Analysis
- max time kernel: 152s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 23-09-2022 07:51
Behavioral task: behavioral1
- Sample: 0ca62d00d3558849a26a7f4d11b4cd21.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: 0ca62d00d3558849a26a7f4d11b4cd21.exe
- Resource: win10v2004-20220812-en
General
- Target: 0ca62d00d3558849a26a7f4d11b4cd21.exe
- Size: 43KB
- MD5: 0ca62d00d3558849a26a7f4d11b4cd21
- SHA1: 4c6c0df4fd0453b824deaf57a576f8318c3ba604
- SHA256: 5de5c7adc7d5ee1854876ddc80d2c8abc36628595327d9b45ac2e55802655d1c
- SHA512: 0e7b8752eeacdb35125ee309797c8e339c1ae24931ef66cbe389054efa39b00b0f0ca4f8424c6aa6c746b1d7ebb2832adc8de086cf8f292140a250e14fae48bd
- SSDEEP: 384:UZylSg98NaIyrLP73cWESES6ik7azsIij+ZsNO3PlpJKkkjh/TzF7pWnT/greT0k:iGywFrz73cP7QuXQ/ou/+L
Malware Config
Extracted: njrat
- Njrat 0.7 Golden By Hassan Amiri
- HacKed
- 5.tcp.eu.ngrok.io:19964
- Windows Update
- reg_key: Windows Update
- splitter: |Hassan|
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 2020  Dllhost.exe
- Drops startup file (2 IoCs)
  Processes:
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe  (Dllhost.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe  (Dllhost.exe)
- Loads dropped DLL (1 IoC)
  Processes:
    pid 1884  0ca62d00d3558849a26a7f4d11b4cd21.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Dllhost.exe\" .."  (Dllhost.exe)
    Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Dllhost.exe\" .."  (Dllhost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid 2020  Dllhost.exe
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Processes (all pid 2020, Dllhost.exe):
    Token: SeDebugPrivilege (1 time)
    Token: 33 (9 times)
    Token: SeIncBasePriorityPrivilege (9 times)
    Order as recorded: SeDebugPrivilege, then 33 and SeIncBasePriorityPrivilege alternating nine times each.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    PID 1884 (0ca62d00d3558849a26a7f4d11b4cd21.exe) wrote to memory of PID 2020 (Dllhost.exe), recorded 4 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\0ca62d00d3558849a26a7f4d11b4cd21.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0ca62d00d3558849a26a7f4d11b4cd21.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Dllhost.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Dllhost.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Dllhost.exe
  Filesize: 43KB
  MD5: 0ca62d00d3558849a26a7f4d11b4cd21
  SHA1: 4c6c0df4fd0453b824deaf57a576f8318c3ba604
  SHA256: 5de5c7adc7d5ee1854876ddc80d2c8abc36628595327d9b45ac2e55802655d1c
  SHA512: 0e7b8752eeacdb35125ee309797c8e339c1ae24931ef66cbe389054efa39b00b0f0ca4f8424c6aa6c746b1d7ebb2832adc8de086cf8f292140a250e14fae48bd
- C:\Users\Admin\AppData\Local\Temp\Dllhost.exe
  Filesize: 43KB
  MD5: 0ca62d00d3558849a26a7f4d11b4cd21
  SHA1: 4c6c0df4fd0453b824deaf57a576f8318c3ba604
  SHA256: 5de5c7adc7d5ee1854876ddc80d2c8abc36628595327d9b45ac2e55802655d1c
  SHA512: 0e7b8752eeacdb35125ee309797c8e339c1ae24931ef66cbe389054efa39b00b0f0ca4f8424c6aa6c746b1d7ebb2832adc8de086cf8f292140a250e14fae48bd
- \Users\Admin\AppData\Local\Temp\Dllhost.exe
  Filesize: 43KB
  MD5: 0ca62d00d3558849a26a7f4d11b4cd21
  SHA1: 4c6c0df4fd0453b824deaf57a576f8318c3ba604
  SHA256: 5de5c7adc7d5ee1854876ddc80d2c8abc36628595327d9b45ac2e55802655d1c
  SHA512: 0e7b8752eeacdb35125ee309797c8e339c1ae24931ef66cbe389054efa39b00b0f0ca4f8424c6aa6c746b1d7ebb2832adc8de086cf8f292140a250e14fae48bd
- memory/1884-54-0x0000000000B60000-0x0000000000B72000-memory.dmp
  Filesize: 72KB
- memory/1884-55-0x0000000075571000-0x0000000075573000-memory.dmp
  Filesize: 8KB
- memory/2020-57-0x0000000000000000-mapping.dmp
- memory/2020-60-0x0000000000D20000-0x0000000000D32000-memory.dmp
  Filesize: 72KB