Analysis
- max time kernel: 150s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 10-09-2022 01:40
Behavioral task: behavioral1
- Sample: 1836-55-0x00000000003C0000-0x00000000003D2000-memory.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 1836-55-0x00000000003C0000-0x00000000003D2000-memory.exe
- Resource: win10v2004-20220812-en
General
- Target: 1836-55-0x00000000003C0000-0x00000000003D2000-memory.exe
- Size: 72KB
- MD5: 34c8585f3489be745e509e06b311c855
- SHA1: abc0dad9b4265c09a879b8770a380c075d69931d
- SHA256: 8e4232565602a9a9e2c339a289508dfc54acab3b87ef736a54d0b5f4611bac4e
- SHA512: 479be6c055b1b00b4b4d7a4e3bcdf988b0f1816241fa2486cddc2a1c03a644c478b517a5f5c0d5bfba777cb1a86231a324fe742abe2a2a7a25c9581ce442b967
- SSDEEP: 384:TZyYL2adsbhKIyK55JoWgEmbr2z8Iij+ZsNO3PlpJKkkjh/TzF7pWnv1greT0pqH:dxNiwFKTJH2UuXQ/o61+L
Malware Config
Extracted: njrat
- Njrat 0.7 Golden By Hassan Amiri
- HacKed
- 7.tcp.eu.ngrok.io:13225
- WindowsEnginee
- reg_key: WindowsEnginee
- splitter: |Hassan|
Signatures
- Executes dropped EXE (3 IoCs)
  Processes:
  | PID  | Process     |
  |------|-------------|
  | 1616 | dllhost.exe |
  | 1328 | Server.exe  |
  | 1476 | Server.exe  |
- Drops startup file (2 IoCs)
  Processes:
  | Description                  | IoC                                                                                               | Process     |
  |------------------------------|---------------------------------------------------------------------------------------------------|-------------|
  | File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftEnginee.exe | dllhost.exe |
  | File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftEnginee.exe | dllhost.exe |
- Loads dropped DLL (2 IoCs)
  Processes:
  | PID  | Process                                                     |
  |------|-------------------------------------------------------------|
  | 2000 | 1836-55-0x00000000003C0000-0x00000000003D2000-memory.exe |
  | 2000 | 1836-55-0x00000000003C0000-0x00000000003D2000-memory.exe |
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  | Description     | IoC                                                                                                                                                                                          | Process     |
  |-----------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
  | Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsEnginee = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\" .." | dllhost.exe |
  | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsEnginee = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\" .."                                 | dllhost.exe |
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
  | PID  | Process     |
  |------|-------------|
  | 1616 | dllhost.exe |
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Processes:
  | Description                       | PID  | Process     |
  |-----------------------------------|------|-------------|
  | Token: SeDebugPrivilege           | 1616 | dllhost.exe |
  | Token: 33                         | 1616 | dllhost.exe |
  | Token: SeIncBasePriorityPrivilege | 1616 | dllhost.exe |
  | Token: 33                         | 1616 | dllhost.exe |
  | Token: SeIncBasePriorityPrivilege | 1616 | dllhost.exe |
  | Token: 33                         | 1616 | dllhost.exe |
  | Token: SeIncBasePriorityPrivilege | 1616 | dllhost.exe |
  | Token: 33                         | 1616 | dllhost.exe |
  | Token: SeIncBasePriorityPrivilege | 1616 | dllhost.exe |
  | Token: 33                         | 1616 | dllhost.exe |
  | Token: SeIncBasePriorityPrivilege | 1616 | dllhost.exe |
  | Token: 33                         | 1616 | dllhost.exe |
  | Token: SeIncBasePriorityPrivilege | 1616 | dllhost.exe |
  | Token: 33                         | 1616 | dllhost.exe |
  | Token: SeIncBasePriorityPrivilege | 1616 | dllhost.exe |
  | Token: 33                         | 1616 | dllhost.exe |
  | Token: SeIncBasePriorityPrivilege | 1616 | dllhost.exe |
  | Token: 33                         | 1616 | dllhost.exe |
  | Token: SeIncBasePriorityPrivilege | 1616 | dllhost.exe |
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes:
  | Description                    | PID  | Process                                                     | Target process |
  |--------------------------------|------|-------------------------------------------------------------|----------------|
  | PID 2000 wrote to memory of 1616 | 2000 | 1836-55-0x00000000003C0000-0x00000000003D2000-memory.exe | dllhost.exe    |
  | PID 2000 wrote to memory of 1616 | 2000 | 1836-55-0x00000000003C0000-0x00000000003D2000-memory.exe | dllhost.exe    |
  | PID 2000 wrote to memory of 1616 | 2000 | 1836-55-0x00000000003C0000-0x00000000003D2000-memory.exe | dllhost.exe    |
  | PID 2000 wrote to memory of 1616 | 2000 | 1836-55-0x00000000003C0000-0x00000000003D2000-memory.exe | dllhost.exe    |
  | PID 1616 wrote to memory of 948  | 1616 | dllhost.exe                                                 | schtasks.exe   |
