Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-01-2023 23:21
Behavioral task behavioral1: sample 0edd453764ea4156966727e07bcec79a.exe, resource win7-20220812-en
Behavioral task behavioral2: sample 0edd453764ea4156966727e07bcec79a.exe, resource win10v2004-20220812-en
General
Target: 0edd453764ea4156966727e07bcec79a.exe
Size: 47KB
MD5: 0edd453764ea4156966727e07bcec79a
SHA1: 892d9f39638b3b4046acaab4de5bfacb7335b4a2
SHA256: 5dce060530255df2db5e5dc505f505ad5d169e8c5586c189659a3ca0e8c0459d
SHA512: 24df614d28993df542caadac6a4c9819a083321fc0babd2ce73467ab53b4bdf5a82658eb84198be61d09ce97b68d1dd73c8f516f34ce8f29edb3103ad1cdda96
SSDEEP: 384:wZyqjwolYxOoyi0ytYcm6MNiMFQVa9D9O5UE5QzwBlpJNakkjh/TzF7pWnn1grel:2IouIli0kYDviqWvQO+er+L4X
Malware Config
Extracted: njrat
Njrat 0.7 Golden By Hassan Amiri
system
7.tcp.eu.ngrok.io:10504
Discord Update
reg_key: Discord Update
splitter: |Hassan|
Signatures

Executes dropped EXE (1 IoC)
Processes: pid | process
532 | systemupdate.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 0edd453764ea4156966727e07bcec79a.exe
Drops startup file (2 IoCs)
Processes: description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord Update.exe | systemupdate.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord Update.exe | systemupdate.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Discord Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\systemupdate.exe\" .." | systemupdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Discord Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\systemupdate.exe\" .." | systemupdate.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: pid | process
4808 | 0edd453764ea4156966727e07bcec79a.exe
532 | systemupdate.exe
Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes: description | pid | process
Token: SeDebugPrivilege | 532 | systemupdate.exe
Token: 33 | 532 | systemupdate.exe
Token: SeIncBasePriorityPrivilege | 532 | systemupdate.exe
Token: 33 | 532 | systemupdate.exe
Token: SeIncBasePriorityPrivilege | 532 | systemupdate.exe
Token: 33 | 532 | systemupdate.exe
Token: SeIncBasePriorityPrivilege | 532 | systemupdate.exe
Token: 33 | 532 | systemupdate.exe
Token: SeIncBasePriorityPrivilege | 532 | systemupdate.exe
Token: 33 | 532 | systemupdate.exe
Token: SeIncBasePriorityPrivilege | 532 | systemupdate.exe
Token: 33 | 532 | systemupdate.exe
Token: SeIncBasePriorityPrivilege | 532 | systemupdate.exe
Token: 33 | 532 | systemupdate.exe
Token: SeIncBasePriorityPrivilege | 532 | systemupdate.exe
Token: 33 | 532 | systemupdate.exe
Token: SeIncBasePriorityPrivilege | 532 | systemupdate.exe
Token: 33 | 532 | systemupdate.exe
Token: SeIncBasePriorityPrivilege | 532 | systemupdate.exe
Token: 33 | 532 | systemupdate.exe
Token: SeIncBasePriorityPrivilege | 532 | systemupdate.exe
Token: 33 | 532 | systemupdate.exe
Token: SeIncBasePriorityPrivilege | 532 | systemupdate.exe
Token: 33 | 532 | systemupdate.exe
Token: SeIncBasePriorityPrivilege | 532 | systemupdate.exe
Token: 33 | 532 | systemupdate.exe
Token: SeIncBasePriorityPrivilege | 532 | systemupdate.exe
Token: 33 | 532 | systemupdate.exe
Token: SeIncBasePriorityPrivilege | 532 | systemupdate.exe
Token: 33 | 532 | systemupdate.exe
Token: SeIncBasePriorityPrivilege | 532 | systemupdate.exe
Token: 33 | 532 | systemupdate.exe
Token: SeIncBasePriorityPrivilege | 532 | systemupdate.exe
Token: 33 | 532 | systemupdate.exe
Token: SeIncBasePriorityPrivilege | 532 | systemupdate.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: description | pid | process | target process
PID 4808 wrote to memory of 532 | 4808 | 0edd453764ea4156966727e07bcec79a.exe | systemupdate.exe
PID 4808 wrote to memory of 532 | 4808 | 0edd453764ea4156966727e07bcec79a.exe | systemupdate.exe
PID 4808 wrote to memory of 532 | 4808 | 0edd453764ea4156966727e07bcec79a.exe | systemupdate.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\0edd453764ea4156966727e07bcec79a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0edd453764ea4156966727e07bcec79a.exe"
   - Checks computer location settings
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\systemupdate.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\systemupdate.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\systemupdate.exe
Filesize: 47KB
MD5: 0edd453764ea4156966727e07bcec79a
SHA1: 892d9f39638b3b4046acaab4de5bfacb7335b4a2
SHA256: 5dce060530255df2db5e5dc505f505ad5d169e8c5586c189659a3ca0e8c0459d
SHA512: 24df614d28993df542caadac6a4c9819a083321fc0babd2ce73467ab53b4bdf5a82658eb84198be61d09ce97b68d1dd73c8f516f34ce8f29edb3103ad1cdda96
memory/532-133-0x0000000000000000-mapping.dmp
memory/532-137-0x0000000074B10000-0x00000000750C1000-memory.dmp, Filesize: 5.7MB
memory/532-138-0x0000000074B10000-0x00000000750C1000-memory.dmp, Filesize: 5.7MB
memory/4808-132-0x0000000074B10000-0x00000000750C1000-memory.dmp, Filesize: 5.7MB
memory/4808-136-0x0000000074B10000-0x00000000750C1000-memory.dmp, Filesize: 5.7MB