Analysis
- max time kernel: 150s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 17-04-2024 06:54
Behavioral task: behavioral1
- Sample: Server.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: Server.exe
- Resource: win10v2004-20240412-en
General
- Target: Server.exe
- Size: 43KB
- MD5: ba1679841e5fe4d6e57fa247de4774a8
- SHA1: 8b99c2716c6c5359c452c744382801b6c66ce56c
- SHA256: e1d7377617ccd1f1c75808e60817946cc29e81a5ea079df2d0f147d8778d58f7
- SHA512: 68c75e7f98cbe2ad8bf68f8114f586d5ae0a922459fd9f1ef8b639ccdb7129c779195cdf9aa3970e10375c78ab9e59d50e41890c74f2edbbb44868b7ac0da2a8
- SSDEEP: 384:/ZyjVK7U8yrKWh7TtpEonj8lJ9UtzDgIij+ZsNO3PlpJKkkjh/TzF7pWn/G/greH:BUcY5rHh7Zvnj8l43uXQ/o33+L
Malware Config
Extracted
- Family: njrat
- Version: Njrat 0.7 Golden By Hassan Amiri
- Botnet: HacKed
- C2: returns-vary.gl.at.ply.gg:8188
- Mutex: Windows Update
- reg_key: Windows Update
- splitter: |Hassan|
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  pid 3040 svchost.exe
- Loads dropped DLL (1 IoC)
  Processes:
  pid 2200 Server.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  svchost.exe: Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."
  svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes:
  pid 2200 Server.exe
  pid 3040 svchost.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes (all entries: pid 3040 svchost.exe):
  Token: SeDebugPrivilege (1 entry), followed by Token: 33 and Token: SeIncBasePriorityPrivilege alternating (17 entries each); 35 entries in total
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  PID 2200 (Server.exe) wrote to memory of PID 3040 (svchost.exe); 4 identical entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\Server.exe (PID 2200)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
   - Loads dropped DLL
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 3040, child of Server.exe)
   Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
   - Executes dropped EXE
   - Adds Run key to start application
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
Downloads
- \Users\Admin\AppData\Local\Temp\svchost.exe
  Filesize: 43KB
  MD5: ba1679841e5fe4d6e57fa247de4774a8
  SHA1: 8b99c2716c6c5359c452c744382801b6c66ce56c
  SHA256: e1d7377617ccd1f1c75808e60817946cc29e81a5ea079df2d0f147d8778d58f7
  SHA512: 68c75e7f98cbe2ad8bf68f8114f586d5ae0a922459fd9f1ef8b639ccdb7129c779195cdf9aa3970e10375c78ab9e59d50e41890c74f2edbbb44868b7ac0da2a8
- memory/2200-0-0x0000000000D90000-0x0000000000DA2000-memory.dmp (Filesize: 72KB)
- memory/2200-1-0x00000000743A0000-0x0000000074A8E000-memory.dmp (Filesize: 6.9MB)
- memory/2200-2-0x0000000002240000-0x0000000002280000-memory.dmp (Filesize: 256KB)
- memory/2200-3-0x0000000002240000-0x0000000002280000-memory.dmp (Filesize: 256KB)
- memory/2200-14-0x00000000743A0000-0x0000000074A8E000-memory.dmp (Filesize: 6.9MB)
- memory/3040-11-0x0000000000E70000-0x0000000000E82000-memory.dmp (Filesize: 72KB)
- memory/3040-12-0x00000000743A0000-0x0000000074A8E000-memory.dmp (Filesize: 6.9MB)
- memory/3040-13-0x0000000004CB0000-0x0000000004CF0000-memory.dmp (Filesize: 256KB)
- memory/3040-15-0x00000000743A0000-0x0000000074A8E000-memory.dmp (Filesize: 6.9MB)
- memory/3040-16-0x0000000004CB0000-0x0000000004CF0000-memory.dmp (Filesize: 256KB)