Analysis
max time kernel: 151s
max time network: 153s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 31-08-2022 06:41
Static task: static1
Behavioral task: behavioral1 (Sample 66df4d837d9b6b60b845ef343b763bfb.exe, Resource win7-20220812-en)
Behavioral task: behavioral2 (Sample 66df4d837d9b6b60b845ef343b763bfb.exe, Resource win10v2004-20220812-en)
The results on this page are from behavioral1, the Windows 7 x64 run.
General
Target: 66df4d837d9b6b60b845ef343b763bfb.exe
Size: 25KB
MD5: 66df4d837d9b6b60b845ef343b763bfb
SHA1: f27a811445b649ff9a91da52152caf847ad38470
SHA256: ae1d5fd5d55bedc76554a13d0eee68ae8bb3e9af0cbf4fd3d1ae25e21bc1c1d3
SHA512: 1f3258e69151f5fb0680ee02cc554d179092f00278dd54ab0dd75a987494ba75652d3c7f95925e5b25b95f0b4392663046d203b7fc58a2e54871a56899f2ff84
SSDEEP: 768:svpUfE0bKP7eYkkrbiPs9Mvnv474hIScRj19dU2QW:QG9GP7eA2P5h0F19dU2QW
Malware Config
Extracted
family: njrat
version: Njrat 0.7 Golden By Hassan Amiri
botnet (campaign ID): HacKed
C2: 6.tcp.eu.ngrok.io:12072
Windows Update (unlabelled in the extract; the same string as reg_key)
reg_key: Windows Update
splitter: |Hassan|
The C2 is an ngrok TCP tunnel endpoint: 6.tcp.eu.ngrok.io resolves to ngrok's shared relay infrastructure and the port is assigned per tunnel, so the operator's real host is hidden and the resolved IP is not a durable indicator. The hostname:port pair, and more generally outbound connections to *.tcp.*.ngrok.io from hosts that have no business using ngrok, are the useful network IoCs. The splitter |Hassan| is the field delimiter njRAT uses inside every C2 message and is a reliable payload signature for this build.
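Added here as an illustration of what the splitter and C2 fields mean on the wire (this is not code from the sandbox report or from the malware author): a decoder for njRAT's C2 framing. Labelled assumptions: the length/NUL/body framing and the layout of the initial "ll" registration message follow the widely documented njRAT 0.7d client, and the "Golden" build in this report may insert or reorder fields, so the field positions should be checked against a real capture before being relied on. The splitter and C2 values come from the extracted config above; all sample traffic is constructed inline.

```python
"""njRAT C2 framing decoder, added here as an illustration; it is not code
from the sandbox report or from the malware author. Labelled assumptions:
the length/NUL/body framing and the layout of the 'll' registration message
follow the widely documented njRAT 0.7d client, and the 'Golden' build in
this report may insert or reorder fields. The splitter and C2 are taken from
the extracted config above; all sample traffic is constructed inline."""
import base64

SPLITTER = "|Hassan|"                            # extracted config: splitter
C2_HOST, C2_PORT = "6.tcp.eu.ngrok.io", 12072    # extracted config: C2

# Assumed 0.7d field order after the 'll' opcode (positions 1..10).
REGISTRATION_FIELDS = (
    "hwid_b64", "hostname", "username", "date", "unused",
    "os", "camera", "version", "dots", "active_window_b64",
)


def frame(body: bytes) -> bytes:
    """Encode one message: ASCII decimal length, a NUL byte, then the body."""
    return b"%d\x00%s" % (len(body), body)


def deframe(stream: bytes):
    """Split a TCP byte stream into complete message bodies.

    Returns (bodies, leftover). A truncated trailing message stays in
    leftover so the caller can append the next segment and call again.
    """
    bodies, pos = [], 0
    while True:
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break
        prefix = stream[pos:nul]
        if not prefix.isdigit():
            raise ValueError("length prefix is not decimal: %r" % prefix)
        start, end = nul + 1, nul + 1 + int(prefix)
        if end > len(stream):
            break                                # partial message, keep it
        bodies.append(stream[start:end])
        pos = end
    return bodies, stream[pos:]


def parse_registration(body: bytes) -> dict:
    """Decode the first message a bot sends after connecting ('ll')."""
    parts = body.decode("utf-8", errors="replace").split(SPLITTER)
    if parts[0] != "ll":
        raise ValueError("not a registration message: %r" % parts[0])
    info = dict(zip(REGISTRATION_FIELDS, parts[1:]))
    # In the 0.7d client the HWID is base64('<campaign>_<volume serial>'),
    # so the campaign ID (HacKed in this report) is recoverable from it.
    hwid = base64.b64decode(info["hwid_b64"]).decode("utf-8", "replace")
    info["campaign"], _, info["volume_serial"] = hwid.rpartition("_")
    info["active_window"] = base64.b64decode(
        info.get("active_window_b64", "")).decode("utf-8", "replace")
    return info


def looks_like_njrat(stream: bytes) -> bool:
    """Stream-level check usable from a proxy or IDS hook: a decimal-length
    frame whose body starts with the 'll' opcode and this config's splitter."""
    try:
        bodies, _ = deframe(stream)
    except ValueError:
        return False
    return any(b.startswith(b"ll" + SPLITTER.encode()) for b in bodies)


def build_sample_stream() -> bytes:
    """Constructed traffic (not a capture): one registration, one keepalive.
    Hostname and user match the sandbox run; the volume serial is made up."""
    hwid = base64.b64encode(b"HacKed_A1B2C3D4").decode()
    window = base64.b64encode(b"Program Manager").decode()
    fields = ["ll", hwid, "ORXGKKZC", "Admin", "22-08-31", "",
              "Win 7 Ultimate SP1 x64", "No", "0.7 Golden", "..", window]
    registration = SPLITTER.join(fields).encode()
    return frame(registration) + frame(b"P")     # 'P' is the keepalive ping


if __name__ == "__main__":
    for body in deframe(build_sample_stream())[0]:
        print(parse_registration(body) if body.startswith(b"ll") else body)
```

Because the length prefix is plain ASCII and the body is unencrypted, a single TCP segment is enough to confirm the family: the decimal-length/NUL frame followed by "ll" and the configured splitter does not occur in legitimate traffic, which makes it a better detection anchor than the ngrok hostname.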
Signatures

Executes dropped EXE (3 IoCs)
  pid   process
  1564  Dllhost.exe
  1736  Server.exe
  1524  Server.exe

Drops startup file (2 IoCs)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe (Dllhost.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe (Dllhost.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\Dllhost.exe\" .." (Dllhost.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\Dllhost.exe\" .." (Dllhost.exe)
  The value name is the reg_key from the extracted config, and the trailing " .." argument is characteristic of njRAT's Run entry. The HKLM entry requires administrative rights, so on a standard-user host only the HKCU entry would succeed.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this as likely ransomware behaviour; for njRAT, which carries a removable-drive spreading feature, enumerating drives is the expected behaviour and is not by itself evidence of file encryption.

Creates scheduled task(s) (1 TTP, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task is named Server, repeats every minute (/sc minute /mo 1) and runs C:\Users\Admin\AppData\Local\Temp/Server.exe, a copy of the sample in the user's Temp directory; the two Server.exe launches under taskeng.exe below are that task firing.

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   process
  1564  Dllhost.exe
  njRAT polls the foreground window title to report the victim's active window to the operator and to tag keylogger output, which is what this signature picks up.

Suspicious use of AdjustPrivilegeToken (17 IoCs)
  token                       count  pid   process
  SeDebugPrivilege            1      1564  Dllhost.exe
  33                          8      1564  Dllhost.exe
  SeIncBasePriorityPrivilege  8      1564  Dllhost.exe
  "33" is the sandbox's numeric rendering of privilege LUID 33 (SeIncreaseWorkingSetPrivilege); the report lists the 33 / SeIncBasePriorityPrivilege pair eight times in alternation.

Suspicious use of WriteProcessMemory (12 IoCs)
  source pid  source process                        target pid  target process  writes
  1452        66df4d837d9b6b60b845ef343b763bfb.exe  1564        Dllhost.exe     3
  1564        Dllhost.exe                           904         schtasks.exe    3
  408         taskeng.exe                           1736        Server.exe      3
  408         taskeng.exe                           1524        Server.exe      3
  Every write targets a child the source process has just created and there is no write into an unrelated process, so this reflects ordinary process creation rather than code injection.
Processes

C:\Users\Admin\AppData\Local\Temp\66df4d837d9b6b60b845ef343b763bfb.exe (pid 1452)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\66df4d837d9b6b60b845ef343b763bfb.exe"
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Dllhost.exe (pid 1564)
    cmdline: "C:\Users\Admin\AppData\Roaming\Dllhost.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\schtasks.exe (pid 904)
      cmdline: schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
      - Creates scheduled task(s)

C:\Windows\system32\taskeng.exe (pid 408)
  cmdline: taskeng.exe {C03637ED-DA6C-4597-B68F-8563A7AA4945} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Server.exe (pid 1736)
    cmdline: C:\Users\Admin\AppData\Local\Temp/Server.exe
    - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\Server.exe (pid 1524)
    cmdline: C:\Users\Admin\AppData\Local\Temp/Server.exe
    - Executes dropped EXE

The process IDs are taken from the WriteProcessMemory table above. Note the mixed path separators in the /tr argument (Temp/Server.exe): Windows accepts the forward slash, and the same string appears verbatim in the Server.exe command lines, so path-matching rules that expect backslashes only will miss it. Dllhost.exe is a system-binary name running from AppData\Roaming rather than System32, which is worth a detection rule on its own.
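Added here as an example of turning the Signatures and Processes sections into detection logic (this is not code from the sandbox or from this report): a small triage over sandbox-style events. SAMPLE_EVENTS is constructed from the IoCs on this page (the Run key, the Startup-folder drop, the schtasks command line, Dllhost.exe running from AppData) plus one benign control process; the event schema, rule names and thresholds are this example's own choices, and the technique IDs are current ATT&CK sub-technique IDs rather than the v6 IDs the report's matrix uses.

```python
"""Persistence triage over sandbox-style events, added here as an example;
it is not code from the sandbox or from this report. SAMPLE_EVENTS is
constructed from the IoCs in the Signatures and Processes sections (Run
key, Startup-folder drop, the schtasks command line, Dllhost.exe running
from AppData) plus one benign control process. Technique IDs are current
ATT&CK sub-technique IDs, not the v6 IDs the report's matrix uses."""
import re
from dataclasses import dataclass
from typing import List, Optional

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\",
                 "\\users\\public\\")
SYSTEM_LOOKALIKES = {"dllhost.exe", "svchost.exe", "csrss.exe", "lsass.exe"}
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run"
STARTUP_DIR = "\\start menu\\programs\\startup\\"


@dataclass
class Finding:
    pid: int
    technique: str
    rule: str
    evidence: str


def norm(path: str) -> str:
    """Lower-case and turn '/' into '\\': the sample's schtasks line mixes
    both (Temp/Server.exe), which Windows accepts and naive matching misses."""
    return path.replace("/", "\\").lower()


def in_user_writable(path: str) -> bool:
    return any(d in norm(path) for d in USER_WRITABLE)


def check_masquerade(ev: dict) -> Optional[Finding]:
    """A system-binary name running outside the system directories."""
    image = norm(ev["image"])
    name = image.rpartition("\\")[2]
    if name in SYSTEM_LOOKALIKES and not image.startswith(SYSTEM_DIRS):
        return Finding(ev["pid"], "T1036.005",
                       "system-name-outside-system32", image)
    return None


def check_schtasks(ev: dict) -> Optional[Finding]:
    """schtasks /create with a very short repeat or a user-writable target."""
    cl = ev["cmdline"]
    if (not norm(ev["image"]).endswith("\\schtasks.exe")
            or not re.search(r"/create\b", cl, re.I)):
        return None
    sc = re.search(r"/sc\s+(\S+)", cl, re.I)
    mo = re.search(r"/mo\s+(\d+)", cl, re.I)
    tr = re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', cl, re.I)
    target = (tr.group(1) or tr.group(2)) if tr else ""
    every_few_minutes = (bool(sc) and sc.group(1).lower() == "minute"
                         and (mo is None or int(mo.group(1)) <= 5))
    if every_few_minutes or in_user_writable(target):
        return Finding(ev["pid"], "T1053.005",
                       "schtasks-frequent-or-user-writable-target", cl)
    return None


def check_run_key(ev: dict) -> Optional[Finding]:
    """A Run value whose executable lives in a user-writable directory."""
    if RUN_KEY not in ev["key"].lower():
        return None
    m = re.search(r'([a-z]:\\[^"]+?\.exe)', norm(ev["data"]))
    if m and in_user_writable(m.group(1)):
        return Finding(ev["pid"], "T1547.001", "run-key-to-user-writable-path",
                       "%s = %s" % (ev["value"], m.group(1)))
    return None


def check_startup_file(ev: dict) -> Optional[Finding]:
    if STARTUP_DIR in norm(ev["path"]):
        return Finding(ev["pid"], "T1547.001", "startup-folder-drop", ev["path"])
    return None


CHECKS = {"process": (check_masquerade, check_schtasks),
          "reg_set": (check_run_key,),
          "file_create": (check_startup_file,)}


def triage(events: List[dict]) -> List[Finding]:
    findings = []
    for ev in events:
        for check in CHECKS.get(ev["type"], ()):
            f = check(ev)
            if f is not None:
                findings.append(f)
    return findings


RUN_DATA = r'"C:\Users\Admin\AppData\Roaming\Dllhost.exe" ..'
SAMPLE_EVENTS = [  # constructed from the report's IoCs; pids as in the report
    {"type": "process", "pid": 1564, "image": r"C:\Users\Admin\AppData\Roaming\Dllhost.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\Dllhost.exe"'},
    {"type": "file_create", "pid": 1564,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe"},
    {"type": "reg_set", "pid": 1564, "value": "Windows Update", "data": RUN_DATA,
     "key": r"\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "reg_set", "pid": 1564, "value": "Windows Update", "data": RUN_DATA,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "process", "pid": 904, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r"schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe"},
    {"type": "process", "pid": 1736, "image": r"C:\Users\Admin\AppData\Local\Temp\Server.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp/Server.exe"},
    {"type": "process", "pid": 2000, "image": r"C:\Windows\System32\dllhost.exe",
     "cmdline": r"C:\Windows\System32\dllhost.exe"},       # benign control
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f.pid, f.technique, f.rule, f.evidence)
```

Run against the constructed events this yields five findings, all for the sample's processes and none for the real dllhost.exe in System32: the masquerading copy in AppData\Roaming, the Startup-folder drop, the two Run values, and the every-minute scheduled task. The schtasks rule fires on either of two properties, a sub-five-minute repeat or a target in a user-writable directory, so it would still catch a variant that used a longer interval.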
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

Every dropped file is a byte-identical copy of the submitted sample (njRAT installs itself by copying its own executable):
  Filesize: 25KB
  MD5: 66df4d837d9b6b60b845ef343b763bfb
  SHA1: f27a811445b649ff9a91da52152caf847ad38470
  SHA256: ae1d5fd5d55bedc76554a13d0eee68ae8bb3e9af0cbf4fd3d1ae25e21bc1c1d3
  SHA512: 1f3258e69151f5fb0680ee02cc554d179092f00278dd54ab0dd75a987494ba75652d3c7f95925e5b25b95f0b4392663046d203b7fc58a2e54871a56899f2ff84

  path                                          entries
  C:\Users\Admin\AppData\Local\Temp\Server.exe  3
  C:\Users\Admin\AppData\Roaming\Dllhost.exe    2
Memory dumps

  pid   dump                                                                 size
  1452  memory/1452-54-0x0000000000C10000-0x0000000000C18000-memory.dmp      32KB
  1452  memory/1452-55-0x0000000000160000-0x0000000000172000-memory.dmp      72KB
  1452  memory/1452-56-0x000007FEFBC61000-0x000007FEFBC63000-memory.dmp      8KB
  1564  memory/1564-57-0x0000000000000000-mapping.dmp
  1564  memory/1564-60-0x0000000001340000-0x0000000001348000-memory.dmp      32KB
  904   memory/904-61-0x0000000000000000-mapping.dmp
  1736  memory/1736-62-0x0000000000000000-mapping.dmp
  1736  memory/1736-65-0x0000000000AE0000-0x0000000000AE8000-memory.dmp      32KB
  1524  memory/1524-66-0x0000000000000000-mapping.dmp
  1524  memory/1524-68-0x00000000002C0000-0x00000000002C8000-memory.dmp      32KB