Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-04-2023 23:02
Behavioral task: behavioral1
- Sample: 9fbfec21731138df6ca9a8f18d02262b.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 9fbfec21731138df6ca9a8f18d02262b.exe
- Resource: win10v2004-20230221-en
General
- Target: 9fbfec21731138df6ca9a8f18d02262b.exe
- Size: 43KB
- MD5: 9fbfec21731138df6ca9a8f18d02262b
- SHA1: bea9f533b6178d0be6ba7b4e1cc26ee05aff9cd7
- SHA256: 20323c926f442b8e630948e1cf05151e95ced1d35792d0a86feba22296947326
- SHA512: ca49d9eae5f0a009f44bec10b11abc4f76d18b6394e91114be895caaedbc6dc4ad4a6ea8b0063b7c1613323dda479a722a93340426ef2c77722cce7f44014707
- SSDEEP: 384:tZyyV9xdW/IUyNZcP54Fi1OOOETDF56lhzYIij+ZsNO3PlpJKkkjh/TzF7pWnACl:HTDxIghNZ854Fi1lxDShuXQ/oZW+L
Malware Config
Extracted: njrat
- Njrat 0.7 Golden By Hassan Amiri
- ???
- 0.tcp.eu.ngrok.io:18362
- Windows Update
- reg_key: Windows Update
- splitter: |Hassan|
Signatures
- Drops startup file (2 IoCs)
  Processes: 9fbfec21731138df6ca9a8f18d02262b.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | 9fbfec21731138df6ca9a8f18d02262b.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | 9fbfec21731138df6ca9a8f18d02262b.exe
- Executes dropped EXE (2 IoCs)
  Processes: Server.exe, Server.exe
  pid | process
  4880 | Server.exe
  556 | Server.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 9fbfec21731138df6ca9a8f18d02262b.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\9fbfec21731138df6ca9a8f18d02262b.exe\" .." | 9fbfec21731138df6ca9a8f18d02262b.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\9fbfec21731138df6ca9a8f18d02262b.exe\" .." | 9fbfec21731138df6ca9a8f18d02262b.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: 9fbfec21731138df6ca9a8f18d02262b.exe
  pid | process
  4656 | 9fbfec21731138df6ca9a8f18d02262b.exe
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes: 9fbfec21731138df6ca9a8f18d02262b.exe
  description | pid | process
  Token: SeDebugPrivilege | 4656 | 9fbfec21731138df6ca9a8f18d02262b.exe
  Token: 33 | 4656 | 9fbfec21731138df6ca9a8f18d02262b.exe
  Token: SeIncBasePriorityPrivilege | 4656 | 9fbfec21731138df6ca9a8f18d02262b.exe
  Token: 33 | 4656 | 9fbfec21731138df6ca9a8f18d02262b.exe
  Token: SeIncBasePriorityPrivilege | 4656 | 9fbfec21731138df6ca9a8f18d02262b.exe
  Token: 33 | 4656 | 9fbfec21731138df6ca9a8f18d02262b.exe
  Token: SeIncBasePriorityPrivilege | 4656 | 9fbfec21731138df6ca9a8f18d02262b.exe
  Token: 33 | 4656 | 9fbfec21731138df6ca9a8f18d02262b.exe
  Token: SeIncBasePriorityPrivilege | 4656 | 9fbfec21731138df6ca9a8f18d02262b.exe
  Token: 33 | 4656 | 9fbfec21731138df6ca9a8f18d02262b.exe
  Token: SeIncBasePriorityPrivilege | 4656 | 9fbfec21731138df6ca9a8f18d02262b.exe
  Token: 33 | 4656 | 9fbfec21731138df6ca9a8f18d02262b.exe
  Token: SeIncBasePriorityPrivilege | 4656 | 9fbfec21731138df6ca9a8f18d02262b.exe
  Token: 33 | 4656 | 9fbfec21731138df6ca9a8f18d02262b.exe
  Token: SeIncBasePriorityPrivilege | 4656 | 9fbfec21731138df6ca9a8f18d02262b.exe
  Token: 33 | 4656 | 9fbfec21731138df6ca9a8f18d02262b.exe
  Token: SeIncBasePriorityPrivilege | 4656 | 9fbfec21731138df6ca9a8f18d02262b.exe
  Token: 33 | 4656 | 9fbfec21731138df6ca9a8f18d02262b.exe
  Token: SeIncBasePriorityPrivilege | 4656 | 9fbfec21731138df6ca9a8f18d02262b.exe
  Token: 33 | 4656 | 9fbfec21731138df6ca9a8f18d02262b.exe
  Token: SeIncBasePriorityPrivilege | 4656 | 9fbfec21731138df6ca9a8f18d02262b.exe
  Token: 33 | 4656 | 9fbfec21731138df6ca9a8f18d02262b.exe
