Analysis
- max time kernel: 157s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-08-2022 00:37
Behavioral task behavioral1
- Sample: 829e460d99233ba1d31aaa499dba243e.exe
- Resource: win7-20220812-en
Behavioral task behavioral2
- Sample: 829e460d99233ba1d31aaa499dba243e.exe
- Resource: win10v2004-20220812-en
General
- Target: 829e460d99233ba1d31aaa499dba243e.exe
- Size: 43KB
- MD5: 829e460d99233ba1d31aaa499dba243e
- SHA1: 21b122e0f2646f5f10acef7e46690cb2c180206e
- SHA256: 0b0bb67a8a1784accf4b11b979b8e3f7738b9c13977042f5901f741ea0dd2b33
- SHA512: f7a6e068bd5e0c41b6238572b08ffdf951ab573f7e7f182fa9c04e3c08915f43faaa0ffca6b6f4daae8b2cb0033cd2aaf8ec864ec96a0d8b13726d47047d7ced
- SSDEEP: 384:kZyTFv1mmkuHQUyz7LFFhSiSEM1XdP9fQzAIij+ZsNO3PlpJKkkjh/TzF7pWnJ/B:SgvkgwhzvDhVa1B9muXQ/oI3+L
Malware Config
Extracted
- Family: njrat
- Version: Njrat 0.7 Golden By Hassan Amiri
- Botnet: HacKed
- C2: 0.tcp.ngrok.io:17590
- Mutex: Windows Update
- reg_key: Windows Update
- splitter: |Hassan|
Signatures
- Executes dropped EXE (1 IoC)
  Process: pid 560 Dllhost.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation (process: 829e460d99233ba1d31aaa499dba243e.exe)
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe (process: Dllhost.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe (process: Dllhost.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\ProgramData\\Dllhost.exe\" .." (process: Dllhost.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\ProgramData\\Dllhost.exe\" .." (process: Dllhost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes: pid 396 829e460d99233ba1d31aaa499dba243e.exe; pid 560 Dllhost.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Process: pid 560 Dllhost.exe
  Token: SeDebugPrivilege (1 occurrence)
  Token: 33 and Token: SeIncBasePriorityPrivilege, alternating (17 occurrences each)
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 396 (829e460d99233ba1d31aaa499dba243e.exe) wrote to memory of PID 560 (Dllhost.exe), recorded 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\829e460d99233ba1d31aaa499dba243e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\829e460d99233ba1d31aaa499dba243e.exe"
  - Checks computer location settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - Child process: C:\ProgramData\Dllhost.exe
    Command line: "C:\ProgramData\Dllhost.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Dllhost.exe
  Filesize: 43KB
  MD5: 829e460d99233ba1d31aaa499dba243e
  SHA1: 21b122e0f2646f5f10acef7e46690cb2c180206e
  SHA256: 0b0bb67a8a1784accf4b11b979b8e3f7738b9c13977042f5901f741ea0dd2b33
  SHA512: f7a6e068bd5e0c41b6238572b08ffdf951ab573f7e7f182fa9c04e3c08915f43faaa0ffca6b6f4daae8b2cb0033cd2aaf8ec864ec96a0d8b13726d47047d7ced
- memory/396-135-0x0000000000B20000-0x0000000000B32000-memory.dmp
  Filesize: 72KB
- memory/396-136-0x0000000005480000-0x000000000551C000-memory.dmp
  Filesize: 624KB
- memory/396-137-0x0000000005D00000-0x00000000062A4000-memory.dmp
  Filesize: 5.6MB
- memory/396-138-0x00000000058C0000-0x0000000005952000-memory.dmp
  Filesize: 584KB
- memory/560-139-0x0000000000000000-mapping.dmp
- memory/560-142-0x0000000005180000-0x000000000518A000-memory.dmp
  Filesize: 40KB