Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-01-2024 19:40
Static task: static1
Behavioral task: behavioral1
- Sample: ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4.exe
- Resource: win10v2004-20231215-en
General
- Target: ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4.exe
- Size: 25KB
- MD5: 0aa1ade344f3ae78bc65f3d506d99706
- SHA1: dae7b9c5b1a82b5fc415cfe04a9bebc305454862
- SHA256: ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4
- SHA512: 7edcd977d77e868671f34030b38b6ec2b119cea86669895862262dcea0978f37c57e85b0f3f15db1c32fba491871db7fd874795c5961b346828d025ebabeb732
- SSDEEP: 384:5vcTzm3sU97IM7LFmEewqhXYYTO+VE+PTLhe557mA6VkMJpeC2agkxiVNQKTjoq:5vkgj98MfEEnXMbV7PAKlkcgZGK3oq
Malware Config
Extracted
- Family: njrat
- Version: Njrat 0.7 Golden By Hassan Amiri
- Botnet: system
- C2: 127.0.0.1:5552
- Mutex: Windows Update
- Attributes:
  - reg_key: Windows Update
  - splitter: |Hassan|
The configured C2 is the loopback address on port 5552, so this build cannot reach an operator from the sandbox or from a victim machine, which is consistent with the empty Network section below. The useful indicators from this run are the persistence artifacts (the Windows Update value name, the startup-folder copy and %APPDATA%\systemupdate.exe) and the |Hassan| field splitter, not network traffic.
Signatures
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Process: ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4.exe
Key value queried: \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation
-
Drops startup file (2 IoCs)
Process: systemupdate.exe
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update.exe
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update.exe
-
Executes dropped EXE (1 IoC)
Process: systemupdate.exe (PID 5016)
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: systemupdate.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\systemupdate.exe\" .."
Set value (str): \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\systemupdate.exe\" .."
The same value name, Windows Update, is written under both the machine hive and the user's hive, and the startup-folder copy above carries the same name, so one value name covers all three persistence locations; note also the trailing ".." argument in both Run values, which is part of the indicator.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: 3280 ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4.exe, 5016 systemupdate.exe
-
Suspicious use of AdjustPrivilegeToken (35 IoCs)
Process: systemupdate.exe (PID 5016)
Token: SeDebugPrivilege once, followed by 17 repetitions of the pair Token: 33 / Token: SeIncBasePriorityPrivilege (35 adjustments in total).
-
Suspicious use of WriteProcessMemory (2 IoCs)
Process: ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4.exe (PID 3280) wrote to memory of systemupdate.exe (PID 5016), recorded twice.
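Detection logic for the persistence chain listed in the signatures above, written as an added example that is not part of this sandbox report. The events are constructed to mirror the report's PIDs, paths and registry values in the shape of Sysmon event IDs 1 (process create), 11 (file create) and 13 (registry value set); the dict field names (id, pid, image, target, key, data) are this example's own convention, not a real Sysmon schema, and the benign Program Files entry is a made-up control case. The rules generalize the report's specific values: any Run value pointing into AppData, any executable dropped into a Startup folder, and any AppData process whose parent ran out of %TEMP%.

```python
from __future__ import annotations
import re
from typing import Iterable, Optional

# Added example: constructed events, not telemetry from the sandbox run. Values are copied
# from the report; the dict field names are this example's own convention.
SAMPLE = "ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4.exe"
DROPPED = "C:\\Users\\Admin\\AppData\\Roaming\\systemupdate.exe"
SID = "S-1-5-21-983843758-932321429-1636175382-1000"
RUN_DATA = '"C:\\Users\\Admin\\AppData\\Roaming\\systemupdate.exe" ..'

EVENTS = [  # shaped like Sysmon event IDs 1 (process create), 11 (file create), 13 (registry set)
    {"id": 1, "pid": 5016, "image": DROPPED, "parent_pid": 3280,
     "parent_image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE},
    {"id": 11, "pid": 5016, "image": DROPPED,
     "target": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Windows Update.exe"},
    {"id": 13, "pid": 5016, "image": DROPPED,
     "key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Update", "data": RUN_DATA},
    {"id": 13, "pid": 5016, "image": DROPPED,
     "key": "HKU\\" + SID + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Update", "data": RUN_DATA},
    # Constructed benign control: a Run value pointing into Program Files must not fire.
    {"id": 13, "pid": 4242, "image": "C:\\Program Files\\Vendor\\setup.exe",
     "key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray",
     "data": '"C:\\Program Files\\Vendor\\tray.exe" /minimized'},
]

# Paths a standard user can write to; autostart entries that point here deserve a look.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
STARTUP_EXE = re.compile(r"\\microsoft\\windows\\start menu\\programs\\startup\\[^\\]+\.exe$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.IGNORECASE)


def split_command(data: str) -> tuple[str, str]:
    """Split Run value data into (executable, arguments), honouring a quoted path.
    The report's value carries a trailing '..' argument; keep it, it is part of the indicator."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        if end == -1:
            return data.strip('"'), ""
        return data[1:end], data[end + 1:].strip()
    exe, _, args = data.partition(" ")
    return exe, args.strip()


def run_key_to_user_path(ev: dict) -> Optional[str]:
    """Sysmon 13: a Run value whose executable lives under a user-writable directory."""
    if ev["id"] != 13 or not RUN_KEY.search(ev["key"]):
        return None
    exe, args = split_command(ev["data"])
    if not USER_WRITABLE.match(exe):
        return None
    name = ev["key"].rsplit("\\", 1)[-1]
    return f"Run value {name!r} -> {exe} args={args!r}"


def startup_folder_drop(ev: dict) -> Optional[str]:
    """Sysmon 11: an executable created inside a Start Menu Startup folder."""
    if ev["id"] != 11 or not STARTUP_EXE.search(ev["target"]):
        return None
    return f"Startup folder drop: {ev['target']}"


def exec_from_appdata(ev: dict) -> Optional[str]:
    """Sysmon 1: a process under AppData launched by a parent running out of %TEMP%."""
    if ev["id"] != 1 or not USER_WRITABLE.match(ev["image"]):
        return None
    if "\\appdata\\local\\temp\\" not in ev["parent_image"].lower():
        return None
    return f"{ev['parent_image']} (pid {ev['parent_pid']}) launched {ev['image']}"


RULES = (run_key_to_user_path, startup_folder_drop, exec_from_appdata)


def hunt(events: Iterable[dict]) -> list[tuple[str, int, str]]:
    """Run every rule over every event; return (rule, pid, detail) hits in event order."""
    hits = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                hits.append((rule.__name__, ev["pid"], detail))
    return hits


def double_persistence(hits: list[tuple[str, int, str]]) -> set[int]:
    """PIDs that set a Run value AND dropped into the Startup folder, as systemupdate.exe did."""
    seen: dict[int, set[str]] = {}
    for rule, pid, _ in hits:
        seen.setdefault(pid, set()).add(rule)
    return {pid for pid, rules in seen.items()
            if {"run_key_to_user_path", "startup_folder_drop"} <= rules}


if __name__ == "__main__":
    found = hunt(EVENTS)
    for rule, pid, detail in found:
        print(f"[{rule}] pid={pid} {detail}")
    print("double persistence from PIDs:", sorted(double_persistence(found)))
```

Against the constructed events the three rules fire four times, all on PID 5016, and the Program Files control stays quiet; the double_persistence correlation is the part worth keeping in a real hunt, since a single process that writes both a Run value and a Startup-folder executable within one run is rare outside installers.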
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4.exe"
   - Checks computer location settings
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\systemupdate.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Roaming\systemupdate.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Roaming\systemupdate.exe
- Filesize: 25KB
- MD5: 0aa1ade344f3ae78bc65f3d506d99706
- SHA1: dae7b9c5b1a82b5fc415cfe04a9bebc305454862
- SHA256: ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4
- SHA512: 7edcd977d77e868671f34030b38b6ec2b119cea86669895862262dcea0978f37c57e85b0f3f15db1c32fba491871db7fd874795c5961b346828d025ebabeb732
The dropped file has the same size and hashes as the submitted sample: the first stage copies itself unchanged to %APPDATA%\systemupdate.exe and runs the copy, so one hash covers both stages.
-
Memory dumps (file, size), PID 3280:
- memory/3280-0-0x00007FFE02500000-0x00007FFE02EA1000-memory.dmp: 9.6MB
- memory/3280-1-0x000000001C020000-0x000000001C4EE000-memory.dmp: 4.8MB
- memory/3280-2-0x00007FFE02500000-0x00007FFE02EA1000-memory.dmp: 9.6MB
- memory/3280-3-0x0000000001600000-0x0000000001610000-memory.dmp: 64KB
- memory/3280-4-0x000000001BB40000-0x000000001BB52000-memory.dmp: 72KB
- memory/3280-5-0x000000001C610000-0x000000001C6B6000-memory.dmp: 664KB
- memory/3280-6-0x000000001C9D0000-0x000000001CA6C000-memory.dmp: 624KB
- memory/3280-16-0x00007FFE02500000-0x00007FFE02EA1000-memory.dmp: 9.6MB
Memory dumps (file, size), PID 5016:
- memory/5016-17-0x00007FFE02500000-0x00007FFE02EA1000-memory.dmp: 9.6MB
- memory/5016-18-0x0000000001460000-0x0000000001470000-memory.dmp: 64KB
- memory/5016-19-0x0000000001420000-0x0000000001432000-memory.dmp: 72KB
- memory/5016-20-0x00007FFE02500000-0x00007FFE02EA1000-memory.dmp: 9.6MB
- memory/5016-22-0x0000000001440000-0x0000000001448000-memory.dmp: 32KB
- memory/5016-23-0x0000000001460000-0x0000000001470000-memory.dmp: 64KB
- memory/5016-24-0x00007FFE02500000-0x00007FFE02EA1000-memory.dmp: 9.6MB
- memory/5016-25-0x0000000001460000-0x0000000001470000-memory.dmp: 64KB
- memory/5016-26-0x0000000001460000-0x0000000001470000-memory.dmp: 64KB
The 9.6MB region at 0x00007FFE02500000-0x00007FFE02EA1000 is dumped repeatedly from both processes; it is the same mapping in each, so one copy is enough for analysis.