Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    11-01-2022 07:55

General

  • Target

    93abd5fd5684804d71380d38d29229c4.exe

  • Size

    93KB

  • MD5

    93abd5fd5684804d71380d38d29229c4

  • SHA1

    37fc6c58c910d7ed3ad47d25698f52f5a8f7aeb9

  • SHA256

    13f740ded52b5779a1087e1d7a333b622ad3ed80a962e4211e76adf42cc0765b

  • SHA512

    036f32739370925d2362aa28aaf543b90e2facb7859b2ca0c46c59bcc749ec74f6823c70a20b50fd580a9ec77846c58a946ae933e404fc603b689d30bf095b0a

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

Ni50Y3Aubmdyb2suaW8Strik:MTk5MzA=

Mutex

8ed939d5d78ac3a222ff6581695b4837

Attributes
  • reg_key

    8ed939d5d78ac3a222ff6581695b4837

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Disables Task Manager via registry modification
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Drops startup file 4 IoCs
  • Drops autorun.inf file 1 TTPs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\93abd5fd5684804d71380d38d29229c4.exe
    "C:\Users\Admin\AppData\Local\Temp\93abd5fd5684804d71380d38d29229c4.exe"
    1⤵
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3376
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\93abd5fd5684804d71380d38d29229c4.exe" "93abd5fd5684804d71380d38d29229c4.exe" ENABLE
      2⤵
      PID:3532
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\93abd5fd5684804d71380d38d29229c4.exe"
      2⤵
      PID:4020
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\93abd5fd5684804d71380d38d29229c4.exe" "93abd5fd5684804d71380d38d29229c4.exe" ENABLE
      2⤵
      PID:4036
    • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
      2⤵
      • Executes dropped EXE
      PID:1636

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

    MD5

    93abd5fd5684804d71380d38d29229c4

    SHA1

    37fc6c58c910d7ed3ad47d25698f52f5a8f7aeb9

    SHA256

    13f740ded52b5779a1087e1d7a333b622ad3ed80a962e4211e76adf42cc0765b

    SHA512

    036f32739370925d2362aa28aaf543b90e2facb7859b2ca0c46c59bcc749ec74f6823c70a20b50fd580a9ec77846c58a946ae933e404fc603b689d30bf095b0a

  • C:\Users\Admin\AppData\Roaming\app

    MD5

    8f11404a507cfb98455f89a534077f73

    SHA1

    0716c668f504450353527aff1a6457b8348cf435

    SHA256

    f7c301f3fcce1c2444b540090e5024f0cea1806ab8ae1d81901ecc3b63334cbb

    SHA512

    85403dd06da5851e8c4d727ca8d87cc0e7ff4974942ec22123366684ed0e51b543a29b6d2521e2e65784c69884fde8d711e5064f104b098293fcd18c44769492

  • memory/1636-119-0x0000000000000000-mapping.dmp

  • memory/1636-123-0x0000000003001000-0x0000000003002000-memory.dmp

    Filesize

    4KB

  • memory/3376-115-0x0000000000A20000-0x0000000000A21000-memory.dmp

    Filesize

    4KB

  • memory/3532-116-0x0000000000000000-mapping.dmp

  • memory/4020-117-0x0000000000000000-mapping.dmp

  • memory/4036-118-0x0000000000000000-mapping.dmp