Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 03:43

General

  • Target

    078e63578cd61942f85311134a4edf3978070b26577b612ffc4ef1de2a179615.exe

  • Size

    350KB

  • MD5

    5d06ee3b0572ce04a5e53e25233dc693

  • SHA1

    0aad02d7f40c706876c82bec8a2b67a1b81b678c

  • SHA256

    078e63578cd61942f85311134a4edf3978070b26577b612ffc4ef1de2a179615

  • SHA512

    7ac400882991331e077af57cad5ebdd7d0614c5c1f24ca397865a9f80c3bfe8d4f68e0a00ca807a05196a0d1acef95f3fce0cc2d4efe8e9a21e9f71e61415787

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

hack

C2

gazik500.ddns.net:4444

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 18 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 17 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\078e63578cd61942f85311134a4edf3978070b26577b612ffc4ef1de2a179615.exe
    "C:\Users\Admin\AppData\Local\Temp\078e63578cd61942f85311134a4edf3978070b26577b612ffc4ef1de2a179615.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1452
    • C:\Users\Admin\AppData\Local\Temp\Dannie.exe
      "C:\Users\Admin\AppData\Local\Temp\Dannie.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:3472
      • C:\Program Files (x86)\d;\server.exe
        "C:\Program Files (x86)\d;\server.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of WriteProcessMemory
        PID:1916
        • C:\Users\Admin\AppData\Roaming\svchost.exe
          "C:\Users\Admin\AppData\Roaming\svchost.exe"
          4⤵
          • Executes dropped EXE
          • Drops startup file
          • Adds Run key to start application
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:384
    • C:\Windows\SysWOW64\mspaint.exe
      "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\166740_after.png" /ForceBootstrapPaint3D
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3264
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
    1⤵
    PID:5072
    • C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
      "C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe"
      1⤵
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3516
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc
      1⤵
      PID:4616

Network

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Registry Run Keys / Startup Folder (1) T1060

Defense Evasion

  • Modify Registry (1) T1112

Discovery

  • Query Registry (2) T1012
  • System Information Discovery (3) T1082
  • Peripheral Device Discovery (1) T1120

Downloads

  • C:\Program Files (x86)\d;\Server.exe
    Filesize

    43KB

    MD5

    4890d2eb768ec17a3a6ee2ab12209d74

    SHA1

    9bc2b46e4760e26bf95541b13a39348dfa0b2680

    SHA256

    1110e17ee226f56a7f3feed52e8b69fc4d8b3a5edc018f20af96d199009c3d64

    SHA512

    78d0b1024b2d0d14184934db2b45d29fff083e52fd665b28f7776ea01d2fe0196452961a2cb16f4658751a5c01a3f64dab2436ff47786b2de1a3a7724aa828e1

  • C:\Program Files (x86)\d;\server.exe
    Filesize

    43KB

    MD5

    4890d2eb768ec17a3a6ee2ab12209d74

    SHA1

    9bc2b46e4760e26bf95541b13a39348dfa0b2680

    SHA256

    1110e17ee226f56a7f3feed52e8b69fc4d8b3a5edc018f20af96d199009c3d64

    SHA512

    78d0b1024b2d0d14184934db2b45d29fff083e52fd665b28f7776ea01d2fe0196452961a2cb16f4658751a5c01a3f64dab2436ff47786b2de1a3a7724aa828e1

  • C:\Users\Admin\AppData\Local\Temp\Dannie.exe
    Filesize

    304KB

    MD5

    58c9d12aa7923001d6811467593d9f3a

    SHA1

    006c7e47c382a2699fcbc1acc55b4b2b280a3397

    SHA256

    eceb366ff2ee65642c96dcba00b02c22888b5b99a64ff3edf2d6ecbc69ef630b

    SHA512

    34e511548c34b184cc13be67bf73a6e3dbc588698522567313871645870f99ff16b686a8be65cb01cebbc07e47a3edadd013b894647d646d6e25086ea9ef8e5c

  • C:\Users\Admin\AppData\Roaming\svchost.exe
    Filesize

    43KB

    MD5

    4890d2eb768ec17a3a6ee2ab12209d74

    SHA1

    9bc2b46e4760e26bf95541b13a39348dfa0b2680

    SHA256

    1110e17ee226f56a7f3feed52e8b69fc4d8b3a5edc018f20af96d199009c3d64

    SHA512

    78d0b1024b2d0d14184934db2b45d29fff083e52fd665b28f7776ea01d2fe0196452961a2cb16f4658751a5c01a3f64dab2436ff47786b2de1a3a7724aa828e1

  • memory/384-141-0x0000000000000000-mapping.dmp
  • memory/384-144-0x0000000005B40000-0x0000000005B4A000-memory.dmp
    Filesize

    40KB

  • memory/1916-139-0x0000000006120000-0x00000000066C4000-memory.dmp
    Filesize

    5.6MB

  • memory/1916-140-0x0000000005C10000-0x0000000005CA2000-memory.dmp
    Filesize

    584KB

  • memory/1916-138-0x00000000057B0000-0x000000000584C000-memory.dmp
    Filesize

    624KB

  • memory/1916-137-0x0000000000E50000-0x0000000000E62000-memory.dmp
    Filesize

    72KB

  • memory/1916-134-0x0000000000000000-mapping.dmp
  • memory/3264-133-0x0000000000000000-mapping.dmp
  • memory/3472-130-0x0000000000000000-mapping.dmp