Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-09-2022 07:51
Behavioral task: behavioral1
- Sample: 0ca62d00d3558849a26a7f4d11b4cd21.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 0ca62d00d3558849a26a7f4d11b4cd21.exe
- Resource: win10v2004-20220812-en
General
- Target: 0ca62d00d3558849a26a7f4d11b4cd21.exe
- Size: 43KB
- MD5: 0ca62d00d3558849a26a7f4d11b4cd21
- SHA1: 4c6c0df4fd0453b824deaf57a576f8318c3ba604
- SHA256: 5de5c7adc7d5ee1854876ddc80d2c8abc36628595327d9b45ac2e55802655d1c
- SHA512: 0e7b8752eeacdb35125ee309797c8e339c1ae24931ef66cbe389054efa39b00b0f0ca4f8424c6aa6c746b1d7ebb2832adc8de086cf8f292140a250e14fae48bd
- SSDEEP: 384:UZylSg98NaIyrLP73cWESES6ik7azsIij+ZsNO3PlpJKkkjh/TzF7pWnT/greT0k:iGywFrz73cP7QuXQ/ou/+L
Malware Config
Extracted
- Family: njrat
- Version: Njrat 0.7 Golden By Hassan Amiri
- Botnet: HacKed
- C2: 5.tcp.eu.ngrok.io:19964
- Mutex: Windows Update
- Attributes:
  - reg_key: Windows Update
  - splitter: |Hassan|
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
  pid   process
  4928  Dllhost.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
    process: 0ca62d00d3558849a26a7f4d11b4cd21.exe
- Drops startup file (2 IoCs)
  Processes:
  - description: File created
    ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe
    process: Dllhost.exe
  - description: File opened for modification
    ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe
    process: Dllhost.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  - description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Dllhost.exe\" .."
    process: Dllhost.exe
  - description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Dllhost.exe\" .."
    process: Dllhost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes:
  pid   process
  2044  0ca62d00d3558849a26a7f4d11b4cd21.exe
  4928  Dllhost.exe
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes:
  description                        pid   process
  Token: SeDebugPrivilege            4928  Dllhost.exe
  Token: 33                          4928  Dllhost.exe
  Token: SeIncBasePriorityPrivilege  4928  Dllhost.exe
  Token: 33                          4928  Dllhost.exe
  Token: SeIncBasePriorityPrivilege  4928  Dllhost.exe
  Token: 33                          4928  Dllhost.exe
  Token: SeIncBasePriorityPrivilege  4928  Dllhost.exe
  Token: 33                          4928  Dllhost.exe
  Token: SeIncBasePriorityPrivilege  4928  Dllhost.exe
  Token: 33                          4928  Dllhost.exe
  Token: SeIncBasePriorityPrivilege  4928  Dllhost.exe
  Token: 33                          4928  Dllhost.exe
  Token: SeIncBasePriorityPrivilege  4928  Dllhost.exe
  Token: 33                          4928  Dllhost.exe
  Token: SeIncBasePriorityPrivilege  4928  Dllhost.exe
  Token: 33                          4928  Dllhost.exe
  Token: SeIncBasePriorityPrivilege  4928  Dllhost.exe
  Token: 33                          4928  Dllhost.exe
  Token: SeIncBasePriorityPrivilege  4928  Dllhost.exe
  Token: 33                          4928  Dllhost.exe
  Token: SeIncBasePriorityPrivilege  4928  Dllhost.exe
  Token: 33                          4928  Dllhost.exe
  Token: SeIncBasePriorityPrivilege  4928  Dllhost.exe
  Token: 33                          4928  Dllhost.exe
  Token: SeIncBasePriorityPrivilege  4928  Dllhost.exe
  Token: 33                          4928  Dllhost.exe
  Token: SeIncBasePriorityPrivilege  4928  Dllhost.exe
  Token: 33                          4928  Dllhost.exe
  Token: SeIncBasePriorityPrivilege  4928  Dllhost.exe
  Token: 33                          4928  Dllhost.exe
  Token: SeIncBasePriorityPrivilege  4928  Dllhost.exe
  Token: 33                          4928  Dllhost.exe
  Token: SeIncBasePriorityPrivilege  4928  Dllhost.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                        pid   process                               target process
  PID 2044 wrote to memory of 4928   2044  0ca62d00d3558849a26a7f4d11b4cd21.exe  Dllhost.exe
  PID 2044 wrote to memory of 4928   2044  0ca62d00d3558849a26a7f4d11b4cd21.exe  Dllhost.exe
  PID 2044 wrote to memory of 4928   2044  0ca62d00d3558849a26a7f4d11b4cd21.exe  Dllhost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\0ca62d00d3558849a26a7f4d11b4cd21.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ca62d00d3558849a26a7f4d11b4cd21.exe"
  - Checks computer location settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Dllhost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Dllhost.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\Dllhost.exe
  Filesize: 43KB
  MD5: 0ca62d00d3558849a26a7f4d11b4cd21
  SHA1: 4c6c0df4fd0453b824deaf57a576f8318c3ba604
  SHA256: 5de5c7adc7d5ee1854876ddc80d2c8abc36628595327d9b45ac2e55802655d1c
  SHA512: 0e7b8752eeacdb35125ee309797c8e339c1ae24931ef66cbe389054efa39b00b0f0ca4f8424c6aa6c746b1d7ebb2832adc8de086cf8f292140a250e14fae48bd
- C:\Users\Admin\AppData\Local\Temp\Dllhost.exe
  Filesize: 43KB
  MD5: 0ca62d00d3558849a26a7f4d11b4cd21
  SHA1: 4c6c0df4fd0453b824deaf57a576f8318c3ba604
  SHA256: 5de5c7adc7d5ee1854876ddc80d2c8abc36628595327d9b45ac2e55802655d1c
  SHA512: 0e7b8752eeacdb35125ee309797c8e339c1ae24931ef66cbe389054efa39b00b0f0ca4f8424c6aa6c746b1d7ebb2832adc8de086cf8f292140a250e14fae48bd
- memory/2044-132-0x0000000000D20000-0x0000000000D32000-memory.dmp
  Filesize: 72KB
- memory/2044-133-0x00000000056C0000-0x000000000575C000-memory.dmp
  Filesize: 624KB
- memory/2044-134-0x0000000005FE0000-0x0000000006584000-memory.dmp
  Filesize: 5.6MB
- memory/2044-135-0x0000000005AD0000-0x0000000005B62000-memory.dmp
  Filesize: 584KB
- memory/4928-136-0x0000000000000000-mapping.dmp
- memory/4928-139-0x0000000004FD0000-0x0000000004FDA000-memory.dmp
  Filesize: 40KB
- memory/4928-140-0x0000000005230000-0x0000000005296000-memory.dmp
  Filesize: 408KB