Analysis
- max time kernel: 149s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 23-03-2023 04:57
Behavioral task: behavioral1
- Sample: 360feb26856fd5accc8e656c23edaf38.exe
- Resource: win7-20230220-en
General
- Target: 360feb26856fd5accc8e656c23edaf38.exe
- Size: 43KB
- MD5: 360feb26856fd5accc8e656c23edaf38
- SHA1: 1dcc19bc5f4c2bc259b40c2ba2a92e8fb35ac288
- SHA256: 3278da5825f2fa9fe2fae3a9cb16d3d8e3c47828c2258153e02567c7bc423fec
- SHA512: 75449ad3efdbad7046d2bd29c89aed435498498957e5b14f21ca928100a023acab0514c5c206c86ba9830f60e96d0222310879d23e974d057cbdfdab54b0ba9d
- SSDEEP: 384:68ZyiQt3VarE8yTH/fq5WKOEnsDay0+TzEIij+ZsNO3PlpJKkkjh/TzF7pWnB/gm:66t63MY5Tffq5hGDFuXQ/oQ3+L
Malware Config
Extracted: njrat
- Njrat 0.7 Golden By Hassan Amiri
- HacKed
- 5.tcp.eu.ngrok.io:19987
- Windows Update
- reg_key: Windows Update
- splitter: |Hassan|
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: pid 1744 Dllhost.exe
- Loads dropped DLL (1 IoCs)
  Processes: pid 1616 360feb26856fd5accc8e656c23edaf38.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: pid 1744 Dllhost.exe
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege, 1744, Dllhost.exe (1 occurrence)
    Token: 33, 1744, Dllhost.exe (11 occurrences)
    Token: SeIncBasePriorityPrivilege, 1744, Dllhost.exe (11 occurrences)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description, pid, process, target process):
    PID 1616 wrote to memory of 1744, 1616, 360feb26856fd5accc8e656c23edaf38.exe, Dllhost.exe (4 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\360feb26856fd5accc8e656c23edaf38.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\360feb26856fd5accc8e656c23edaf38.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Dllhost.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Roaming\Dllhost.exe"
      - Executes dropped EXE
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Dllhost.exe
  Filesize: 43KB
  MD5: 360feb26856fd5accc8e656c23edaf38
  SHA1: 1dcc19bc5f4c2bc259b40c2ba2a92e8fb35ac288
  SHA256: 3278da5825f2fa9fe2fae3a9cb16d3d8e3c47828c2258153e02567c7bc423fec
  SHA512: 75449ad3efdbad7046d2bd29c89aed435498498957e5b14f21ca928100a023acab0514c5c206c86ba9830f60e96d0222310879d23e974d057cbdfdab54b0ba9d
- \Users\Admin\AppData\Roaming\Dllhost.exe
  Filesize: 43KB
  MD5: 360feb26856fd5accc8e656c23edaf38
  SHA1: 1dcc19bc5f4c2bc259b40c2ba2a92e8fb35ac288
  SHA256: 3278da5825f2fa9fe2fae3a9cb16d3d8e3c47828c2258153e02567c7bc423fec
  SHA512: 75449ad3efdbad7046d2bd29c89aed435498498957e5b14f21ca928100a023acab0514c5c206c86ba9830f60e96d0222310879d23e974d057cbdfdab54b0ba9d
- memory/1616-54-0x0000000000F50000-0x0000000000F62000-memory.dmp
  Filesize: 72KB
- memory/1616-55-0x0000000004730000-0x0000000004770000-memory.dmp
  Filesize: 256KB
- memory/1744-63-0x0000000001150000-0x0000000001162000-memory.dmp
  Filesize: 72KB
- memory/1744-64-0x0000000004C40000-0x0000000004C80000-memory.dmp
  Filesize: 256KB