Overview

overview

10

Static

static

10

cc2f5f3dfe...79.exe

windows7_x64

10

cc2f5f3dfe...79.exe

windows10-2004_x64

1

Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    14-01-2022 16:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cc2f5f3dfe758d7d8621a7435a3f9b79.exe

  • Size

    42KB

  • MD5

    cc2f5f3dfe758d7d8621a7435a3f9b79

  • SHA1

    b6745fa897f2d7e2791b3f4014eaf05e08eac100

  • SHA256

    844652fb604b2b25b8ed69569eac116f46bbdc219fbc8e4be0c55aa1e6454ffd

  • SHA512

    c251250372928d0f0d2198d772c939c8a3b5a5ea5127ca7539a2c0ca728f81965ccda49f05d076a457019b9646eafa3b468fff9b86c7c158cff80b6012e02e13

Score
10/10
njratfuriosevasionpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

Furios

C2

gghosting221.ddns.net:6202

Mutex

a618146538b273f7953a53ea719ce06d

Attributes
  • reg_key

    a618146538b273f7953a53ea719ce06d

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Drops startup file 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops autorun.inf file 1 TTPs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 34 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cc2f5f3dfe758d7d8621a7435a3f9b79.exe
    "C:\Users\Admin\AppData\Local\Temp\cc2f5f3dfe758d7d8621a7435a3f9b79.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\Users\Admin\AppData\Local\Temp\System.exe
      "C:\Users\Admin\AppData\Local\Temp\System.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1148
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\System.exe" "System.exe" ENABLE
        3⤵
          PID:1460
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM Exsample.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1552

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\System.exe
      MD5

      cc2f5f3dfe758d7d8621a7435a3f9b79

      SHA1

      b6745fa897f2d7e2791b3f4014eaf05e08eac100

      SHA256

      844652fb604b2b25b8ed69569eac116f46bbdc219fbc8e4be0c55aa1e6454ffd

      SHA512

      c251250372928d0f0d2198d772c939c8a3b5a5ea5127ca7539a2c0ca728f81965ccda49f05d076a457019b9646eafa3b468fff9b86c7c158cff80b6012e02e13

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\System.exe
      MD5

      cc2f5f3dfe758d7d8621a7435a3f9b79

      SHA1

      b6745fa897f2d7e2791b3f4014eaf05e08eac100

      SHA256

      844652fb604b2b25b8ed69569eac116f46bbdc219fbc8e4be0c55aa1e6454ffd

      SHA512

      c251250372928d0f0d2198d772c939c8a3b5a5ea5127ca7539a2c0ca728f81965ccda49f05d076a457019b9646eafa3b468fff9b86c7c158cff80b6012e02e13

      Download Submit

    • \Users\Admin\AppData\Local\Temp\System.exe
      MD5

      cc2f5f3dfe758d7d8621a7435a3f9b79

      SHA1

      b6745fa897f2d7e2791b3f4014eaf05e08eac100

      SHA256

      844652fb604b2b25b8ed69569eac116f46bbdc219fbc8e4be0c55aa1e6454ffd

      SHA512

      c251250372928d0f0d2198d772c939c8a3b5a5ea5127ca7539a2c0ca728f81965ccda49f05d076a457019b9646eafa3b468fff9b86c7c158cff80b6012e02e13

      Download Submit

    • memory/1148-57-0x0000000000000000-mapping.dmp

      Download

    • memory/1148-61-0x0000000002070000-0x0000000002071000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1460-62-0x0000000000000000-mapping.dmp

      Download

    • memory/1552-63-0x0000000000000000-mapping.dmp

      Download

    • memory/1632-54-0x0000000076141000-0x0000000076143000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1632-55-0x0000000000B00000-0x0000000000B01000-memory.dmp

      Filesize

      4KB

      Download