:\Windows\Dllhost.exe  (Server.exe)
  File opened for modification  C:\Windows\Dllhost.exe  (Server.exe)
  File opened for modification  C:\Windows\Dllhost.exe  (Dllhost.exe)
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: Dllhost.exe
  pid 800  Dllhost.exe  (same entry repeated for all 64 IoCs)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: Dllhost.exe
  pid 800  Dllhost.exe
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: Dllhost.exe (all entries pid 800)
  Token: SeDebugPrivilege            800  Dllhost.exe  (first entry)
  Token: 33                          800  Dllhost.exe
  Token: SeIncBasePriorityPrivilege  800  Dllhost.exe
  (the last two entries alternate for the remaining 63 IoCs, ending on Token: 33)
-
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: Server.exe, Dllhost.exe
  description                        pid   process      target process
  PID 1084 wrote to memory of 800    1084  Server.exe   Dllhost.exe   (4 entries)
  PID 800 wrote to memory of 1360    800   Dllhost.exe  netsh.exe     (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Server.exe (depth 1, pid 1084)
  command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Dllhost.exe (depth 2, pid 800, child of Server.exe)
    command line: "C:\Windows\Dllhost.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (depth 3, pid 1360, child of Dllhost.exe)
      command line: netsh firewall add allowedprogram "C:\Windows\Dllhost.exe" "Dllhost.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\Windows\Dllhost.exe
Filesize: 37KB
MD5: 61045a2a1b6d1f802ad27c756cb3948d
SHA1: 5d701b8124fe530f4e9e7dcc03df110b61be1754
SHA256: 02e08a42d8d05b95e82b8905ea78e24905b5f383e8085e73e5ec6bd6bbb5deb4
SHA512: 3e81d942cd968d8a32b989a953f82ee8653fffbe849535399f686dd32d646cb6e3a9186c52d960a29cbff03e1596ebcd7d38e5889c59c7fdfd74e8176158a509
(size and all four hashes match the submitted Server.exe: the dropped file is a byte-identical copy)
-
memory/800-56-0x0000000000000000-mapping.dmp
-
memory/800-61-0x0000000074410000-0x00000000749BB000-memory.dmp
Filesize: 5.7MB
-
memory/800-62-0x0000000074410000-0x00000000749BB000-memory.dmp
Filesize: 5.7MB
-
memory/1084-54-0x0000000075CF1000-0x0000000075CF3000-memory.dmp
Filesize: 8KB
-
memory/1084-55-0x0000000074410000-0x00000000749BB000-memory.dmp
Filesize: 5.7MB
-
memory/1084-60-0x0000000074410000-0x00000000749BB000-memory.dmp
Filesize: 5.7MB
-
memory/1360-63-0x0000000000000000-mapping.dmp