Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-en
  • submitted
    14-09-2021 22:02

General

  • Target

    B513104971C9E0C5B6721A523C9475701A67BB368A74F.exe

  • Size

    189KB

  • MD5

    0e95218e1c1f7d8f18227ce0efc4a3b2

  • SHA1

    e9e8ae35e32e47c33f557d2deddb9e837450576a

  • SHA256

    b513104971c9e0c5b6721a523c9475701a67bb368a74f4b8254049569a8497fe

  • SHA512

    fa29aa2c09ab377c9eced2658474f60d418c363a4c4e318a7ed155688f55d80452f79414d76a31f56ca69b42363037764ada15145c6297c361cb281b631c34eb

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

BackUp

C2

dr-mesho.ddns.net:5552

Mutex

ce4ef724bbf43aa4dc51f763b9cf5592

Attributes
  • reg_key

    ce4ef724bbf43aa4dc51f763b9cf5592

  • splitter

    |'|'|

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Executes dropped EXE 3 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 31 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\B513104971C9E0C5B6721A523C9475701A67BB368A74F.exe
    "C:\Users\Admin\AppData\Local\Temp\B513104971C9E0C5B6721A523C9475701A67BB368A74F.exe"
    1⤵
    • Modifies system executable filetype association
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1032
    • C:\Users\Admin\AppData\Local\Temp\3582-490\B513104971C9E0C5B6721A523C9475701A67BB368A74F.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\B513104971C9E0C5B6721A523C9475701A67BB368A74F.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1888
      • C:\Windows\svchost.com
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\msdocx.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1736
        • C:\Users\Admin\AppData\Local\Temp\msdocx.exe
          C:\Users\Admin\AppData\Local\Temp\msdocx.exe
          4⤵
          • Executes dropped EXE
          • Drops startup file
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:764
          • C:\Windows\system32\netsh.exe
            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\msdocx.exe" "msdocx.exe" ENABLE
            5⤵
              PID:1900

    Network

    MITRE ATT&CK Matrix (ATT&CK v6)

    Persistence
      • Change Default File Association (1) T1042
      • Modify Existing Service (1) T1031
      • Registry Run Keys / Startup Folder (1) T1060

    Defense Evasion
      • Modify Registry (2) T1112

    Credential Access
      • Credentials in Files (1) T1081

    Discovery
      • System Information Discovery (1) T1082

    Collection
      • Data from Local System (1) T1005

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3582-490\B513104971C9E0C5B6721A523C9475701A67BB368A74F.exe
      MD5

      ac14ae51115058b92aec2ca509e13a80

      SHA1

      72c73e0d53a6691c177ed7542a75b59b3435b9a3

      SHA256

      0a2c50b3e72f559823385b5522b1ca293f4ea587bff74a0cb130349e6781eaca

      SHA512

      74eb2e631a1ce8af64d404d9ec25e4c5752fa4175cc5faff3b3ba7ebfd19abef2e10ce54df325e671e269925de0cbc0713d84fda963a9963d27ea374ae56bcbc

    • C:\Users\Admin\AppData\Local\Temp\msdocx.exe
      MD5

      ac14ae51115058b92aec2ca509e13a80

      SHA1

      72c73e0d53a6691c177ed7542a75b59b3435b9a3

      SHA256

      0a2c50b3e72f559823385b5522b1ca293f4ea587bff74a0cb130349e6781eaca

      SHA512

      74eb2e631a1ce8af64d404d9ec25e4c5752fa4175cc5faff3b3ba7ebfd19abef2e10ce54df325e671e269925de0cbc0713d84fda963a9963d27ea374ae56bcbc

    • C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp
      MD5

      f947112a644be232a148e5debae0857e

      SHA1

      5e9907ea5a8ce0dc79e20a5853ac075da24908f7

      SHA256

      d6aecd2ec862fc1c1670da49d2916d471f5f8abfaac586af4aed53a47b0550d5

      SHA512

      9cf09edfc4607efbb9e72bfb81c36a2f9164dc9c8ce6fc36c0208f0bd9017e6ec468c04eef7dd1e31167ab4e4d12e33b93ae51ac7fdf2b4e480b37b2801ba057

