Overview

overview

10

Static

static

a695fd4ed1...0e.exe

windows7_x64

10

a695fd4ed1...0e.exe

windows10-2004_x64

8

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    17-04-2022 15:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a695fd4ed17d1fd92b9e6e8208b44a01ac0e98315b4d6b3495edb6c60914e50e.exe

  • Size

    95KB

  • MD5

    84d0e1ba5112fab7c140af72a3dbef79

  • SHA1

    946080098ddf196d57ea4007be58913f4daaba8a

  • SHA256

    a695fd4ed17d1fd92b9e6e8208b44a01ac0e98315b4d6b3495edb6c60914e50e

  • SHA512

    b029c73dd94e7592024a08967b0879df73374cddf51ee8d383be4b74ff44d41c97be570b2d04888debe1e8164477936b2d93ddc7c8bc98c38cf59c051f35a826

Score
10/10
njrattopherpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

topher

C2

neooo.duckdns.org:5554

Mutex

Windows Services

Attributes
  • reg_key

    Windows Services

  • splitter

    |Hassan|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Executes dropped EXE 3 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a695fd4ed17d1fd92b9e6e8208b44a01ac0e98315b4d6b3495edb6c60914e50e.exe
    "C:\Users\Admin\AppData\Local\Temp\a695fd4ed17d1fd92b9e6e8208b44a01ac0e98315b4d6b3495edb6c60914e50e.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Users\Admin\AppData\Roaming\AnyOTP.exe
      "C:\Users\Admin\AppData\Roaming\AnyOTP.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Adds Run key to start application
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1396
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
        3⤵
        • Creates scheduled task(s)
        PID:1696
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {A0501A71-EBA8-4B77-962B-90405AF397E0} S-1-5-21-790309383-526510583-3802439154-1000:TVHJCWMH\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:972
    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      C:\Users\Admin\AppData\Local\Temp/Server.exe
      2⤵
      • Executes dropped EXE
      PID:996
    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      C:\Users\Admin\AppData\Local\Temp/Server.exe
      2⤵
      • Executes dropped EXE
      PID:736

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    Filesize

    95KB

    MD5

    84d0e1ba5112fab7c140af72a3dbef79

    SHA1

    946080098ddf196d57ea4007be58913f4daaba8a

    SHA256

    a695fd4ed17d1fd92b9e6e8208b44a01ac0e98315b4d6b3495edb6c60914e50e

    SHA512

    b029c73dd94e7592024a08967b0879df73374cddf51ee8d383be4b74ff44d41c97be570b2d04888debe1e8164477936b2d93ddc7c8bc98c38cf59c051f35a826

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    Filesize

    95KB

    MD5

    84d0e1ba5112fab7c140af72a3dbef79

    SHA1

    946080098ddf196d57ea4007be58913f4daaba8a

    SHA256

    a695fd4ed17d1fd92b9e6e8208b44a01ac0e98315b4d6b3495edb6c60914e50e

    SHA512

    b029c73dd94e7592024a08967b0879df73374cddf51ee8d383be4b74ff44d41c97be570b2d04888debe1e8164477936b2d93ddc7c8bc98c38cf59c051f35a826

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    Filesize

    95KB

    MD5

    84d0e1ba5112fab7c140af72a3dbef79

    SHA1

    946080098ddf196d57ea4007be58913f4daaba8a

    SHA256

    a695fd4ed17d1fd92b9e6e8208b44a01ac0e98315b4d6b3495edb6c60914e50e

    SHA512

    b029c73dd94e7592024a08967b0879df73374cddf51ee8d383be4b74ff44d41c97be570b2d04888debe1e8164477936b2d93ddc7c8bc98c38cf59c051f35a826

    Download Submit
  • C:\Users\Admin\AppData\Roaming\AnyOTP.exe
    Filesize

    95KB

    MD5

    84d0e1ba5112fab7c140af72a3dbef79

    SHA1

    946080098ddf196d57ea4007be58913f4daaba8a

    SHA256

    a695fd4ed17d1fd92b9e6e8208b44a01ac0e98315b4d6b3495edb6c60914e50e

    SHA512

    b029c73dd94e7592024a08967b0879df73374cddf51ee8d383be4b74ff44d41c97be570b2d04888debe1e8164477936b2d93ddc7c8bc98c38cf59c051f35a826

    Download Submit
  • C:\Users\Admin\AppData\Roaming\AnyOTP.exe
    Filesize

    95KB

    MD5

    84d0e1ba5112fab7c140af72a3dbef79

    SHA1

    946080098ddf196d57ea4007be58913f4daaba8a

    SHA256

    a695fd4ed17d1fd92b9e6e8208b44a01ac0e98315b4d6b3495edb6c60914e50e

    SHA512

    b029c73dd94e7592024a08967b0879df73374cddf51ee8d383be4b74ff44d41c97be570b2d04888debe1e8164477936b2d93ddc7c8bc98c38cf59c051f35a826

    Download Submit
  • \Users\Admin\AppData\Roaming\AnyOTP.exe
    Filesize

    95KB

    MD5

    84d0e1ba5112fab7c140af72a3dbef79

    SHA1

    946080098ddf196d57ea4007be58913f4daaba8a

    SHA256

    a695fd4ed17d1fd92b9e6e8208b44a01ac0e98315b4d6b3495edb6c60914e50e

    SHA512

    b029c73dd94e7592024a08967b0879df73374cddf51ee8d383be4b74ff44d41c97be570b2d04888debe1e8164477936b2d93ddc7c8bc98c38cf59c051f35a826

    Download Submit
  • memory/736-72-0x0000000000060000-0x000000000007E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/736-70-0x0000000000000000-mapping.dmp
    Download
  • memory/996-67-0x0000000000000000-mapping.dmp
    Download
  • memory/996-69-0x0000000000140000-0x000000000015E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1396-63-0x00000000003C0000-0x00000000003D2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1396-62-0x0000000000150000-0x000000000016E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1396-59-0x0000000000000000-mapping.dmp
    Download
  • memory/1696-65-0x0000000000000000-mapping.dmp
    Download
  • memory/2016-54-0x0000000000930000-0x000000000094E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2016-57-0x0000000075191000-0x0000000075193000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2016-56-0x0000000000200000-0x0000000000212000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2016-55-0x0000000000360000-0x0000000000380000-memory.dmp
    Filesize

    128KB

    Download