Analysis
Max time kernel: 149s
Max time network: 121s
Platform: windows7_x64
Resource: win7-20231129-en
Resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
Submitted: 26-01-2024 19:37
Static task: static1
Behavioral task: behavioral1
  Sample: ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4.exe
  Resource: win10v2004-20231215-en
General
Target: ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4.exe
Size: 25KB
MD5: 0aa1ade344f3ae78bc65f3d506d99706
SHA1: dae7b9c5b1a82b5fc415cfe04a9bebc305454862
SHA256: ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4
SHA512: 7edcd977d77e868671f34030b38b6ec2b119cea86669895862262dcea0978f37c57e85b0f3f15db1c32fba491871db7fd874795c5961b346828d025ebabeb732
SSDEEP: 384:5vcTzm3sU97IM7LFmEewqhXYYTO+VE+PTLhe557mA6VkMJpeC2agkxiVNQKTjoq:5vkgj98MfEEnXMbV7PAKlkcgZGK3oq
Malware Config
Extracted
Family: njrat
Version: Njrat 0.7 Golden By Hassan Amiri
system
C2: 127.0.0.1:5552 (loopback address; this build calls back to the local host, so no external C2 traffic is expected from it)
Windows Update
reg_key: Windows Update (matches the Run value name written below)
splitter: |Hassan| (field delimiter used in the RAT's C2 messages)
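The splitter above is the field delimiter of the RAT's C2 protocol. As an added example (not code from the report or from the RAT), the following decoder shows how such a stream is parsed with that splitter. It assumes njRAT's usual wire framing of a decimal byte length, a NUL, then the payload; the report itself only shows the splitter. The sample stream and every field value in it are constructed, not captured traffic.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Splitter taken from the extracted config above. The "<length>\x00<payload>" framing is
# njRAT's usual wire format and is an assumption here; the report only shows the splitter.
SPLITTER = b"|Hassan|"


@dataclass
class Message:
    command: str       # first field, e.g. "ll" (registration) or "inf"
    fields: List[str]  # remaining fields, already split on SPLITTER


def parse_frame(buf: bytes) -> Tuple[Optional[bytes], bytes]:
    """Pop the first complete frame off buf. Returns (payload, rest), or (None, buf) if incomplete."""
    nul = buf.find(b"\x00")
    if nul == -1:
        return None, buf                      # length prefix not yet complete
    length_text = buf[:nul]
    if not length_text.isdigit():
        raise ValueError(f"bad length prefix: {length_text!r}")
    length = int(length_text)
    start = nul + 1
    if len(buf) - start < length:
        return None, buf                      # payload still arriving; keep buffering
    return buf[start:start + length], buf[start + length:]


def _text(b: bytes) -> str:
    return b.decode("utf-8", errors="replace")


def split_fields(payload: bytes, splitter: bytes = SPLITTER) -> Message:
    """Split one payload into command + fields on the configured splitter."""
    parts = payload.split(splitter)
    return Message(command=_text(parts[0]), fields=[_text(p) for p in parts[1:]])


def parse_stream(buf: bytes, splitter: bytes = SPLITTER) -> Tuple[List[Message], bytes]:
    """Decode every complete frame in a TCP byte stream; return the messages plus leftover bytes."""
    messages: List[Message] = []
    while True:
        payload, buf = parse_frame(buf)
        if payload is None:
            return messages, buf
        messages.append(split_fields(payload, splitter))


def build_frame(fields: List[str], splitter: bytes = SPLITTER) -> bytes:
    """Inverse of parse_stream: join fields with the splitter, prepend decimal length and NUL."""
    payload = splitter.join(f.encode("utf-8") for f in fields)
    return str(len(payload)).encode("ascii") + b"\x00" + payload


# Constructed stream for demonstration (not captured traffic): two complete messages followed
# by a truncated third, as a reassembler would see mid-segment. Field values are made up.
SAMPLE_STREAM = (
    build_frame(["ll", "VICTIM-ID-0001", "WIN7-PC", "Admin", "0.7 Golden"])
    + build_frame(["inf", "ping"])
    + b"12\x00partial"
)


if __name__ == "__main__":
    msgs, leftover = parse_stream(SAMPLE_STREAM)
    for m in msgs:
        print(m.command, m.fields)
    print("leftover bytes:", leftover)
```

Feeding reassembled TCP payload into parse_stream and carrying the leftover bytes into the next call handles frames that straddle segment boundaries; a non-numeric length prefix raises rather than silently resynchronising, which is the right default when the splitter or framing guess turns out to be wrong for a given build.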
Signatures
Drops startup file (2 IoCs)
  Process: systemupdate.exe
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update.exe
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update.exe
Executes dropped EXE (1 IoC)
  PID 3016: systemupdate.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: systemupdate.exe
    Set value (str): \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\systemupdate.exe\" .."
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\systemupdate.exe\" .."
  (Both the per-user and the machine-wide Run key are written, with the same value name as the extracted reg_key; the trailing " .." argument is part of the command line.)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  PID 3064: ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4.exe
  PID 3016: systemupdate.exe
Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Process: systemupdate.exe (PID 3016)
    Token: SeDebugPrivilege (1 event)
    Token: 33 and Token: SeIncBasePriorityPrivilege, alternating, 17 events each
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3064 (ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4.exe) wrote to memory of PID 3016 (systemupdate.exe), 3 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4.exe"
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\systemupdate.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Roaming\systemupdate.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
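The Signatures and process tree above give three concrete persistence artefacts: a Run value in both HKCU and HKLM whose data is a quoted %AppData%\Roaming executable followed by " ..", and a copy dropped into the user's Startup folder, all by the same process. As an added example (not the sandbox's or the report's own code), the following hunt logic turns those into rules and runs them over constructed registry/file events; the event dictionary layout and the four sample events, including the benign control, are assumptions for this example, not this sandbox's output format.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Patterns derived from the IoCs in the report. The event dict layout used below is an
# assumption for this example; map your own telemetry (Sysmon 12/13, EDR) onto it.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.IGNORECASE)
ROAMING_EXE = re.compile(r"\\AppData\\Roaming\\[^\\]+\.exe", re.IGNORECASE)
# The Run value written above is  "<path>" ..  ; the trailing " .." argument is the tell.
NJRAT_RUN_VALUE = re.compile(r'^"(?P<path>[^"]+\.exe)" \.\.$')


@dataclass
class Finding:
    rule: str
    process: str
    detail: str


def check_event(ev: Dict[str, str]) -> List[Finding]:
    """Apply the persistence rules to one event; returns zero or more findings."""
    out: List[Finding] = []
    if ev["type"] == "registry_set" and RUN_KEY.search(ev["key"]):
        m = NJRAT_RUN_VALUE.match(ev["data"])
        if m and ROAMING_EXE.search(m.group("path")):
            out.append(Finding("run_key_njrat_style", ev["process"], f'{ev["key"]} = {ev["data"]}'))
        elif ROAMING_EXE.search(ev["data"]):
            # Weaker signal: any Run entry pointing into AppData\Roaming is worth a look.
            out.append(Finding("run_key_roaming_exe", ev["process"], f'{ev["key"]} = {ev["data"]}'))
    elif ev["type"] == "file_create" and STARTUP_DIR.search(ev["path"]):
        out.append(Finding("startup_folder_drop", ev["process"], ev["path"]))
    return out


def hunt(events: Iterable[Dict[str, str]]) -> List[Finding]:
    return [f for ev in events for f in check_event(ev)]


def score_by_process(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per process; one process tripping several rules is the strong signal."""
    scores: Dict[str, int] = {}
    for f in findings:
        scores[f.process] = scores.get(f.process, 0) + 1
    return scores


# Constructed events mirroring the report's IoCs, plus one benign Run entry as a control.
SAMPLE_EVENTS = [
    {"type": "registry_set", "process": "systemupdate.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update",
     "data": r'"C:\Users\Admin\AppData\Roaming\systemupdate.exe" ..'},
    {"type": "registry_set", "process": "systemupdate.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update",
     "data": r'"C:\Users\Admin\AppData\Roaming\systemupdate.exe" ..'},
    {"type": "file_create", "process": "systemupdate.exe",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update.exe"},
    {"type": "registry_set", "process": "explorer.exe",   # control: must not fire
     "key": r"\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for f in found:
        print(f.rule, f.process, f.detail)
    print(score_by_process(found))
```

The HKLM write is the detail worth keeping in a rule: the sample ran as a user named Admin, and a machine-wide Run value from a process living in a user's AppData\Roaming directory is unusual enough to alert on by itself, independent of the " .." argument.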
Network
No entries. The extracted C2 address 127.0.0.1:5552 is loopback, so this build would not produce an external callback during the run.
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Roaming\systemupdate.exe
  Filesize: 25KB
  MD5: 0aa1ade344f3ae78bc65f3d506d99706
  SHA1: dae7b9c5b1a82b5fc415cfe04a9bebc305454862
  SHA256: ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4
  SHA512: 7edcd977d77e868671f34030b38b6ec2b119cea86669895862262dcea0978f37c57e85b0f3f15db1c32fba491871db7fd874795c5961b346828d025ebabeb732
  (Hashes are identical to the submitted sample: the dropped file is a byte-for-byte self-copy, not a second-stage payload.)
Memory dumps
  memory/3016-10-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp  Filesize: 9.6MB
  memory/3016-11-0x0000000001FF0000-0x0000000002070000-memory.dmp  Filesize: 512KB
  memory/3016-12-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp  Filesize: 9.6MB
  memory/3016-14-0x0000000001FF0000-0x0000000002070000-memory.dmp  Filesize: 512KB
  memory/3016-15-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp  Filesize: 9.6MB
  memory/3016-16-0x0000000001FF0000-0x0000000002070000-memory.dmp  Filesize: 512KB
  memory/3064-0-0x0000000000490000-0x00000000004A2000-memory.dmp   Filesize: 72KB
  memory/3064-2-0x0000000000A20000-0x0000000000AA0000-memory.dmp   Filesize: 512KB
  memory/3064-1-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp   Filesize: 9.6MB
  memory/3064-3-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp   Filesize: 9.6MB
  memory/3064-9-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp   Filesize: 9.6MB
  (The same 9.6MB region at 0x000007FEF5CD0000 is mapped in both PID 3064 and PID 3016, i.e. a shared image rather than per-process injected code.)