Analysis
- max time kernel: 152s
- max time network: 206s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 27-08-2022 00:37
Behavioral task behavioral1
- Sample: 829e460d99233ba1d31aaa499dba243e.exe
- Resource: win7-20220812-en
Behavioral task behavioral2
- Sample: 829e460d99233ba1d31aaa499dba243e.exe
- Resource: win10v2004-20220812-en
The Analysis, Signatures, Processes and Downloads sections on this page are from the win7-20220812-en run (behavioral1).
General
- Target: 829e460d99233ba1d31aaa499dba243e.exe
- Size: 43KB
- MD5: 829e460d99233ba1d31aaa499dba243e
- SHA1: 21b122e0f2646f5f10acef7e46690cb2c180206e
- SHA256: 0b0bb67a8a1784accf4b11b979b8e3f7738b9c13977042f5901f741ea0dd2b33
- SHA512: f7a6e068bd5e0c41b6238572b08ffdf951ab573f7e7f182fa9c04e3c08915f43faaa0ffca6b6f4daae8b2cb0033cd2aaf8ec864ec96a0d8b13726d47047d7ced
- SSDEEP: 384:kZyTFv1mmkuHQUyz7LFFhSiSEM1XdP9fQzAIij+ZsNO3PlpJKkkjh/TzF7pWnJ/B:SgvkgwhzvDhVa1B9muXQ/oI3+L
Malware Config
Extracted
- Family: njrat
- Version: Njrat 0.7 Golden By Hassan Amiri
- Botnet (campaign ID): HacKed
- C2: 0.tcp.ngrok.io:17590
- Mutex: Windows Update
- reg_key: Windows Update
- splitter: |Hassan|
Notes on the config: "HacKed" is njRAT's default campaign identifier, so it says nothing about the operator. The C2 is a free ngrok TCP tunnel; 0.tcp.ngrok.io is shared infrastructure and only the port (17590) is specific to this operator, and it changes whenever the tunnel is restarted, so block or hunt on the ngrok domain rather than on the host:port pair alone. The reg_key value is the name of the Run value written in the Signatures section below. The splitter is the field delimiter this build uses in its C2 messages, in place of the default njRAT delimiter.
Signatures
- Executes dropped EXE (1 IoC)
  Process: Dllhost.exe (PID 1692)
- Drops startup file (2 IoCs)
  Process: Dllhost.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe
- Loads dropped DLL (1 IoC)
  Process: 829e460d99233ba1d31aaa499dba243e.exe (PID 1980)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: Dllhost.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\ProgramData\\Dllhost.exe\" .."
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\ProgramData\\Dllhost.exe\" .."
  The value name is the reg_key from the extracted config. The same entry is written under both the user's HKCU Run key and the 32-bit (Wow6432Node) view of the HKLM Run key, so a hunt should normalise the hive and the Wow6432Node redirection rather than match the NT path verbatim. Together with the Startup-folder file above this is Registry Run Keys / Startup Folder persistence (ATT&CK v6 T1060).
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is "likely ransomware behaviour"; for an njRAT sample, drive enumeration is more consistent with the family's removable-drive spreading option than with encryption (ATT&CK v6 T1120, Peripheral Device Discovery).
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: Dllhost.exe (PID 1692). Repeated GetForegroundWindow calls are consistent with a keylogger polling the active window title.
- Suspicious use of AdjustPrivilegeToken (17 IoCs)
  Process: Dllhost.exe (PID 1692). Token: SeDebugPrivilege once, then Token: 33 and Token: SeIncBasePriorityPrivilege alternating, eight times each.
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1980 (829e460d99233ba1d31aaa499dba243e.exe) wrote to the memory of PID 1692 (Dllhost.exe) four times.
  Caveat: a parent writing a few times into a child it has just created is also produced by ordinary process creation (the parent writes the child's process parameters), so these four writes on their own do not demonstrate code injection; the child here is a self-copy launched from C:\ProgramData.
Processes
- C:\Users\Admin\AppData\Local\Temp\829e460d99233ba1d31aaa499dba243e.exe (PID 1980)
  Command line: "C:\Users\Admin\AppData\Local\Temp\829e460d99233ba1d31aaa499dba243e.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\Dllhost.exe (PID 1692, child of PID 1980)
    Command line: "C:\ProgramData\Dllhost.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
The child is a copy of the submitted sample written to C:\ProgramData (identical hashes under Downloads), named to look like the Windows COM surrogate; the genuine dllhost.exe lives in C:\Windows\System32 (and SysWOW64 on x64), never in ProgramData.
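Added example, not part of the sandbox report or of the sample: a Python check that applies the IoCs from the Signatures and Processes sections (Run value name, C:\ProgramData\Dllhost.exe, the Startup-folder drop, the ngrok C2) to a list of endpoint events. The event records are constructed here from the report; the benign events, the DNS and connect events (the page shows no network data) and the rule that the genuine dllhost.exe only lives under C:\Windows\System32 or SysWOW64 are this example's assumptions. The hive normalisation is what lets both of the report's Run-key writes match one logical rule.

```python
import re

# IoCs copied from the report above.
DROPPED_PATH = r"C:\ProgramData\Dllhost.exe"
RUN_VALUE_NAME = "Windows Update"
STARTUP_DROP = "Java update.exe"
C2_HOST, C2_PORT = "0.tcp.ngrok.io", 17590

RUN_KEYS = (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run")
# Assumption: the genuine COM surrogate only ever lives in these two directories.
LEGIT_DLLHOST_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def normalize_reg_path(path):
    r"""Map an NT registry path, as the sandbox logs it, to hive-relative form:
    \REGISTRY\USER\<SID>\... -> HKCU\..., \REGISTRY\MACHINE\... -> HKLM\...,
    with the Wow6432Node redirection removed so both Run keys in the report
    compare equal to one logical key."""
    p = re.sub(r"^\\REGISTRY\\USER\\S-1-5-[\d-]+\\", r"HKCU\\", path, flags=re.I)
    p = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", p, flags=re.I)
    p = re.sub(r"\\Wow6432Node\\", r"\\", p, flags=re.I)
    return p


def split_run_value(key_path):
    """Return (run_key, value_name) when key_path names a value under a Run key, else None."""
    norm = normalize_reg_path(key_path)
    for run_key in RUN_KEYS:
        prefix = run_key.lower() + "\\"
        if norm.lower().startswith(prefix):
            return run_key, norm[len(prefix):]
    return None


def image_from_command(data):
    r"""Pull the executable path out of Run-value data such as '"C:\x\y.exe" ..'."""
    m = re.match(r'\s*"?([A-Za-z]:\\[^"]+?\.exe)"?', data, flags=re.I)
    return m.group(1) if m else None


def scan(events):
    """Apply the IoCs to event dicts; return a list of (rule, detail) hits."""
    hits = []
    for e in events:
        kind = e["type"]
        if kind == "registry_set":
            parsed = split_run_value(e["key"])
            if parsed:
                run_key, name = parsed
                image = image_from_command(e["data"]) or ""
                if name.lower() == RUN_VALUE_NAME.lower() or image.lower() == DROPPED_PATH.lower():
                    hits.append(("njrat_run_key", f"{run_key}\\{name} -> {image}"))
        elif kind == "file_create":
            path = e["path"]
            # Any .exe landing in a Startup folder is worth a look; the report's name is a stronger match.
            if re.search(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", path, flags=re.I):
                tag = "known_name" if path.lower().endswith("\\" + STARTUP_DROP.lower()) else "generic"
                hits.append(("startup_folder_exe", f"{tag}: {path}"))
        elif kind == "process_create":
            image = e["image"]
            low = image.lower()
            if low == DROPPED_PATH.lower():
                hits.append(("dropped_exe_executed", image))
            # dllhost.exe outside System32/SysWOW64 is masquerading regardless of the exact path.
            if low.endswith("\\dllhost.exe") and not low.startswith(LEGIT_DLLHOST_DIRS):
                hits.append(("dllhost_masquerade", image))
        elif kind == "dns":
            if e["query"].lower().endswith(".ngrok.io"):
                hits.append(("ngrok_tunnel_dns", e["query"]))
        elif kind == "connect":
            if (e["host"].lower(), e["port"]) == (C2_HOST, C2_PORT):
                hits.append(("njrat_c2", f"{e['host']}:{e['port']}"))
    return hits


# Constructed events: the report's registry, file and process IoCs, two benign
# entries that must not fire, and assumed DNS/connect events built from the C2 in the config.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1692, "image": r"C:\ProgramData\Dllhost.exe"},
    {"type": "process_create", "pid": 2040, "image": r"C:\Windows\System32\dllhost.exe"},  # benign
    {"type": "file_create", "pid": 1692,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe"},
    {"type": "registry_set", "pid": 1692,
     "key": r"\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update",
     "data": r'"C:\ProgramData\Dllhost.exe" ..'},
    {"type": "registry_set", "pid": 1692,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update",
     "data": r'"C:\ProgramData\Dllhost.exe" ..'},
    {"type": "registry_set", "pid": 900,  # benign Run entry
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "data": r"C:\Windows\system32\SecurityHealthSystray.exe"},
    {"type": "dns", "pid": 1692, "query": "0.tcp.ngrok.io"},
    {"type": "connect", "pid": 1692, "host": "0.tcp.ngrok.io", "port": 17590},
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"{rule:22} {detail}")
```

The benign System32 dllhost.exe and the SecurityHealth Run entry produce no hits; the two Run-key writes collapse to the same logical key after normalisation, and the ProgramData copy fires both the exact-path rule and the generic masquerade rule.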
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\ProgramData\Dllhost.exe (listed three times on the page, twice as C:\ProgramData\Dllhost.exe and once as \ProgramData\Dllhost.exe, all with identical hashes)
  Filesize: 43KB
  MD5: 829e460d99233ba1d31aaa499dba243e
  SHA1: 21b122e0f2646f5f10acef7e46690cb2c180206e
  SHA256: 0b0bb67a8a1784accf4b11b979b8e3f7738b9c13977042f5901f741ea0dd2b33
  SHA512: f7a6e068bd5e0c41b6238572b08ffdf951ab573f7e7f182fa9c04e3c08915f43faaa0ffca6b6f4daae8b2cb0033cd2aaf8ec864ec96a0d8b13726d47047d7ced
  All four hashes match the submitted sample, so the dropped file is a byte-for-byte self-copy rather than a second-stage payload.
- memory/1692-57-0x0000000000000000-mapping.dmp
- memory/1692-60-0x0000000000F80000-0x0000000000F92000-memory.dmp (Filesize: 72KB)
- memory/1980-54-0x0000000001130000-0x0000000001142000-memory.dmp (Filesize: 72KB)
- memory/1980-55-0x00000000764D1000-0x00000000764D3000-memory.dmp (Filesize: 8KB)