Overview

overview

10

Static

static

10

dridex

windows10_x64

10

Analysis

  • max time kernel
    153s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    14-01-2022 16:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    844652fb604b2b25b8ed69569eac116f46bbdc219fbc8e4be0c55aa1e6454ffd.exe

  • Size

    42KB

  • MD5

    cc2f5f3dfe758d7d8621a7435a3f9b79

  • SHA1

    b6745fa897f2d7e2791b3f4014eaf05e08eac100

  • SHA256

    844652fb604b2b25b8ed69569eac116f46bbdc219fbc8e4be0c55aa1e6454ffd

  • SHA512

    c251250372928d0f0d2198d772c939c8a3b5a5ea5127ca7539a2c0ca728f81965ccda49f05d076a457019b9646eafa3b468fff9b86c7c158cff80b6012e02e13

Score
10/10
njratfuriosevasionpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

Furios

C2

gghosting221.ddns.net:6202

Mutex

a618146538b273f7953a53ea719ce06d

Attributes
  • reg_key

    a618146538b273f7953a53ea719ce06d

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops autorun.inf file 1 TTPs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 34 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\844652fb604b2b25b8ed69569eac116f46bbdc219fbc8e4be0c55aa1e6454ffd.exe
    "C:\Users\Admin\AppData\Local\Temp\844652fb604b2b25b8ed69569eac116f46bbdc219fbc8e4be0c55aa1e6454ffd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2668
    • C:\Users\Admin\AppData\Local\Temp\System.exe
      "C:\Users\Admin\AppData\Local\Temp\System.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2632
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\System.exe" "System.exe" ENABLE
        3⤵
          PID:2296
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM Exsample.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:920

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\System.exe
      MD5

      cc2f5f3dfe758d7d8621a7435a3f9b79

      SHA1

      b6745fa897f2d7e2791b3f4014eaf05e08eac100

      SHA256

      844652fb604b2b25b8ed69569eac116f46bbdc219fbc8e4be0c55aa1e6454ffd

      SHA512

      c251250372928d0f0d2198d772c939c8a3b5a5ea5127ca7539a2c0ca728f81965ccda49f05d076a457019b9646eafa3b468fff9b86c7c158cff80b6012e02e13

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\System.exe
      MD5

      cc2f5f3dfe758d7d8621a7435a3f9b79

      SHA1

      b6745fa897f2d7e2791b3f4014eaf05e08eac100

      SHA256

      844652fb604b2b25b8ed69569eac116f46bbdc219fbc8e4be0c55aa1e6454ffd

      SHA512

      c251250372928d0f0d2198d772c939c8a3b5a5ea5127ca7539a2c0ca728f81965ccda49f05d076a457019b9646eafa3b468fff9b86c7c158cff80b6012e02e13

      Download Submit

    • memory/920-121-0x0000000000000000-mapping.dmp

      Download

    • memory/2296-120-0x0000000000000000-mapping.dmp

      Download

    • memory/2632-116-0x0000000000000000-mapping.dmp

      Download

    • memory/2632-119-0x0000000000700000-0x0000000000701000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2668-115-0x00000000023D0000-0x00000000023D1000-memory.dmp

      Filesize

      4KB

      Download