Analysis
max time kernel: 149s
max time network: 148s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 22-03-2023 14:14
Behavioral task behavioral1: sample m4c050.exe, resource win7-20230220-en
Behavioral task behavioral2: sample m4c050.exe, resource win10v2004-20230220-en
General
Target: m4c050.exe
Size: 43KB
MD5: 104fe8e80032d42e1ba1118fd2049e8e
SHA1: d6e6695f27fdbce964983f611fc2f09534ea5a9d
SHA256: 089c68cc6ef6d1af0201f210b0e88935e6756540aba5521969022b581e1a52e6
SHA512: d04f996e9399c0ab6b4a4f231e9307c37ea00f75e8c59a6072bfba159733f79cc90bb540c55508afffce0b00c6253f21846cfb6b3a759b89a6852c10fff7fe0a
SSDEEP: 384:NZyUiFIB+oyitVv0O0EHafIuZzQIij+ZsNO3PlpJKkkjh/TzF7pWnp/greT0pqf7:nO+IliLvDW3uXQ/o0/+L
Malware Config
Extracted
Family: njrat
Version: Njrat 0.7 Golden By Hassan Amiri
Botnet (campaign name, used as the victim-ID prefix): HacKed
C2: 212.ip.ply.gg:16355 (a *.ply.gg hostname is a playit.gg tunnel, so the operator's real address sits behind a free tunnelling service)
Mutex (field label not preserved on the page; presumed from field order): Windows Update
reg_key: Windows Update
splitter: |Hassan| (replaces the stock njRAT field delimiter, so signatures keyed on the default splitter miss this build)
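The splitter and C2 above are the two values an analyst needs to decode this build's traffic. What follows is an added example, not code from the report page or from the njRAT author: a Python framer/parser for njRAT's wire format, which sends each message as an ASCII decimal length, a NUL byte, then the payload, with fields inside the payload separated by the build's splitter. The registration beacon it decodes is constructed for the example; its field order follows the commonly documented njRAT 0.7d "ll" registration command and is assumed to apply to this "Golden" build, and the hostname, user, hardware ID and date values are made up.

```python
from typing import List, Tuple

SPLITTER = "|Hassan|"             # from the extracted config above
C2 = ("212.ip.ply.gg", 16355)     # from the extracted config above


def frame(payload: bytes) -> bytes:
    """Encode one njRAT message as b"<decimal length>\\x00<payload>"."""
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def unframe(stream: bytes) -> Tuple[List[bytes], bytes]:
    """Split a TCP byte stream into complete njRAT messages.

    Returns (messages, leftover).  A trailing partial message is kept in
    leftover so the caller can append the next recv() chunk and call again.
    """
    messages: List[bytes] = []
    pos = 0
    while True:
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break
        length_str = stream[pos:nul]
        if not length_str.isdigit():
            raise ValueError("bad njRAT length prefix at offset %d" % pos)
        start = nul + 1
        end = start + int(length_str)
        if end > len(stream):
            break                      # incomplete message; leave it in leftover
        messages.append(stream[start:end])
        pos = end
    return messages, stream[pos:]


def parse_fields(payload: bytes, splitter: str = SPLITTER) -> List[str]:
    """Split a decoded payload on the build-specific splitter."""
    return payload.decode("utf-8", errors="replace").split(splitter)


def registration_info(fields: List[str]) -> dict:
    """Summarise an 'll' (registration) beacon.

    The victim ID is '<campaign>_<hardware id>', so the campaign name
    ('HacKed' for this sample) is recovered by splitting on the last '_'.
    """
    if not fields or fields[0] != "ll":
        raise ValueError("not a registration beacon")
    campaign, _, hwid = fields[1].rpartition("_")
    return {
        "campaign": campaign,
        "hwid": hwid,
        "host": fields[2],
        "user": fields[3],
        "version": fields[8],
        "active_window": fields[10],
    }


# Constructed sample beacon (not captured traffic). Field order follows the
# njRAT 0.7d registration command; every value except the campaign, version
# string and splitter is made up for the example.
SAMPLE_BEACON = frame(SPLITTER.join([
    "ll",
    "HacKed_7C3A9F12",             # "<campaign>_<hardware id>"
    "DESKTOP-EXAMPLE",             # hostname
    "Admin",                       # username
    "23-03-22",                    # install date
    "",                            # unused field
    "Win 7 Professional SP1 x64",  # OS string
    "No",                          # webcam present?
    "0.7 Golden By Hassan Amiri",  # version string
    "..",                          # installation marker
    "Sandbox - Notepad",           # foreground window title
]).encode("utf-8"))


if __name__ == "__main__":
    msgs, rest = unframe(SAMPLE_BEACON)
    for m in msgs:
        print(registration_info(parse_fields(m)))
```

Pointing unframe() at a pcap follow-stream of port 16355 traffic and swapping in the splitter from a different build's config is enough to triage beacons from other njRAT samples; the length prefix is plain ASCII, so a wrong splitter shows up as one giant field rather than a framing error.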
Signatures

Drops startup file (2 IoCs)
Process Dllhost.exe:
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe

Executes dropped EXE (1 IoC)
PID 1040 Dllhost.exe

Loads dropped DLL (1 IoC)
PID 1324 m4c050.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Process Dllhost.exe:
Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\Dllhost.exe\" .."
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\Dllhost.exe\" .."
The value name is the reg_key from the extracted config. The HKLM write lands under Wow6432Node because the 32-bit process is registry-redirected on x64; on a real host the same write is visible under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run in the 32-bit view. The trailing " .." argument is the marker njRAT appends to its own autorun command line and is a cheap, stable detection pivot.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drives. "Likely ransomware behaviour" is the sandbox's generic description for this signature; nothing else in this report (no mass file writes, no encryption) supports it, and for njRAT drive enumeration is consistent with its removable-drive spreading feature.

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID 1040 Dllhost.exe. njRAT polls the foreground window title continuously to report the victim's active window to the operator and to tag keylogger output.

Suspicious use of AdjustPrivilegeToken (21 IoCs)
Process Dllhost.exe (PID 1040):
Token: SeDebugPrivilege (1 time)
Token: 33 (10 times; the sandbox left this LUID unresolved, LUID 33 is SeIncreaseWorkingSetPrivilege)
Token: SeIncBasePriorityPrivilege (10 times)
The 33 / SeIncBasePriorityPrivilege pairs alternate, consistent with a loop that repeatedly adjusts its own process priority rather than with a one-off privilege escalation.

Suspicious use of WriteProcessMemory (4 IoCs)
PID 1324 m4c050.exe wrote to memory of PID 1040 Dllhost.exe (4 times)
Four writes from a parent into the child it has just created are what an ordinary CreateProcess launch looks like, not evidence of injection on their own; consistent with that, the dropped Dllhost.exe is byte-identical to the submitted sample (see Downloads), so no in-memory payload needs to be written.
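The three persistence IoCs above (two Run values and a Startup-folder drop) share traits that are worth encoding as detection logic. The following Python is an added example, not code from the report: it runs checks over a few constructed event records that mirror the sandbox's registry and file IoCs (the record shape and its field names are assumptions for the example, not a Triage export format), plus a made-up benign Run value as a control.

```python
import re
from typing import Dict, List, Tuple

# Run keys under HKCU/HKLM, including the Wow6432Node view a 32-bit process sees on x64.
RUN_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
USER_WRITABLE_RE = re.compile(r"\\AppData\\(?:Roaming|Local)\\", re.I)
# Names of Windows binaries that belong in the Windows directory; a copy
# anywhere else (here: Dllhost.exe in AppData\Roaming) is masquerading.
SYSTEM_BINARY_NAMES = {"dllhost.exe", "svchost.exe", "csrss.exe", "lsass.exe"}

Event = Dict[str, str]


def image_from_run_value(data: str) -> str:
    """Extract the executable path from Run value data such as '"C:\\x\\y.exe" ..'."""
    s = data.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def check_run_value(key: str, data: str) -> List[str]:
    """Return reasons a Run-key write looks like malware persistence (T1547.001)."""
    reasons: List[str] = []
    if not RUN_KEY_RE.search(key):
        return reasons
    image = image_from_run_value(data)
    if USER_WRITABLE_RE.search(image):
        reasons.append("autorun image lives under AppData")
    name = image.rsplit("\\", 1)[-1].lower()
    if name in SYSTEM_BINARY_NAMES and "\\windows\\" not in image.lower():
        reasons.append("system binary name outside the Windows directory")
    if data.rstrip().endswith(" .."):
        reasons.append("trailing ' ..' argument as njRAT appends to its own autorun")
    return reasons


def check_file_write(path: str) -> List[str]:
    """Return reasons a file write looks like Startup-folder persistence (T1547.001)."""
    reasons: List[str] = []
    if STARTUP_DIR_RE.search(path):
        reasons.append("executable written to the Startup folder")
        if "update" in path.rsplit("\\", 1)[-1].lower():
            reasons.append("updater-themed filename")
    return reasons


def triage(events: List[Event]) -> List[Tuple[int, List[str]]]:
    """Run the checks over event records; return (index, reasons) for hits only."""
    hits: List[Tuple[int, List[str]]] = []
    for i, ev in enumerate(events):
        if ev["type"] == "reg_set":
            reasons = check_run_value(ev["key"], ev["data"])
        elif ev["type"] == "file_create":
            reasons = check_file_write(ev["path"])
        else:
            reasons = []
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed records. The first three reproduce the IoCs reported above; the
# fourth is a made-up benign vendor updater used as a control.
SAMPLE_EVENTS: List[Event] = [
    {"type": "reg_set",
     "key": r"\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update",
     "data": r'"C:\Users\Admin\AppData\Roaming\Dllhost.exe" ..'},
    {"type": "reg_set",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update",
     "data": r'"C:\Users\Admin\AppData\Roaming\Dllhost.exe" ..'},
    {"type": "file_create",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe"},
    {"type": "reg_set",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "data": r'"C:\Program Files\Vendor\Updater.exe" /background'},
]


if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(idx, ev.get("key") or ev.get("path"), reasons)
```

Each reason is independent, so a single hit (an AppData autorun, say) stays a weak signal while the combination seen here (AppData path, masquerading name, " .." marker, Startup-folder twin) is strong enough to alert on; the control record shows a quoted Program Files path with an ordinary switch producing no reasons at all.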
Processes

C:\Users\Admin\AppData\Local\Temp\m4c050.exe (PID 1324), command line "C:\Users\Admin\AppData\Local\Temp\m4c050.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

child of PID 1324: C:\Users\Admin\AppData\Roaming\Dllhost.exe (PID 1040), command line "C:\Users\Admin\AppData\Roaming\Dllhost.exe"
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (dropped files)
Every dropped file below is byte-identical to the submitted sample (same size and hashes as listed under General), i.e. the sample copies itself rather than unpacking a second-stage payload:
C:\Users\Admin\AppData\Roaming\Dllhost.exe (listed twice on the page)
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe
\Users\Admin\AppData\Roaming\Dllhost.exe
Filesize: 43KB
MD5: 104fe8e80032d42e1ba1118fd2049e8e
SHA1: d6e6695f27fdbce964983f611fc2f09534ea5a9d
SHA256: 089c68cc6ef6d1af0201f210b0e88935e6756540aba5521969022b581e1a52e6
SHA512: d04f996e9399c0ab6b4a4f231e9307c37ea00f75e8c59a6072bfba159733f79cc90bb540c55508afffce0b00c6253f21846cfb6b3a759b89a6852c10fff7fe0a

Memory dumps (PID 1040 = Dllhost.exe, PID 1324 = m4c050.exe)
memory/1040-63-0x0000000000A50000-0x0000000000A62000-memory.dmp: 72KB
memory/1040-64-0x0000000004A60000-0x0000000004AA0000-memory.dmp: 256KB
memory/1040-66-0x0000000004A60000-0x0000000004AA0000-memory.dmp: 256KB
memory/1324-54-0x0000000000960000-0x0000000000972000-memory.dmp: 72KB
memory/1324-55-0x00000000048E0000-0x0000000004920000-memory.dmp: 256KB