Analysis
-
max time kernel
149s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted
17-04-2024 06:54
Behavioral task
behavioral1
Sample
Server.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Server.exe
Resource
win10v2004-20240412-en
General
-
Target
Server.exe
-
Size
43KB
-
MD5
ba1679841e5fe4d6e57fa247de4774a8
-
SHA1
8b99c2716c6c5359c452c744382801b6c66ce56c
-
SHA256
e1d7377617ccd1f1c75808e60817946cc29e81a5ea079df2d0f147d8778d58f7
-
SHA512
68c75e7f98cbe2ad8bf68f8114f586d5ae0a922459fd9f1ef8b639ccdb7129c779195cdf9aa3970e10375c78ab9e59d50e41890c74f2edbbb44868b7ac0da2a8
-
SSDEEP
384:/ZyjVK7U8yrKWh7TtpEonj8lJ9UtzDgIij+ZsNO3PlpJKkkjh/TzF7pWn/G/greH:BUcY5rHh7Zvnj8l43uXQ/o33+L
Malware Config
Extracted
Family
njrat
Version
Njrat 0.7 Golden By Hassan Amiri
Botnet
HacKed
C2
returns-vary.gl.at.ply.gg:8188
Mutex
Windows Update
Attributes
-
reg_key
Windows Update
-
splitter
|Hassan|
Notes on the config: "HacKed" is the stock njRAT campaign identifier and does not distinguish this operator. The C2 hostname sits under ply.gg, the tunnel domain of playit.gg, so the IP it resolves to belongs to the tunnel provider rather than to operator-owned infrastructure; hunt and block on the hostname and port, and expect both to change. The splitter |Hassan| replaces the stock |'|'| field separator, so network signatures written for stock njRAT 0.7d will not match this build's traffic.
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation | Server.exe
Caveat: the .NET runtime reads Geo\Nation when it initialises region information, and njRAT is a .NET binary, so this hit is weak on its own and does not by itself show that the sample changes behaviour by country.
Executes dropped EXE 1 IoCs
Processes:
pid | process
2812 | svchost.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." | svchost.exe
The value name matches the reg_key from the extracted config, and the data (shown escaped by the sandbox) is "C:\Users\Admin\AppData\Local\Temp\svchost.exe" .., i.e. the dropped copy plus a trailing .. argument that is a handy string to pivot on across Run values. The HKLM write lands under WOW6432Node because a 32-bit process is writing through registry redirection, and the fact that it succeeded means the sample ran with administrative rights in this sandbox; on a standard user account only the HKCU value would be created.
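A hunting check for Run values like the two above, written for this page as an added example (not code from the sandbox or from njRAT). It evaluates constructed records shaped like Sysmon Event ID 13 (RegistryEvent: value set): the two malicious records reproduce the report's Run values and SID, the benign records, their paths and second SID are made up for contrast, and `assess_autorun`, `hunt` and the directory and binary lists are names and thresholds chosen here.

```python
"""Flag autorun registrations like the two above in registry-set telemetry.

Added example; not code from the sandbox or from njRAT. Records are shaped
like Sysmon Event ID 13 (RegistryEvent: value set) and are constructed here;
the two malicious ones reproduce the report's Run values, the rest are benign
entries made up for contrast.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# Native key paths as printed by the sandbox -> Sysmon's hive abbreviations.
NATIVE_HIVES = (("\\REGISTRY\\USER\\", "HKU\\"), ("\\REGISTRY\\MACHINE\\", "HKLM\\"))
# Directories a standard user can write to; legitimate autoruns almost never point here.
USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\downloads\\")
# Windows binaries that belong only in System32/SysWOW64 (common masquerading names).
SYSTEM_BINARIES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "services.exe",
                   "smss.exe", "wininit.exe", "explorer.exe", "dllhost.exe", "conhost.exe"}
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")


@dataclass
class Finding:
    value_name: str   # name of the Run value, e.g. "Windows Update"
    image: str        # executable the value launches
    writer: str       # process that wrote the value
    reasons: List[str] = field(default_factory=list)


def normalize_key(target: str) -> str:
    r"""Map \REGISTRY\USER\... and \REGISTRY\MACHINE\... to HKU\... and HKLM\..."""
    upper = target.upper()
    for native, hive in NATIVE_HIVES:
        if upper.startswith(native):
            return hive + target[len(native):]
    return target


def extract_image_path(command_line: str) -> str:
    """Return the executable path from a Run value's data.

    Handles the quoted form seen here ("C:\\...\\svchost.exe" ..) and an
    unquoted path followed by arguments (C:\\Program Files\\X\\x.exe /silent).
    """
    text = command_line.strip()
    if text.startswith('"'):
        close = text.find('"', 1)
        return text[1:close] if close > 0 else text[1:]
    match = re.match(r"(.+?\.exe)(?:\s|$)", text, re.IGNORECASE)
    return match.group(1) if match else text.split()[0]


def assess_autorun(record: dict) -> Optional[Finding]:
    """Return a Finding if this value-set event looks like a malicious autorun."""
    if record.get("EventType") != "SetValue":
        return None
    key = normalize_key(record["TargetObject"])
    match = RUN_KEY_RE.search(key)
    if match is None:
        return None  # not a Run/RunOnce value
    image = extract_image_path(record["Details"])
    image_lower = image.lower()
    basename = image_lower.rsplit("\\", 1)[-1]
    finding = Finding(match.group("name"), image, record.get("Image", "?"))
    if any(d in image_lower for d in USER_WRITABLE_DIRS):
        finding.reasons.append("autorun target lives in a user-writable directory")
    if basename in SYSTEM_BINARIES and not any(d in image_lower for d in SYSTEM_DIRS):
        finding.reasons.append(f"system binary name {basename} outside System32/SysWOW64")
    return finding if finding.reasons else None


def hunt(records: List[dict]) -> List[Finding]:
    """Evaluate every record and keep the ones that produced a Finding."""
    return [f for f in (assess_autorun(r) for r in records) if f is not None]


SID = "S-1-5-21-355664440-2199602304-1223909400-1000"  # from the report
OTHER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed
SAMPLE_EVENTS = [
    {  # from the report: the dropped copy registers itself in the user's Run key
        "EventType": "SetValue",
        "Image": r"C:\Users\Admin\AppData\Local\Temp\svchost.exe",
        "TargetObject": "\\REGISTRY\\USER\\" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update",
        "Details": r'"C:\Users\Admin\AppData\Local\Temp\svchost.exe" ..',
    },
    {  # from the report: same value through the 32-bit view of HKLM
        "EventType": "SetValue",
        "Image": r"C:\Users\Admin\AppData\Local\Temp\svchost.exe",
        "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update",
        "Details": r'"C:\Users\Admin\AppData\Local\Temp\svchost.exe" ..',
    },
    {  # constructed benign entry: an updater under Program Files, unquoted, with an argument
        "EventType": "SetValue",
        "Image": r"C:\Program Files\Vendor\Updater.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
        "Details": r"C:\Program Files\Vendor\Updater.exe /silent",
    },
    {  # constructed benign entry: a value-set event that is not a Run key at all
        "EventType": "SetValue",
        "Image": r"C:\Windows\explorer.exe",
        "TargetObject": "HKU\\" + OTHER_SID + r"\Control Panel\Desktop\Wallpaper",
        "Details": r"C:\Users\Admin\Pictures\bg.jpg",
    },
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.value_name!r} -> {f.image} (set by {f.writer}): {'; '.join(f.reasons)}")
```

Both of the report's values trip two independent reasons (target under AppData\Local\Temp, and a svchost.exe outside System32), while the benign entries produce nothing; on real telemetry the writer process path is the third pivot, since here the autorun is written by the very binary it launches.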
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
pid | process
1008 | Server.exe
2812 | svchost.exe
Repeated GetForegroundWindow polling in both processes is consistent with njRAT reporting the active window title to its controller.
Suspicious use of AdjustPrivilegeToken 35 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2812 | svchost.exe
Token: 33 | 2812 | svchost.exe
Token: SeIncBasePriorityPrivilege | 2812 | svchost.exe
(the last two rows repeat 17 times, for 35 IoCs in total)
Token 33 is the LUID value of SeIncreaseWorkingSetPrivilege (SE_INC_WORKING_SET_PRIVILEGE), which the sandbox did not resolve to a name. Only three distinct privileges are involved: SeDebugPrivilege is enabled once, after which the same pair is re-enabled repeatedly. Enabling SeDebugPrivilege only succeeds when the token already holds it, which again points to the sample running in an elevated administrator context here.
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description | pid | process | target process
PID 1008 wrote to memory of 2812 | 1008 | Server.exe | svchost.exe
PID 1008 wrote to memory of 2812 | 1008 | Server.exe | svchost.exe
PID 1008 wrote to memory of 2812 | 1008 | Server.exe | svchost.exe
Caveat: a few writes from a parent into a child it has just created are part of normal process creation (CreateProcess copies the process parameters and environment into the new process), so these three calls alone do not indicate code injection, and no further injection-related signature appears in the report. The child runs the on-disk copy whose hashes are identical to the parent (see Downloads).
Processes
-
C:\Users\Admin\AppData\Local\Temp\Server.exe (PID 1008)
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
    C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 2812, child of 1008)
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
43KB
MD5
ba1679841e5fe4d6e57fa247de4774a8
SHA1
8b99c2716c6c5359c452c744382801b6c66ce56c
SHA256
e1d7377617ccd1f1c75808e60817946cc29e81a5ea079df2d0f147d8778d58f7
SHA512
68c75e7f98cbe2ad8bf68f8114f586d5ae0a922459fd9f1ef8b639ccdb7129c779195cdf9aa3970e10375c78ab9e59d50e41890c74f2edbbb44868b7ac0da2a8
All four hashes match the submitted Server.exe: the sample copies itself unchanged into %TEMP% under the name of the Windows Service Host binary (the genuine svchost.exe lives in C:\Windows\System32). Hunt for the hashes above and for any svchost.exe running from outside System32 or SysWOW64.
-
memory/1008-0-0x0000000000770000-0x0000000000782000-memory.dmp
Filesize
72KB
-
memory/1008-2-0x0000000074C50000-0x0000000075400000-memory.dmp
Filesize
7.7MB
-
memory/1008-1-0x00000000051C0000-0x000000000525C000-memory.dmp
Filesize
624KB
-
memory/1008-3-0x00000000051A0000-0x00000000051B0000-memory.dmp
Filesize
64KB
-
memory/1008-4-0x0000000005A10000-0x0000000005FB4000-memory.dmp
Filesize
5.6MB
-
memory/1008-5-0x0000000005560000-0x00000000055F2000-memory.dmp
Filesize
584KB
-
memory/1008-15-0x0000000074C50000-0x0000000075400000-memory.dmp
Filesize
7.7MB
-
memory/2812-16-0x0000000074C50000-0x0000000075400000-memory.dmp
Filesize
7.7MB
-
memory/2812-17-0x00000000057D0000-0x00000000057DA000-memory.dmp
Filesize
40KB
-
memory/2812-18-0x0000000074C50000-0x0000000075400000-memory.dmp
Filesize
7.7MB