Analysis
- max time kernel: 1800s
- max time network: 1624s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 11-07-2022 14:04
General
- Target: Avatar 2 (2022).exe
- Size: 37KB
- MD5: 4291ac32cc90795fee4a449b4ce933de
- SHA1: a598f8f511977041fb7d0454495100bd122a1d80
- SHA256: 9262834e981a283001ee85c5d4c638bdefccb48650cc73e6cdb42dcd7d03debf
- SHA512: bc6fabebf55b25d0a0857752586c3cb573ee6ac91773759613c3e6174f3439f25be462604b6c8adc7bfc72a40d85659843ce87b5ef55f05b60222ee2bada0eb4
Malware Config
Extracted: njrat
- im523
- Лошок
- C2: 194.71.126.120:17954
- 13d65a76848c880b980676c6c1cc6341
- reg_key: 13d65a76848c880b980676c6c1cc6341
- splitter: |'|'|
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)
- Executes dropped EXE (1 IoCs)
  Processes: pid 1268 Dllhost.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Drops startup file (2 IoCs)
  Processes (Dllhost.exe):
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13d65a76848c880b980676c6c1cc6341.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13d65a76848c880b980676c6c1cc6341.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (Dllhost.exe):
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\13d65a76848c880b980676c6c1cc6341 = "\"C:\\Windows\\Dllhost.exe\" .."
  Set value (str): \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\13d65a76848c880b980676c6c1cc6341 = "\"C:\\Windows\\Dllhost.exe\" .."
- Drops file in Windows directory (3 IoCs)
  Processes:
  File created: C:\Windows\Dllhost.exe (by Avatar 2 (2022).exe)
  File opened for modification: C:\Windows\Dllhost.exe (by Avatar 2 (2022).exe)
  File opened for modification: C:\Windows\Dllhost.exe (by Dllhost.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: pid 1268 Dllhost.exe (64 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: pid 1268 Dllhost.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (all pid 1268 Dllhost.exe): Token: SeDebugPrivilege once, then alternating entries of Token: 33 and Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  PID 1836 Avatar 2 (2022).exe wrote to memory of PID 1268 Dllhost.exe (4 entries)
  PID 1268 Dllhost.exe wrote to memory of PID 2040 netsh.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Avatar 2 (2022).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Avatar 2 (2022).exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Dllhost.exe (child of Avatar 2 (2022).exe)
    Command line: "C:\Windows\Dllhost.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (child of Dllhost.exe)
      Command line: netsh firewall add allowedprogram "C:\Windows\Dllhost.exe" "Dllhost.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\Dllhost.exe
  Filesize: 37KB
  MD5: 4291ac32cc90795fee4a449b4ce933de
  SHA1: a598f8f511977041fb7d0454495100bd122a1d80
  SHA256: 9262834e981a283001ee85c5d4c638bdefccb48650cc73e6cdb42dcd7d03debf
  SHA512: bc6fabebf55b25d0a0857752586c3cb573ee6ac91773759613c3e6174f3439f25be462604b6c8adc7bfc72a40d85659843ce87b5ef55f05b60222ee2bada0eb4
- memory/1268-56-0x0000000000000000-mapping.dmp
- memory/1268-61-0x00000000742E0000-0x000000007488B000-memory.dmp
  Filesize: 5.7MB
- memory/1268-64-0x00000000742E0000-0x000000007488B000-memory.dmp
  Filesize: 5.7MB
- memory/1836-54-0x0000000075501000-0x0000000075503000-memory.dmp
  Filesize: 8KB
- memory/1836-55-0x00000000742E0000-0x000000007488B000-memory.dmp
  Filesize: 5.7MB
- memory/1836-60-0x00000000742E0000-0x000000007488B000-memory.dmp
  Filesize: 5.7MB
- memory/2040-62-0x0000000000000000-mapping.dmp