Analysis
max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted
12-01-2023 23:21
Behavioral task
behavioral1
Sample
0edd453764ea4156966727e07bcec79a.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
0edd453764ea4156966727e07bcec79a.exe
Resource
win10v2004-20220812-en
General
Target
0edd453764ea4156966727e07bcec79a.exe
Size
47KB
MD5
0edd453764ea4156966727e07bcec79a
SHA1
892d9f39638b3b4046acaab4de5bfacb7335b4a2
SHA256
5dce060530255df2db5e5dc505f505ad5d169e8c5586c189659a3ca0e8c0459d
SHA512
24df614d28993df542caadac6a4c9819a083321fc0babd2ce73467ab53b4bdf5a82658eb84198be61d09ce97b68d1dd73c8f516f34ce8f29edb3103ad1cdda96
SSDEEP
384:wZyqjwolYxOoyi0ytYcm6MNiMFQVa9D9O5UE5QzwBlpJNakkjh/TzF7pWnn1grel:2IouIli0kYDviqWvQO+er+L4X
Malware Config
Extracted
njrat
Njrat 0.7 Golden By Hassan Amiri
system
7.tcp.eu.ngrok.io:10504
Discord Update
reg_key
Discord Update
splitter
|Hassan|
Signatures

Executes dropped EXE (1 IoC)
Processes:
pid | process
1956 | systemupdate.exe

Drops startup file (2 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord Update.exe | systemupdate.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord Update.exe | systemupdate.exe

Loads dropped DLL (1 IoC)
Processes:
pid | process
1720 | 0edd453764ea4156966727e07bcec79a.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Discord Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\systemupdate.exe\" .." | systemupdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Discord Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\systemupdate.exe\" .." | systemupdate.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
pid | process
1956 | systemupdate.exe

Suspicious use of AdjustPrivilegeToken (19 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1956 | systemupdate.exe
Token: 33 | 1956 | systemupdate.exe
Token: SeIncBasePriorityPrivilege | 1956 | systemupdate.exe
Token: 33 | 1956 | systemupdate.exe
Token: SeIncBasePriorityPrivilege | 1956 | systemupdate.exe
Token: 33 | 1956 | systemupdate.exe
Token: SeIncBasePriorityPrivilege | 1956 | systemupdate.exe
Token: 33 | 1956 | systemupdate.exe
Token: SeIncBasePriorityPrivilege | 1956 | systemupdate.exe
Token: 33 | 1956 | systemupdate.exe
Token: SeIncBasePriorityPrivilege | 1956 | systemupdate.exe
Token: 33 | 1956 | systemupdate.exe
Token: SeIncBasePriorityPrivilege | 1956 | systemupdate.exe
Token: 33 | 1956 | systemupdate.exe
Token: SeIncBasePriorityPrivilege | 1956 | systemupdate.exe
Token: 33 | 1956 | systemupdate.exe
Token: SeIncBasePriorityPrivilege | 1956 | systemupdate.exe
Token: 33 | 1956 | systemupdate.exe
Token: SeIncBasePriorityPrivilege | 1956 | systemupdate.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
description | pid | process | target process
PID 1720 wrote to memory of 1956 | 1720 | 0edd453764ea4156966727e07bcec79a.exe | systemupdate.exe
PID 1720 wrote to memory of 1956 | 1720 | 0edd453764ea4156966727e07bcec79a.exe | systemupdate.exe
PID 1720 wrote to memory of 1956 | 1720 | 0edd453764ea4156966727e07bcec79a.exe | systemupdate.exe
PID 1720 wrote to memory of 1956 | 1720 | 0edd453764ea4156966727e07bcec79a.exe | systemupdate.exe
PID 1720 wrote to memory of 1956 | 1720 | 0edd453764ea4156966727e07bcec79a.exe | systemupdate.exe
PID 1720 wrote to memory of 1956 | 1720 | 0edd453764ea4156966727e07bcec79a.exe | systemupdate.exe
PID 1720 wrote to memory of 1956 | 1720 | 0edd453764ea4156966727e07bcec79a.exe | systemupdate.exe
Processes
C:\Users\Admin\AppData\Local\Temp\0edd453764ea4156966727e07bcec79a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0edd453764ea4156966727e07bcec79a.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\systemupdate.exe (child of PID 1720)
    Command line: "C:\Users\Admin\AppData\Local\Temp\systemupdate.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\systemupdate.exe
Filesize
47KB
MD5
0edd453764ea4156966727e07bcec79a
SHA1
892d9f39638b3b4046acaab4de5bfacb7335b4a2
SHA256
5dce060530255df2db5e5dc505f505ad5d169e8c5586c189659a3ca0e8c0459d
SHA512
24df614d28993df542caadac6a4c9819a083321fc0babd2ce73467ab53b4bdf5a82658eb84198be61d09ce97b68d1dd73c8f516f34ce8f29edb3103ad1cdda96
\Users\Admin\AppData\Local\Temp\systemupdate.exe
Filesize
47KB
MD5
0edd453764ea4156966727e07bcec79a
SHA1
892d9f39638b3b4046acaab4de5bfacb7335b4a2
SHA256
5dce060530255df2db5e5dc505f505ad5d169e8c5586c189659a3ca0e8c0459d
SHA512
24df614d28993df542caadac6a4c9819a083321fc0babd2ce73467ab53b4bdf5a82658eb84198be61d09ce97b68d1dd73c8f516f34ce8f29edb3103ad1cdda96

memory/1720-54-0x0000000074BB1000-0x0000000074BB3000-memory.dmp
Filesize
8KB

memory/1720-55-0x0000000074300000-0x00000000748AB000-memory.dmp
Filesize
5.7MB

memory/1720-61-0x0000000074300000-0x00000000748AB000-memory.dmp
Filesize
5.7MB

memory/1956-57-0x0000000000000000-mapping.dmp

memory/1956-62-0x0000000074300000-0x00000000748AB000-memory.dmp
Filesize
5.7MB

memory/1956-63-0x0000000074300000-0x00000000748AB000-memory.dmp
Filesize
5.7MB