Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 18-04-2023 23:02
Behavioral task: behavioral1
Sample: 9fbfec21731138df6ca9a8f18d02262b.exe
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: 9fbfec21731138df6ca9a8f18d02262b.exe
Resource: win10v2004-20230221-en
General
Target: 9fbfec21731138df6ca9a8f18d02262b.exe
Size: 43KB
MD5: 9fbfec21731138df6ca9a8f18d02262b
SHA1: bea9f533b6178d0be6ba7b4e1cc26ee05aff9cd7
SHA256: 20323c926f442b8e630948e1cf05151e95ced1d35792d0a86feba22296947326
SHA512: ca49d9eae5f0a009f44bec10b11abc4f76d18b6394e91114be895caaedbc6dc4ad4a6ea8b0063b7c1613323dda479a722a93340426ef2c77722cce7f44014707
SSDEEP: 384:tZyyV9xdW/IUyNZcP54Fi1OOOETDF56lhzYIij+ZsNO3PlpJKkkjh/TzF7pWnACl:HTDxIghNZ854Fi1lxDShuXQ/oZW+L
Malware Config
Extracted
njrat
Njrat 0.7 Golden By Hassan Amiri
???
0.tcp.eu.ngrok.io:18362
Windows Update
reg_key: Windows Update
splitter: |Hassan|
Signatures

Drops startup file 2 IoCs
Processes: 9fbfec21731138df6ca9a8f18d02262b.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | 9fbfec21731138df6ca9a8f18d02262b.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | 9fbfec21731138df6ca9a8f18d02262b.exe

Executes dropped EXE 2 IoCs
Processes: Server.exe, Server.exe
pid | process
1684 | Server.exe
992 | Server.exe

Adds Run key to start application 2 TTPs 2 IoCs
Processes: 9fbfec21731138df6ca9a8f18d02262b.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\9fbfec21731138df6ca9a8f18d02262b.exe\" .." | 9fbfec21731138df6ca9a8f18d02262b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\9fbfec21731138df6ca9a8f18d02262b.exe\" .." | 9fbfec21731138df6ca9a8f18d02262b.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: 9fbfec21731138df6ca9a8f18d02262b.exe
pid | process
1996 | 9fbfec21731138df6ca9a8f18d02262b.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs
Processes: 9fbfec21731138df6ca9a8f18d02262b.exe
description | pid | process
Token: SeDebugPrivilege | 1996 | 9fbfec21731138df6ca9a8f18d02262b.exe
Token: 33 | 1996 | 9fbfec21731138df6ca9a8f18d02262b.exe
Token: SeIncBasePriorityPrivilege | 1996 | 9fbfec21731138df6ca9a8f18d02262b.exe
Token: 33 | 1996 | 9fbfec21731138df6ca9a8f18d02262b.exe
Token: SeIncBasePriorityPrivilege | 1996 | 9fbfec21731138df6ca9a8f18d02262b.exe
Token: 33 | 1996 | 9fbfec21731138df6ca9a8f18d02262b.exe
Token: SeIncBasePriorityPrivilege | 1996 | 9fbfec21731138df6ca9a8f18d02262b.exe
Token: 33 | 1996 | 9fbfec21731138df6ca9a8f18d02262b.exe
Token: SeIncBasePriorityPrivilege | 1996 | 9fbfec21731138df6ca9a8f18d02262b.exe
Token: 33 | 1996 | 9fbfec21731138df6ca9a8f18d02262b.exe
Token: SeIncBasePriorityPrivilege | 1996 | 9fbfec21731138df6ca9a8f18d02262b.exe
Token: 33 | 1996 | 9fbfec21731138df6ca9a8f18d02262b.exe
Token: SeIncBasePriorityPrivilege | 1996 | 9fbfec21731138df6ca9a8f18d02262b.exe
Token: 33 | 1996 | 9fbfec21731138df6ca9a8f18d02262b.exe
Token: SeIncBasePriorityPrivilege | 1996 | 9fbfec21731138df6ca9a8f18d02262b.exe
Token: 33 | 1996 | 9fbfec21731138df6ca9a8f18d02262b.exe
Token: SeIncBasePriorityPrivilege | 1996 | 9fbfec21731138df6ca9a8f18d02262b.exe
Token: 33 | 1996 | 9fbfec21731138df6ca9a8f18d02262b.exe
Token: SeIncBasePriorityPrivilege | 1996 | 9fbfec21731138df6ca9a8f18d02262b.exe
Token: 33 | 1996 | 9fbfec21731138df6ca9a8f18d02262b.exe
Token: SeIncBasePriorityPrivilege | 1996 | 9fbfec21731138df6ca9a8f18d02262b.exe