    • C:\Windows\svchost.com
      MD5

      aa962d6ec2961e8b1ba5739ddeb2e4b4

      SHA1

      c5aed4ad464c5720010ef764247a36721048c72f

      SHA256

      60cd79482f561687b17f8e4ab37bd42f69d431f93cd1b8ed4eb913be0e37fdb9

      SHA512

      3085c38208c7c134a7d58846322bbe4c717f9710cf22dd0aadc7402c2943d521637b5b8dfbfe8e01de3052504765544fa542e50dfb9d6989c8f92cdc4a00ecad

    • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
      MD5

      9e2b9928c89a9d0da1d3e8f4bd96afa7

      SHA1

      ec66cda99f44b62470c6930e5afda061579cde35

      SHA256

      8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

      SHA512

      2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

    • \PROGRA~2\Google\Temp\GUMB4FC.tmp\GOFB2B~1.EXE
      MD5

      583ff3367e050c4d62bc03516473b40a

      SHA1

      6aa1d26352b78310e711884829c35a69ed1bf0f9

      SHA256

      6b63f8dd47d8b3baa71b6cd205d428861b96bf09cf479071e75ddd23f97c0146

      SHA512

      e9bdd5cc2e29db48cc524488fbadb08e808f17f6e18fa595cfebae229c94f2547079e52a2ada214169577b89b2ffbef424729cd90acdea3774f5c76aec192be0

    • \PROGRA~2\Google\Update\1335~1.452\GOFB2B~1.EXE
      MD5

      583ff3367e050c4d62bc03516473b40a

      SHA1

      6aa1d26352b78310e711884829c35a69ed1bf0f9

      SHA256

      6b63f8dd47d8b3baa71b6cd205d428861b96bf09cf479071e75ddd23f97c0146

      SHA512

      e9bdd5cc2e29db48cc524488fbadb08e808f17f6e18fa595cfebae229c94f2547079e52a2ada214169577b89b2ffbef424729cd90acdea3774f5c76aec192be0

    • \Users\Admin\AppData\Local\Temp\3582-490\B513104971C9E0C5B6721A523C9475701A67BB368A74F.exe
      MD5

      ac14ae51115058b92aec2ca509e13a80

      SHA1

      72c73e0d53a6691c177ed7542a75b59b3435b9a3

      SHA256

      0a2c50b3e72f559823385b5522b1ca293f4ea587bff74a0cb130349e6781eaca

      SHA512

      74eb2e631a1ce8af64d404d9ec25e4c5752fa4175cc5faff3b3ba7ebfd19abef2e10ce54df325e671e269925de0cbc0713d84fda963a9963d27ea374ae56bcbc

    • \Users\Admin\AppData\Local\Temp\msdocx.exe
      MD5

      ac14ae51115058b92aec2ca509e13a80

      SHA1

      72c73e0d53a6691c177ed7542a75b59b3435b9a3

      SHA256

      0a2c50b3e72f559823385b5522b1ca293f4ea587bff74a0cb130349e6781eaca

      SHA512

      74eb2e631a1ce8af64d404d9ec25e4c5752fa4175cc5faff3b3ba7ebfd19abef2e10ce54df325e671e269925de0cbc0713d84fda963a9963d27ea374ae56bcbc

    • memory/764-73-0x00000000010D0000-0x00000000010D1000-memory.dmp
      Filesize

      4KB

    • memory/764-76-0x000000001B340000-0x000000001B342000-memory.dmp
      Filesize

      8KB

    • memory/764-71-0x0000000000000000-mapping.dmp
    • memory/1032-53-0x0000000075B51000-0x0000000075B53000-memory.dmp
      Filesize

      8KB

    • memory/1736-66-0x0000000000000000-mapping.dmp
    • memory/1888-58-0x0000000000F30000-0x0000000000F31000-memory.dmp
      Filesize

      4KB

    • memory/1888-64-0x000000001B130000-0x000000001B132000-memory.dmp
      Filesize

      8KB

    • memory/1888-60-0x00000000002D0000-0x00000000002D6000-memory.dmp
      Filesize

      24KB

    • memory/1888-55-0x0000000000000000-mapping.dmp
    • memory/1900-77-0x0000000000000000-mapping.dmp
    • memory/1900-78-0x000007FEFB651000-0x000007FEFB653000-memory.dmp
      Filesize

      8KB