Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 24-01-2023 00:46
Behavioral task: behavioral1
- Sample: bfbae8700482430e437f19775ec2300c.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: bfbae8700482430e437f19775ec2300c.exe
- Resource: win10v2004-20221111-en
General
- Target: bfbae8700482430e437f19775ec2300c.exe
- Size: 43KB
- MD5: bfbae8700482430e437f19775ec2300c
- SHA1: 37b64267becf1a36ed3b59e092b9c6e436669d02
- SHA256: 9d4fa86ae4f8aa26980f7dc2d8761901643b698c50b40ddf0477bfacd8a1e9d3
- SHA512: fa70371ae55f4f77f2afd342fa8e00741c809b9e6885b98e52fa6375832d5c95bf045d2b276cad2ce6df6dd33b6782ad5163e53a4f06b350b8d61e1eb4341c08
- SSDEEP: 384:2ZyON3vxdW/IUyNZmd5yFivUwaMbt156lbC9D9O5UE5QzwBlpJNakkjh/TzF7pWS:sB/xIghNZk5yFivd9tilvQO+3D+L
Malware Config
Extracted: njrat
- Njrat 0.7 Golden By Hassan Amiri
- system
- 2.tcp.eu.ngrok.io:10724
- Windows Update
- reg_key: Windows Update
- splitter: |Hassan|
Signatures
- Executes dropped EXE (1 IoC)
  Processes: systemupdate.exe (pid 1548)
- Drops startup file (2 IoCs)
  Process: systemupdate.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update.exe
- Loads dropped DLL (1 IoC)
  Processes: bfbae8700482430e437f19775ec2300c.exe (pid 1976)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: systemupdate.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\systemupdate.exe\" .."
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\systemupdate.exe\" .."
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: systemupdate.exe (pid 1548)
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Process: systemupdate.exe (pid 1548)
  Tokens: SeDebugPrivilege (1 event), then 33 and SeIncBasePriorityPrivilege alternating (9 events each)
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 1976 (bfbae8700482430e437f19775ec2300c.exe) wrote to memory of PID 1548 (systemupdate.exe), 7 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\bfbae8700482430e437f19775ec2300c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bfbae8700482430e437f19775ec2300c.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\systemupdate.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\systemupdate.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\systemupdate.exe
  Filesize: 43KB
  MD5: bfbae8700482430e437f19775ec2300c
  SHA1: 37b64267becf1a36ed3b59e092b9c6e436669d02
  SHA256: 9d4fa86ae4f8aa26980f7dc2d8761901643b698c50b40ddf0477bfacd8a1e9d3
  SHA512: fa70371ae55f4f77f2afd342fa8e00741c809b9e6885b98e52fa6375832d5c95bf045d2b276cad2ce6df6dd33b6782ad5163e53a4f06b350b8d61e1eb4341c08
Memory dumps
- memory/1548-57-0x0000000000000000-mapping.dmp
- memory/1548-62-0x0000000074590000-0x0000000074B3B000-memory.dmp (Filesize: 5.7MB)
- memory/1548-63-0x0000000074590000-0x0000000074B3B000-memory.dmp (Filesize: 5.7MB)
- memory/1976-54-0x00000000764D1000-0x00000000764D3000-memory.dmp (Filesize: 8KB)
- memory/1976-55-0x0000000074590000-0x0000000074B3B000-memory.dmp (Filesize: 5.7MB)
- memory/1976-61-0x0000000074590000-0x0000000074B3B000-memory.dmp (Filesize: 5.7MB)