Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-03-2023 04:56
Behavioral task: behavioral1
- Sample: 360feb26856fd5accc8e656c23edaf38.exe
- Resource: win7-20230220-en
General
- Target: 360feb26856fd5accc8e656c23edaf38.exe
- Size: 43KB
- MD5: 360feb26856fd5accc8e656c23edaf38
- SHA1: 1dcc19bc5f4c2bc259b40c2ba2a92e8fb35ac288
- SHA256: 3278da5825f2fa9fe2fae3a9cb16d3d8e3c47828c2258153e02567c7bc423fec
- SHA512: 75449ad3efdbad7046d2bd29c89aed435498498957e5b14f21ca928100a023acab0514c5c206c86ba9830f60e96d0222310879d23e974d057cbdfdab54b0ba9d
- SSDEEP: 384:68ZyiQt3VarE8yTH/fq5WKOEnsDay0+TzEIij+ZsNO3PlpJKkkjh/TzF7pWnB/gm:66t63MY5Tffq5hGDFuXQ/oQ3+L
Malware Config
Extracted family: njrat
- Version: Njrat 0.7 Golden By Hassan Amiri
- Botnet: HacKed
- C2: 5.tcp.eu.ngrok.io:19987
- Mutex: Windows Update
- reg_key: Windows Update
- splitter: |Hassan|
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - Key value queried: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation by 360feb26856fd5accc8e656c23edaf38.exe
- Executes dropped EXE (1 IoC)
  Processes:
  - PID 2124 Dllhost.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes:
  - PID 3192 360feb26856fd5accc8e656c23edaf38.exe
  - PID 2124 Dllhost.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes (all in PID 2124 Dllhost.exe):
  - Token: SeDebugPrivilege
  - Token: 33 and Token: SeIncBasePriorityPrivilege, alternating, for the remaining 34 IoCs
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  - PID 3192 360feb26856fd5accc8e656c23edaf38.exe wrote to memory of PID 2124 Dllhost.exe (3 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\360feb26856fd5accc8e656c23edaf38.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\360feb26856fd5accc8e656c23edaf38.exe"
  - Checks computer location settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Dllhost.exe (child process)
    Command line: "C:\Users\Admin\AppData\Roaming\Dllhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Dllhost.exe
  Filesize: 43KB
  MD5: 360feb26856fd5accc8e656c23edaf38
  SHA1: 1dcc19bc5f4c2bc259b40c2ba2a92e8fb35ac288
  SHA256: 3278da5825f2fa9fe2fae3a9cb16d3d8e3c47828c2258153e02567c7bc423fec
  SHA512: 75449ad3efdbad7046d2bd29c89aed435498498957e5b14f21ca928100a023acab0514c5c206c86ba9830f60e96d0222310879d23e974d057cbdfdab54b0ba9d
- memory/2124-147-0x0000000005970000-0x0000000005980000-memory.dmp: 64KB
- memory/2124-148-0x0000000005B20000-0x0000000005B2A000-memory.dmp: 40KB
- memory/2124-149-0x0000000005D60000-0x0000000005DC6000-memory.dmp: 408KB
- memory/2124-150-0x0000000005970000-0x0000000005980000-memory.dmp: 64KB
- memory/3192-133-0x0000000000FF0000-0x0000000001002000-memory.dmp: 72KB
- memory/3192-134-0x00000000059E0000-0x0000000005A7C000-memory.dmp: 624KB
- memory/3192-135-0x0000000005950000-0x0000000005960000-memory.dmp: 64KB
- memory/3192-136-0x0000000006230000-0x00000000067D4000-memory.dmp: 5.6MB
- memory/3192-137-0x0000000005DA0000-0x0000000005E32000-memory.dmp: 584KB