Analysis
- max time kernel: 150s
- max time network: 137s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-09-2022 01:40
Behavioral task behavioral1
- Sample: 1836-55-0x00000000003C0000-0x00000000003D2000-memory.exe
- Resource: win7-20220812-en

Behavioral task behavioral2
- Sample: 1836-55-0x00000000003C0000-0x00000000003D2000-memory.exe
- Resource: win10v2004-20220812-en
General
- Target: 1836-55-0x00000000003C0000-0x00000000003D2000-memory.exe
- Size: 72KB
- MD5: 34c8585f3489be745e509e06b311c855
- SHA1: abc0dad9b4265c09a879b8770a380c075d69931d
- SHA256: 8e4232565602a9a9e2c339a289508dfc54acab3b87ef736a54d0b5f4611bac4e
- SHA512: 479be6c055b1b00b4b4d7a4e3bcdf988b0f1816241fa2486cddc2a1c03a644c478b517a5f5c0d5bfba777cb1a86231a324fe742abe2a2a7a25c9581ce442b967
- SSDEEP: 384:TZyYL2adsbhKIyK55JoWgEmbr2z8Iij+ZsNO3PlpJKkkjh/TzF7pWnv1greT0pqH:dxNiwFKTJH2UuXQ/o61+L
Malware Config
Extracted
- Family: njrat
- Version: Njrat 0.7 Golden By Hassan Amiri
- Botnet: HacKed
- C2: 7.tcp.eu.ngrok.io:13225
- Mutex: WindowsEnginee
- reg_key: WindowsEnginee
- splitter: |Hassan|
Signatures

- Executes dropped EXE (3 IoCs)
  Processes:
    pid 3700  dllhost.exe
    pid 3520  Server.exe
    pid 3244  Server.exe

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  (1836-55-0x00000000003C0000-0x00000000003D2000-memory.exe)

- Drops startup file (2 IoCs)
  Processes:
    File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftEnginee.exe  (dllhost.exe)
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftEnginee.exe  (dllhost.exe)

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    Set value (str)  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsEnginee = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\" .."  (dllhost.exe)
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsEnginee = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\" .."  (dllhost.exe)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes:
    pid 4028  1836-55-0x00000000003C0000-0x00000000003D2000-memory.exe
    pid 3700  dllhost.exe

- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Processes:
    Token: SeDebugPrivilege            pid 3700  dllhost.exe
    Token: 33                          pid 3700  dllhost.exe  (15 entries, alternating with the next)
    Token: SeIncBasePriorityPrivilege  pid 3700  dllhost.exe  (15 entries)

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    PID 4028 wrote to memory of 3700  1836-55-0x00000000003C0000-0x00000000003D2000-memory.exe -> dllhost.exe  (3 entries)
    PID 3700 wrote to memory of 2132  dllhost.exe -> schtasks.exe  (3 entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\1836-55-0x00000000003C0000-0x00000000003D2000-memory.exe  (pid 4028)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1836-55-0x00000000003C0000-0x00000000003D2000-memory.exe"
  - Checks computer location settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Roaming\dllhost.exe  (pid 3700, child of 4028)
    Command line: "C:\Users\Admin\AppData\Roaming\dllhost.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\schtasks.exe  (pid 2132, child of 3700)
      Command line: schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
      - Creates scheduled task(s)

- C:\Users\Admin\AppData\Local\Temp\Server.exe  (top level, started by the scheduled task)
  Command line: C:\Users\Admin\AppData\Local\Temp/Server.exe
  - Executes dropped EXE

- C:\Users\Admin\AppData\Local\Temp\Server.exe  (top level, started by the scheduled task)
  Command line: C:\Users\Admin\AppData\Local\Temp/Server.exe
  - Executes dropped EXE
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Server.exe.log
  Filesize: 507B
  MD5: 25d1b50e7c0d451f3d850eb54d27ca05
  SHA1: a238807715c70a335f54e80d4855644b21a9e870
  SHA256: 650faa13e983c9046c9030f63a5fa1c33900432ec7cb3762e015da2e7c5b34a5
  SHA512: 4223a26b2fabefdf1c01443ccc7bd887464d27f02694379895a040c66db472d541218d501f1c01e1bd31012d079a31baf24e20882c32cf652a09a74e3bf385f5

- C:\Users\Admin\AppData\Local\Temp\Server.exe  (reported three times with identical hashes; same file as the submitted sample)
  Filesize: 72KB
  MD5: 34c8585f3489be745e509e06b311c855
  SHA1: abc0dad9b4265c09a879b8770a380c075d69931d
  SHA256: 8e4232565602a9a9e2c339a289508dfc54acab3b87ef736a54d0b5f4611bac4e
  SHA512: 479be6c055b1b00b4b4d7a4e3bcdf988b0f1816241fa2486cddc2a1c03a644c478b517a5f5c0d5bfba777cb1a86231a324fe742abe2a2a7a25c9581ce442b967

- C:\Users\Admin\AppData\Roaming\dllhost.exe  (reported twice with identical hashes; same file as the submitted sample)
  Filesize: 72KB
  MD5: 34c8585f3489be745e509e06b311c855
  SHA1: abc0dad9b4265c09a879b8770a380c075d69931d
  SHA256: 8e4232565602a9a9e2c339a289508dfc54acab3b87ef736a54d0b5f4611bac4e
  SHA512: 479be6c055b1b00b4b4d7a4e3bcdf988b0f1816241fa2486cddc2a1c03a644c478b517a5f5c0d5bfba777cb1a86231a324fe742abe2a2a7a25c9581ce442b967

Memory dumps
- memory/2132-139-0x0000000000000000-mapping.dmp
- memory/3700-141-0x0000000005AC0000-0x0000000005B26000-memory.dmp  (Filesize: 408KB)
- memory/3700-140-0x0000000005870000-0x000000000587A000-memory.dmp  (Filesize: 40KB)
- memory/3700-136-0x0000000000000000-mapping.dmp
- memory/4028-132-0x0000000000BA0000-0x0000000000BB2000-memory.dmp  (Filesize: 72KB)
- memory/4028-135-0x0000000005930000-0x00000000059C2000-memory.dmp  (Filesize: 584KB)
- memory/4028-134-0x0000000005E40000-0x00000000063E4000-memory.dmp  (Filesize: 5.6MB)
- memory/4028-133-0x00000000054F0000-0x000000000558C000-memory.dmp  (Filesize: 624KB)