  | PID 1616 wrote to memory of 948  | 1616 | dllhost.exe                                                 | schtasks.exe   |
  | PID 1616 wrote to memory of 948  | 1616 | dllhost.exe                                                 | schtasks.exe   |
  | PID 1616 wrote to memory of 948  | 1616 | dllhost.exe                                                 | schtasks.exe   |
  | PID 1100 wrote to memory of 1328 | 1100 | taskeng.exe                                                 | Server.exe     |
  | PID 1100 wrote to memory of 1328 | 1100 | taskeng.exe                                                 | Server.exe     |
  | PID 1100 wrote to memory of 1328 | 1100 | taskeng.exe                                                 | Server.exe     |
  | PID 1100 wrote to memory of 1328 | 1100 | taskeng.exe                                                 | Server.exe     |
  | PID 1100 wrote to memory of 1476 | 1100 | taskeng.exe                                                 | Server.exe     |
  | PID 1100 wrote to memory of 1476 | 1100 | taskeng.exe                                                 | Server.exe     |
  | PID 1100 wrote to memory of 1476 | 1100 | taskeng.exe                                                 | Server.exe     |
  | PID 1100 wrote to memory of 1476 | 1100 | taskeng.exe                                                 | Server.exe     |
Processes
- C:\Users\Admin\AppData\Local\Temp\1836-55-0x00000000003C0000-0x00000000003D2000-memory.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1836-55-0x00000000003C0000-0x00000000003D2000-memory.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\dllhost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\dllhost.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
      - Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {9E87B44C-0ABA-467D-83A4-AE3A6F51664B} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Server.exe
    Command line: C:\Users\Admin\AppData\Local\Temp/Server.exe
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\Server.exe
    Command line: C:\Users\Admin\AppData\Local\Temp/Server.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  Filesize: 72KB
  MD5: 34c8585f3489be745e509e06b311c855
  SHA1: abc0dad9b4265c09a879b8770a380c075d69931d
  SHA256: 8e4232565602a9a9e2c339a289508dfc54acab3b87ef736a54d0b5f4611bac4e
  SHA512: 479be6c055b1b00b4b4d7a4e3bcdf988b0f1816241fa2486cddc2a1c03a644c478b517a5f5c0d5bfba777cb1a86231a324fe742abe2a2a7a25c9581ce442b967
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  Filesize: 72KB
  MD5: 34c8585f3489be745e509e06b311c855
  SHA1: abc0dad9b4265c09a879b8770a380c075d69931d
  SHA256: 8e4232565602a9a9e2c339a289508dfc54acab3b87ef736a54d0b5f4611bac4e
  SHA512: 479be6c055b1b00b4b4d7a4e3bcdf988b0f1816241fa2486cddc2a1c03a644c478b517a5f5c0d5bfba777cb1a86231a324fe742abe2a2a7a25c9581ce442b967
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  Filesize: 72KB
  MD5: 34c8585f3489be745e509e06b311c855
  SHA1: abc0dad9b4265c09a879b8770a380c075d69931d
  SHA256: 8e4232565602a9a9e2c339a289508dfc54acab3b87ef736a54d0b5f4611bac4e
  SHA512: 479be6c055b1b00b4b4d7a4e3bcdf988b0f1816241fa2486cddc2a1c03a644c478b517a5f5c0d5bfba777cb1a86231a324fe742abe2a2a7a25c9581ce442b967
- C:\Users\Admin\AppData\Roaming\dllhost.exe
  Filesize: 72KB
  MD5: 34c8585f3489be745e509e06b311c855
  SHA1: abc0dad9b4265c09a879b8770a380c075d69931d
  SHA256: 8e4232565602a9a9e2c339a289508dfc54acab3b87ef736a54d0b5f4611bac4e
  SHA512: 479be6c055b1b00b4b4d7a4e3bcdf988b0f1816241fa2486cddc2a1c03a644c478b517a5f5c0d5bfba777cb1a86231a324fe742abe2a2a7a25c9581ce442b967
- C:\Users\Admin\AppData\Roaming\dllhost.exe
  Filesize: 72KB
  MD5: 34c8585f3489be745e509e06b311c855
  SHA1: abc0dad9b4265c09a879b8770a380c075d69931d
  SHA256: 8e4232565602a9a9e2c339a289508dfc54acab3b87ef736a54d0b5f4611bac4e
  SHA512: 479be6c055b1b00b4b4d7a4e3bcdf988b0f1816241fa2486cddc2a1c03a644c478b517a5f5c0d5bfba777cb1a86231a324fe742abe2a2a7a25c9581ce442b967
- \Users\Admin\AppData\Roaming\dllhost.exe
  Filesize: 72KB
  MD5: 34c8585f3489be745e509e06b311c855
  SHA1: abc0dad9b4265c09a879b8770a380c075d69931d
  SHA256: 8e4232565602a9a9e2c339a289508dfc54acab3b87ef736a54d0b5f4611bac4e
  SHA512: 479be6c055b1b00b4b4d7a4e3bcdf988b0f1816241fa2486cddc2a1c03a644c478b517a5f5c0d5bfba777cb1a86231a324fe742abe2a2a7a25c9581ce442b967
- \Users\Admin\AppData\Roaming\dllhost.exe
  Filesize: 72KB
  MD5: 34c8585f3489be745e509e06b311c855
  SHA1: abc0dad9b4265c09a879b8770a380c075d69931d
  SHA256: 8e4232565602a9a9e2c339a289508dfc54acab3b87ef736a54d0b5f4611bac4e
  SHA512: 479be6c055b1b00b4b4d7a4e3bcdf988b0f1816241fa2486cddc2a1c03a644c478b517a5f5c0d5bfba777cb1a86231a324fe742abe2a2a7a25c9581ce442b967
- memory/948-63-0x0000000000000000-mapping.dmp
- memory/1328-65-0x0000000000000000-mapping.dmp
- memory/1328-67-0x0000000001050000-0x0000000001062000-memory.dmp
  Filesize: 72KB
- memory/1476-68-0x0000000000000000-mapping.dmp
- memory/1616-58-0x0000000000000000-mapping.dmp
- memory/1616-61-0x0000000000D90000-0x0000000000DA2000-memory.dmp
  Filesize: 72KB
- memory/2000-54-0x0000000000920000-0x0000000000932000-memory.dmp
  Filesize: 72KB
- memory/2000-55-0x0000000075501000-0x0000000075503000-memory.dmp
  Filesize: 8KB