  Token: SeIncBasePriorityPrivilege | 4656 | 9fbfec21731138df6ca9a8f18d02262b.exe
  Token: 33 | 4656 | 9fbfec21731138df6ca9a8f18d02262b.exe
  Token: SeIncBasePriorityPrivilege | 4656 | 9fbfec21731138df6ca9a8f18d02262b.exe
  Token: 33 | 4656 | 9fbfec21731138df6ca9a8f18d02262b.exe
  Token: SeIncBasePriorityPrivilege | 4656 | 9fbfec21731138df6ca9a8f18d02262b.exe
  Token: 33 | 4656 | 9fbfec21731138df6ca9a8f18d02262b.exe
  Token: SeIncBasePriorityPrivilege | 4656 | 9fbfec21731138df6ca9a8f18d02262b.exe
  Token: 33 | 4656 | 9fbfec21731138df6ca9a8f18d02262b.exe
  Token: SeIncBasePriorityPrivilege | 4656 | 9fbfec21731138df6ca9a8f18d02262b.exe
  Token: 33 | 4656 | 9fbfec21731138df6ca9a8f18d02262b.exe
  Token: SeIncBasePriorityPrivilege | 4656 | 9fbfec21731138df6ca9a8f18d02262b.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: 9fbfec21731138df6ca9a8f18d02262b.exe
  description | pid | process | target process
  PID 4656 wrote to memory of 1792 | 4656 | 9fbfec21731138df6ca9a8f18d02262b.exe | schtasks.exe
  PID 4656 wrote to memory of 1792 | 4656 | 9fbfec21731138df6ca9a8f18d02262b.exe | schtasks.exe
  PID 4656 wrote to memory of 1792 | 4656 | 9fbfec21731138df6ca9a8f18d02262b.exe | schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\9fbfec21731138df6ca9a8f18d02262b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9fbfec21731138df6ca9a8f18d02262b.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (child process)
    Command line: schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
    - Creates scheduled task(s)
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  Command line: C:\Users\Admin\AppData\Local\Temp/Server.exe
  - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  Command line: C:\Users\Admin\AppData\Local\Temp/Server.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Server.exe.log
  Filesize: 507B
  MD5: 25d1b50e7c0d451f3d850eb54d27ca05
  SHA1: a238807715c70a335f54e80d4855644b21a9e870
  SHA256: 650faa13e983c9046c9030f63a5fa1c33900432ec7cb3762e015da2e7c5b34a5
  SHA512: 4223a26b2fabefdf1c01443ccc7bd887464d27f02694379895a040c66db472d541218d501f1c01e1bd31012d079a31baf24e20882c32cf652a09a74e3bf385f5
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  Filesize: 43KB
  MD5: 9fbfec21731138df6ca9a8f18d02262b
  SHA1: bea9f533b6178d0be6ba7b4e1cc26ee05aff9cd7
  SHA256: 20323c926f442b8e630948e1cf05151e95ced1d35792d0a86feba22296947326
  SHA512: ca49d9eae5f0a009f44bec10b11abc4f76d18b6394e91114be895caaedbc6dc4ad4a6ea8b0063b7c1613323dda479a722a93340426ef2c77722cce7f44014707
- memory/4656-141-0x0000000005310000-0x0000000005320000-memory.dmp
  Filesize: 64KB
- memory/4656-138-0x0000000005310000-0x0000000005320000-memory.dmp
  Filesize: 64KB
- memory/4656-133-0x0000000000B80000-0x0000000000B92000-memory.dmp
  Filesize: 72KB
- memory/4656-142-0x0000000005310000-0x0000000005320000-memory.dmp
  Filesize: 64KB
- memory/4656-143-0x00000000057D0000-0x00000000057DA000-memory.dmp
  Filesize: 40KB
- memory/4656-144-0x0000000005A50000-0x0000000005AB6000-memory.dmp
  Filesize: 408KB
- memory/4656-137-0x0000000005310000-0x0000000005320000-memory.dmp
  Filesize: 64KB
- memory/4656-136-0x0000000005810000-0x00000000058A2000-memory.dmp
  Filesize: 584KB
- memory/4656-135-0x0000000005C60000-0x0000000006204000-memory.dmp
  Filesize: 5.6MB
- memory/4656-134-0x00000000053C0000-0x000000000545C000-memory.dmp
  Filesize: 624KB
- memory/4880-147-0x0000000004D50000-0x0000000004D60000-memory.dmp
  Filesize: 64KB