Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    26-03-2022 06:31

General

  • Target

    111eb3a585b4174c3f222f2ab08fae82dee466415a4f8253754478559963df3d.exe

  • Size

    1.7MB

  • MD5

    5de44904fb635506bc43de4fe10c1d38

  • SHA1

    b7800af591a87fe99577786b98aa09107e0c4fc8

  • SHA256

    111eb3a585b4174c3f222f2ab08fae82dee466415a4f8253754478559963df3d

  • SHA512

    a6462530b591c8222e7cfff9767a412f93ca5d39c56098a5f69724ca606eed70365b904b23939a8dac6aa8bbe398d1aec145d4054af2c4c24d1d757a1e82a73b

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Zombie

C2

pussy.n-e.kr:5552

Mutex

b62c95af1d1020e4f746a6e36fa2ec48

Attributes
  • reg_key

    b62c95af1d1020e4f746a6e36fa2ec48

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Modifies Windows Firewall 1 TTPs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\111eb3a585b4174c3f222f2ab08fae82dee466415a4f8253754478559963df3d.exe
    "C:\Users\Admin\AppData\Local\Temp\111eb3a585b4174c3f222f2ab08fae82dee466415a4f8253754478559963df3d.exe"
    1⤵
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1292
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3480
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" "RegAsm.exe" ENABLE
        3⤵
          PID:2564

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Defense Evasion

    Virtualization/Sandbox Evasion

    2
    T1497

    Modify Registry

    1
    T1112

    Discovery

    Query Registry

    3
    T1012

    Virtualization/Sandbox Evasion

    2
    T1497

    System Information Discovery

    1
    T1082

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1292-130-0x0000000077980000-0x0000000077B23000-memory.dmp
      Filesize

      1.6MB

    • memory/1292-131-0x0000000000310000-0x0000000000772000-memory.dmp
      Filesize

      4.4MB

    • memory/1292-132-0x0000000000310000-0x0000000000772000-memory.dmp
      Filesize

      4.4MB

    • memory/1292-133-0x0000000000310000-0x0000000000772000-memory.dmp
      Filesize

      4.4MB

    • memory/1292-134-0x0000000008110000-0x00000000086B4000-memory.dmp
      Filesize

      5.6MB

    • memory/1292-135-0x0000000007AB0000-0x0000000007B42000-memory.dmp
      Filesize

      584KB

    • memory/1292-136-0x0000000007A50000-0x0000000007A5A000-memory.dmp
      Filesize

      40KB

    • memory/2564-140-0x0000000000000000-mapping.dmp
    • memory/3480-137-0x0000000000000000-mapping.dmp
    • memory/3480-138-0x0000000000400000-0x000000000040C000-memory.dmp
      Filesize

      48KB

    • memory/3480-139-0x0000000004F30000-0x0000000004FCC000-memory.dmp
      Filesize

      624KB