Overview

overview

10

Static

static

Windows Se...in.exe

windows7_x64

10

Windows Se...in.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    25-09-2021 23:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Windows Security Health Service.bin.exe

  • Size

    595KB

  • MD5

    ba38fee6928359b14d6ab46fd1c6a2e2

  • SHA1

    d0ffbbdb618a86af97c9a37f8d506cff3b91e377

  • SHA256

    1cc94a68355afc41f13a6c6136b0d0d212f33a92e1f53a51075f05d49f541310

  • SHA512

    c1b9650c75a777455e4b8e21e5b01fbf7457928ab4545f5fc74d589da3c27d4ebf7c334c2d9bb5334c401cbf1a8fb68569eded934613799ba018b2261caf3a74

Score
10/10
njrathackedagilenetpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

v4.0

Botnet

HacKed

C2

blackhacked.ddns.net:5555

Mutex

Windows

Attributes
  • reg_key

    Windows

  • splitter

    |-F-|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Executes dropped EXE 4 IoCs
  • Drops startup file 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.bin.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1464
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows Security Health Service" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Health Service.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1140
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows Security Health Service" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Health Service.exe"
        3⤵
        • Adds Run key to start application
        PID:596
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Health Service.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Health Service.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:640
      • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
        "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
        3⤵
        • Executes dropped EXE
        • Drops startup file
        • Suspicious use of AdjustPrivilegeToken
        PID:1380
      • C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1264
        • C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe
          "C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe"
          4⤵
          • Executes dropped EXE
          PID:1748

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    MD5

    91c9ae9c9a17a9db5e08b120e668c74c

    SHA1

    50770954c1ceb0bb6f1d5d3f2de2a0a065773723

    SHA256

    e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

    SHA512

    ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    MD5

    91c9ae9c9a17a9db5e08b120e668c74c

    SHA1

    50770954c1ceb0bb6f1d5d3f2de2a0a065773723

    SHA256

    e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

    SHA512

    ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe
    MD5

    0e362e7005823d0bec3719b902ed6d62

    SHA1

    590d860b909804349e0cdc2f1662b37bd62f7463

    SHA256

    2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

    SHA512

    518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe
    MD5

    0e362e7005823d0bec3719b902ed6d62

    SHA1

    590d860b909804349e0cdc2f1662b37bd62f7463

    SHA256

    2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

    SHA512

    518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe
    MD5

    0e362e7005823d0bec3719b902ed6d62

    SHA1

    590d860b909804349e0cdc2f1662b37bd62f7463

    SHA256

    2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

    SHA512

    518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.txt
    MD5

    07903b62ce8bb459ec9a63e2357df7bd

    SHA1

    bcfc3021586e12fb8723876ef0d0591feb843807

    SHA256

    c356075477c96a18087bcff4460b28748c53aab248a44507086f0c07ecd139a6

    SHA512

    734da0647de778f48721de3dfa7990e0d4e73a29deb08492bb88656a5a3cc3d7ea1436d2a48bc0e16cf2ef768386ddb1ee3a27faedc2837b2f4513f99113d831

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.txt
    MD5

    9f729a8bf65fccae42f1e29b2d4815dd

    SHA1

    8e0837f23d7c4613ba2b8a1c97322f3113f36907

    SHA256

    135c3c097924bdfa00852b86ddd83c2cdbcc908c4260c0eef137b3f1286a8d7e

    SHA512

    e4a3b1cded444561f5d2a89bc8fbffba2432e40a339354eb06b6dbb7368f6ffc0ffed92970dd6dde828d565ca84cd4d1786a985c3becc98baac84553d00fb167

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Health Service.exe
    MD5

    ba38fee6928359b14d6ab46fd1c6a2e2

    SHA1

    d0ffbbdb618a86af97c9a37f8d506cff3b91e377

    SHA256

    1cc94a68355afc41f13a6c6136b0d0d212f33a92e1f53a51075f05d49f541310

    SHA512

    c1b9650c75a777455e4b8e21e5b01fbf7457928ab4545f5fc74d589da3c27d4ebf7c334c2d9bb5334c401cbf1a8fb68569eded934613799ba018b2261caf3a74

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Health Service.exe
    MD5

    ba38fee6928359b14d6ab46fd1c6a2e2

    SHA1

    d0ffbbdb618a86af97c9a37f8d506cff3b91e377

    SHA256

    1cc94a68355afc41f13a6c6136b0d0d212f33a92e1f53a51075f05d49f541310

    SHA512

    c1b9650c75a777455e4b8e21e5b01fbf7457928ab4545f5fc74d589da3c27d4ebf7c334c2d9bb5334c401cbf1a8fb68569eded934613799ba018b2261caf3a74

    Download Submit
  • \Users\Admin\AppData\Local\Temp\InstallUtil.exe
    MD5

    91c9ae9c9a17a9db5e08b120e668c74c

    SHA1

    50770954c1ceb0bb6f1d5d3f2de2a0a065773723

    SHA256

    e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

    SHA512

    ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe
    MD5

    0e362e7005823d0bec3719b902ed6d62

    SHA1

    590d860b909804349e0cdc2f1662b37bd62f7463

    SHA256

    2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

    SHA512

    518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe
    MD5

    0e362e7005823d0bec3719b902ed6d62

    SHA1

    590d860b909804349e0cdc2f1662b37bd62f7463

    SHA256

    2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

    SHA512

    518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

    Download Submit
  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Health Service.exe
    MD5

    ba38fee6928359b14d6ab46fd1c6a2e2

    SHA1

    d0ffbbdb618a86af97c9a37f8d506cff3b91e377

    SHA256

    1cc94a68355afc41f13a6c6136b0d0d212f33a92e1f53a51075f05d49f541310

    SHA512

    c1b9650c75a777455e4b8e21e5b01fbf7457928ab4545f5fc74d589da3c27d4ebf7c334c2d9bb5334c401cbf1a8fb68569eded934613799ba018b2261caf3a74

    Download Submit
  • memory/596-60-0x0000000000000000-mapping.dmp
    Download
  • memory/640-67-0x0000000004EF0000-0x0000000004EF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/640-62-0x0000000000000000-mapping.dmp
    Download
  • memory/640-72-0x0000000000B00000-0x0000000000B01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/640-71-0x0000000000BE0000-0x0000000000BEB000-memory.dmp
    Filesize

    44KB

    Download
  • memory/640-70-0x0000000004EF1000-0x0000000004EF2000-memory.dmp
    Filesize

    4KB

    Download
  • memory/640-65-0x0000000001070000-0x0000000001071000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1140-59-0x0000000000000000-mapping.dmp
    Download
  • memory/1264-84-0x0000000000E60000-0x0000000000E61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1264-81-0x0000000000000000-mapping.dmp
    Download
  • memory/1380-78-0x0000000000400000-0x000000000040E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1380-76-0x000000000040837E-mapping.dmp
    Download
  • memory/1380-75-0x0000000000400000-0x000000000040E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1380-91-0x0000000000760000-0x0000000000761000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1464-53-0x0000000000EF0000-0x0000000000EF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1464-58-0x0000000004C91000-0x0000000004C92000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1464-57-0x0000000000D40000-0x0000000000D61000-memory.dmp
    Filesize

    132KB

    Download
  • memory/1464-55-0x0000000004C90000-0x0000000004C91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1748-88-0x0000000000000000-mapping.dmp
    Download