Overview

overview

10

Static

static

6c45909d63...2a.exe

windows7_x64

10

6c45909d63...2a.exe

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    28-01-2022 20:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6c45909d6311f8d356ddc704b27bd975cb3336a7b6e172206165bff613f94a2a.exe

  • Size

    563KB

  • MD5

    520d99a761256efa473281d597886d42

  • SHA1

    30fe6c541971404e7d51b0dfd47afd973481286c

  • SHA256

    6c45909d6311f8d356ddc704b27bd975cb3336a7b6e172206165bff613f94a2a

  • SHA512

    6de782abf5b5db8b8215b872fa6015cf78597bf22eacaf6ff2e58cc4af2c166c3f912ae12c2266763189df2f9b0da5aaaa9f0713340205e95c37705a3a320821

Score
10/10
njratupload c.d.tevasiontrojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

Upload C.D.T

C2

office365update.duckdns.org:2000

Mutex

5cd8f17f4086744065eb0992a09e05a2

Attributes
  • reg_key

    5cd8f17f4086744065eb0992a09e05a2

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6c45909d6311f8d356ddc704b27bd975cb3336a7b6e172206165bff613f94a2a.exe
    "C:\Users\Admin\AppData\Local\Temp\6c45909d6311f8d356ddc704b27bd975cb3336a7b6e172206165bff613f94a2a.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:960
    • C:\Users\Admin\AppData\Local\Temp\6c45909d6311f8d356ddc704b27bd975cb3336a7b6e172206165bff613f94a2a.exe
      C:\Users\Admin\AppData\Local\Temp\6c45909d6311f8d356ddc704b27bd975cb3336a7b6e172206165bff613f94a2a.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:700
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\6c45909d6311f8d356ddc704b27bd975cb3336a7b6e172206165bff613f94a2a.exe" "6c45909d6311f8d356ddc704b27bd975cb3336a7b6e172206165bff613f94a2a.exe" ENABLE
        3⤵
          PID:1436

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/700-56-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/700-58-0x00000000008A0000-0x00000000008A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/700-60-0x00000000008A5000-0x00000000008B6000-memory.dmp

      Filesize

      68KB

      Download

    • memory/960-54-0x00000000751B1000-0x00000000751B3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/960-55-0x0000000002160000-0x0000000002161000-memory.dmp

      Filesize

      4KB

      Download