Overview

overview

10

Static

static

17fc7c0ec5...cd.exe

windows7_x64

10

17fc7c0ec5...cd.exe

windows10_x64

10

Analysis

  • max time kernel
    162s
  • max time network
    181s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    29-01-2022 16:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    17fc7c0ec5e91b170860f2e59b3074fdab456198a6047b8260e1c846ed5885cd.exe

  • Size

    150KB

  • MD5

    acd58bb34bb275de1570917624ade609

  • SHA1

    6def2bdaca8e08d3fd4363da008e6395cb0db49f

  • SHA256

    17fc7c0ec5e91b170860f2e59b3074fdab456198a6047b8260e1c846ed5885cd

  • SHA512

    79f51605b85b497240d8187697008a2f2dc4bd0f498c721825726e560de7189a8fcc818d10f2daf807c05dcc5be5f7b2de62cfe72d4ed6acb4586d8075b72d3e

Score
10/10
njrathackedevasiontrojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

moh-2014.linkpc.net:55

Mutex

8e3bc91142bd8d798a10a1667ae4d2be

Attributes
  • reg_key

    8e3bc91142bd8d798a10a1667ae4d2be

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\17fc7c0ec5e91b170860f2e59b3074fdab456198a6047b8260e1c846ed5885cd.exe
    "C:\Users\Admin\AppData\Local\Temp\17fc7c0ec5e91b170860f2e59b3074fdab456198a6047b8260e1c846ed5885cd.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2708
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\17fc7c0ec5e91b170860f2e59b3074fdab456198a6047b8260e1c846ed5885cd.exe" "17fc7c0ec5e91b170860f2e59b3074fdab456198a6047b8260e1c846ed5885cd.exe" ENABLE
      2⤵
        PID:3356

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2708-115-0x0000000000400000-0x000000000042C000-memory.dmp
      Filesize

      176KB

      Download
    • memory/2708-116-0x0000000004A70000-0x0000000004F6E000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/2708-117-0x0000000004900000-0x0000000004992000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2708-118-0x0000000004F70000-0x000000000500C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/2708-119-0x0000000005080000-0x0000000005081000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2708-120-0x0000000004A20000-0x0000000004A2A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2708-121-0x00000000051A0000-0x00000000051AE000-memory.dmp
      Filesize

      56KB

      Download
    • memory/2708-122-0x00000000051C0000-0x00000000051CE000-memory.dmp
      Filesize

      56KB

      Download
    • memory/2708-123-0x0000000005083000-0x0000000005085000-memory.dmp
      Filesize

      8KB

      Download