Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-01-2023 09:41
Behavioral task: behavioral1
- Sample: bfb9595d41e726e7f998b787fde15fd6.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: bfb9595d41e726e7f998b787fde15fd6.exe
- Resource: win10v2004-20220901-en
General
- Target: bfb9595d41e726e7f998b787fde15fd6.exe
- Size: 43KB
- MD5: bfb9595d41e726e7f998b787fde15fd6
- SHA1: eebad9fbff85ee5196519f23e618d3338337ac59
- SHA256: 12fd0e3e4e6aad3b58924c8c7cdf9a8d5e2fba3624f679f32f9a0231d8a23a62
- SHA512: 034ce29a31196fa1dc2e43c9770e7c5d300eb1a69138b90e3a2ba316cae3ba90d7a22ae225cef9fa96b3d3636e3de4a8a19c7f3347ae824b7af2e35e3ed77a34
- SSDEEP: 384:MZySi5ctOnwtOyW6Z/gc2iEwPmAMcCb2IDa9D9O5UE5QzwBlpJNakkjh/TzF7pWJ:qqqAwt/W6dgc2iEweQCbpvQO+UD+L
Malware Config
Extracted
- Family: njrat
- Version: Njrat 0.7 Golden By Hassan Amiri
- Botnet: system
- C2: 6.tcp.eu.ngrok.io:19161
- Mutex: Windows Update
- reg_key: Windows Update
- splitter: |Hassan|
Signatures
- Executes dropped EXE (1 IoC)
  Process: systemupdate.exe (PID 4548)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (process: bfb9595d41e726e7f998b787fde15fd6.exe)
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update.exe (process: systemupdate.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update.exe (process: systemupdate.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\systemupdate.exe\" .." (process: systemupdate.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\systemupdate.exe\" .." (process: systemupdate.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes: bfb9595d41e726e7f998b787fde15fd6.exe (PID 4956), systemupdate.exe (PID 4548)
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Process: systemupdate.exe (PID 4548)
  Token: SeDebugPrivilege (once), followed by the pair Token: 33 / Token: SeIncBasePriorityPrivilege repeated 17 times (34 entries)
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4956 (bfb9595d41e726e7f998b787fde15fd6.exe) wrote to memory of PID 4548 (systemupdate.exe), recorded three times
Processes
- C:\Users\Admin\AppData\Local\Temp\bfb9595d41e726e7f998b787fde15fd6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bfb9595d41e726e7f998b787fde15fd6.exe"
  - Checks computer location settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\systemupdate.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\systemupdate.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\systemupdate.exe
  Filesize: 43KB
  MD5: bfb9595d41e726e7f998b787fde15fd6
  SHA1: eebad9fbff85ee5196519f23e618d3338337ac59
  SHA256: 12fd0e3e4e6aad3b58924c8c7cdf9a8d5e2fba3624f679f32f9a0231d8a23a62
  SHA512: 034ce29a31196fa1dc2e43c9770e7c5d300eb1a69138b90e3a2ba316cae3ba90d7a22ae225cef9fa96b3d3636e3de4a8a19c7f3347ae824b7af2e35e3ed77a34
- memory/4548-133-0x0000000000000000-mapping.dmp
- memory/4548-137-0x0000000074CB0000-0x0000000075261000-memory.dmp
  Filesize: 5.7MB
- memory/4548-138-0x0000000074CB0000-0x0000000075261000-memory.dmp
  Filesize: 5.7MB
- memory/4956-132-0x0000000074CB0000-0x0000000075261000-memory.dmp
  Filesize: 5.7MB
- memory/4956-136-0x0000000074CB0000-0x0000000075261000-memory.dmp
  Filesize: 5.7MB