Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 29-09-2022 20:33
Behavioral task: behavioral1
- Sample: 4ff6f79a49a97dc667f24ba8cda3a576.exe
- Resource: win7-20220901-en
General
- Target: 4ff6f79a49a97dc667f24ba8cda3a576.exe
- Size: 43KB
- MD5: 4ff6f79a49a97dc667f24ba8cda3a576
- SHA1: 58b180568f77a147d272b46fa68789624b1cdd23
- SHA256: e0f6b466d18506eb16846285e03c050fe0f72dfcaaf55809c717ebc0c38de4f3
- SHA512: a52d861995e405f5ea4a3727a74d39c35ec92cd0659e1ea0af95267d2bb2db8519d394a240ec9abfa5ade1912dc4393d8828916a636c514202b2404a3e827a29
- SSDEEP: 384:YZyd4g98NaIyrRBb3yw+IEJiE7azsIij+ZsNO3PlpJKkkjh/TzF7pWnd/greT0pO:u8ywFrjb3ynRwuXQ/oo/+L
Malware Config
Extracted
- Family: njrat
- Version: Njrat 0.7 Golden By Hassan Amiri
- Botnet: HacKed
- C2: 4.tcp.eu.ngrok.io:18018
- Mutex: Windows Update
- reg_key: Windows Update
- splitter: |Hassan|
Signatures
- Executes dropped EXE (1 IoC)
  Processes: Server.exe (PID 1720)
- Drops startup file (2 IoCs)
  Process: Server.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe
- Loads dropped DLL (1 IoC)
  Processes: 4ff6f79a49a97dc667f24ba8cda3a576.exe (PID 1552)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: Server.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .."
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .."
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: Server.exe (PID 1720)
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Process: Server.exe (PID 1720)
  - Token: SeDebugPrivilege (1 event)
  - Token: 33 (9 events)
  - Token: SeIncBasePriorityPrivilege (9 events)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Process: 4ff6f79a49a97dc667f24ba8cda3a576.exe (PID 1552)
  - PID 1552 (4ff6f79a49a97dc667f24ba8cda3a576.exe) wrote to memory of PID 1720 (Server.exe), 4 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\4ff6f79a49a97dc667f24ba8cda3a576.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4ff6f79a49a97dc667f24ba8cda3a576.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Server.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  Filesize: 43KB
  MD5: 4ff6f79a49a97dc667f24ba8cda3a576
  SHA1: 58b180568f77a147d272b46fa68789624b1cdd23
  SHA256: e0f6b466d18506eb16846285e03c050fe0f72dfcaaf55809c717ebc0c38de4f3
  SHA512: a52d861995e405f5ea4a3727a74d39c35ec92cd0659e1ea0af95267d2bb2db8519d394a240ec9abfa5ade1912dc4393d8828916a636c514202b2404a3e827a29
- memory/1552-54-0x0000000000EB0000-0x0000000000EC2000-memory.dmp
  Filesize: 72KB
- memory/1552-55-0x0000000075681000-0x0000000075683000-memory.dmp
  Filesize: 8KB
- memory/1720-57-0x0000000000000000-mapping.dmp
- memory/1720-60-0x0000000000280000-0x0000000000292000-memory.dmp
  Filesize: 72KB