Suspicious use of WriteProcessMemory 12 IoCs
Processes: 9fbfec21731138df6ca9a8f18d02262b.exe, taskeng.exe
description | pid | process | target process
PID 1996 wrote to memory of 924 | 1996 | 9fbfec21731138df6ca9a8f18d02262b.exe | schtasks.exe
PID 1996 wrote to memory of 924 | 1996 | 9fbfec21731138df6ca9a8f18d02262b.exe | schtasks.exe
PID 1996 wrote to memory of 924 | 1996 | 9fbfec21731138df6ca9a8f18d02262b.exe | schtasks.exe
PID 1996 wrote to memory of 924 | 1996 | 9fbfec21731138df6ca9a8f18d02262b.exe | schtasks.exe
PID 1032 wrote to memory of 1684 | 1032 | taskeng.exe | Server.exe
PID 1032 wrote to memory of 1684 | 1032 | taskeng.exe | Server.exe
PID 1032 wrote to memory of 1684 | 1032 | taskeng.exe | Server.exe
PID 1032 wrote to memory of 1684 | 1032 | taskeng.exe | Server.exe
PID 1032 wrote to memory of 992 | 1032 | taskeng.exe | Server.exe
PID 1032 wrote to memory of 992 | 1032 | taskeng.exe | Server.exe
PID 1032 wrote to memory of 992 | 1032 | taskeng.exe | Server.exe
PID 1032 wrote to memory of 992 | 1032 | taskeng.exe | Server.exe
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\9fbfec21731138df6ca9a8f18d02262b.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\9fbfec21731138df6ca9a8f18d02262b.exe"
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
  - Creates scheduled task(s)

(depth 1) C:\Windows\system32\taskeng.exe
Command line: taskeng.exe {6D0023E1-6F01-4F1A-8F4F-39A184CA945C} S-1-5-21-3948302646-268491222-1934009652-1000:KXZDHPUW\Admin:Interactive:[1]
- Suspicious use of WriteProcessMemory

  (depth 2) C:\Users\Admin\AppData\Local\Temp\Server.exe
  Command line: C:\Users\Admin\AppData\Local\Temp/Server.exe
  - Executes dropped EXE

  (depth 2) C:\Users\Admin\AppData\Local\Temp\Server.exe
  Command line: C:\Users\Admin\AppData\Local\Temp/Server.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\Server.exe (this entry appears three times in the report, with identical hashes each time)
Filesize: 43KB
MD5: 9fbfec21731138df6ca9a8f18d02262b
SHA1: bea9f533b6178d0be6ba7b4e1cc26ee05aff9cd7
SHA256: 20323c926f442b8e630948e1cf05151e95ced1d35792d0a86feba22296947326
SHA512: ca49d9eae5f0a009f44bec10b11abc4f76d18b6394e91114be895caaedbc6dc4ad4a6ea8b0063b7c1613323dda479a722a93340426ef2c77722cce7f44014707

memory/992-62-0x0000000000FC0000-0x0000000000FD2000-memory.dmp
Filesize: 72KB

memory/1684-60-0x00000000002B0000-0x00000000002C2000-memory.dmp
Filesize: 72KB

memory/1996-54-0x00000000013B0000-0x00000000013C2000-memory.dmp
Filesize: 72KB

memory/1996-55-0x0000000004CB0000-0x0000000004CF0000-memory.dmp
Filesize: 256KB