Overview

overview

10

Static

static

9d46b723ec...60.exe

windows7_x64

10

9d46b723ec...60.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 16:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9d46b723ec666db3e73ae900c474d660.exe

  • Size

    290KB

  • MD5

    9d46b723ec666db3e73ae900c474d660

  • SHA1

    a801d00b65f847806ea5c2496c62efae283b3a94

  • SHA256

    80bb4f3c9e2ea5ea1ca55ffa2a5fd303058c240133d32b93e7c89a96712a5cba

  • SHA512

    4d26098cac7368afb62c41b3c9a06870f6ae3d1fe4883ba9a4d5755d9a2e363b2d8cba55ec637ab24362a32a2c4c362d0192659a5abd62f87c2f0b0a9ed3c9cc

Score
10/10
njratwormrattevasionpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

WormRATT

C2

178.33.93.88:1742

Mutex

7869d44e9b90d6b1e669bf52c9e89c61

Attributes
  • reg_key

    7869d44e9b90d6b1e669bf52c9e89c61

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Downloads MZ/PE file
  • Executes dropped EXE 6 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops autorun.inf file 1 TTPs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9d46b723ec666db3e73ae900c474d660.exe
    "C:\Users\Admin\AppData\Local\Temp\9d46b723ec666db3e73ae900c474d660.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4836
    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4636
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Drops startup file
        • Adds Run key to start application
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2352
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
          4⤵
            PID:2328
      • C:\Users\Admin\AppData\Local\Temp\install.exe
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        2⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2036
        • C:\Users\Admin\AppData\Local\Temp\xuSnMEBMdrNBKicGIoJOWMrBBzEbipUggwzDuTib.exe
          "C:\Users\Admin\AppData\Local\Temp\xuSnMEBMdrNBKicGIoJOWMrBBzEbipUggwzDuTib.exe"
          3⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4356
          • C:\Users\Admin\AppData\Local\Temp\Server.exe
            "C:\Users\Admin\AppData\Local\Temp\Server.exe"
            4⤵
            • Executes dropped EXE
            PID:4748
          • C:\Users\Admin\AppData\Local\Temp\install.exe
            "C:\Users\Admin\AppData\Local\Temp\install.exe"
            4⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1276
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 2196
          3⤵
          • Program crash
          PID:1144
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2036 -ip 2036
      1⤵
        PID:3244

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Replication Through Removable Media

      1
      T1091

      Execution

      Persistence

      Modify Existing Service

      1
      T1031

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Replication Through Removable Media

      1
      T1091

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Server.exe.log
        Filesize

        319B

        MD5

        da4fafeffe21b7cb3a8c170ca7911976

        SHA1

        50ef77e2451ab60f93f4db88325b897d215be5ad

        SHA256

        7341a4a13e81cbb5b7f39ec47bb45f84836b08b8d8e3ea231d2c7dad982094f7

        SHA512

        0bc24b69460f31a0ebc0628b99908d818ee85feb7e4b663271d9375b30cced0cd55a0bbf8edff1281a4c886ddf4476ffc989c283069cdcb1235ffcb265580fc6

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\Server.exe
        Filesize

        37KB

        MD5

        05d1abc69e538eb3c86bfeacc33c2a10

        SHA1

        f424222562968f86d5d043cce57b1a0389061150

        SHA256

        cf37aa59e0d281f372b3801bcd62dba2dbf280d6f9edb48dc9c1565897d81918

        SHA512

        e8aa15db240a82a24e8143df79fec3356e60942df6c26ca4ea995108d9e165292679dc94ea4ff55a7831ac0a47a938c45594733e48052aabf865284229751526

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\Server.exe
        Filesize

        37KB

        MD5

        05d1abc69e538eb3c86bfeacc33c2a10

        SHA1

        f424222562968f86d5d043cce57b1a0389061150

        SHA256

        cf37aa59e0d281f372b3801bcd62dba2dbf280d6f9edb48dc9c1565897d81918

        SHA512

        e8aa15db240a82a24e8143df79fec3356e60942df6c26ca4ea995108d9e165292679dc94ea4ff55a7831ac0a47a938c45594733e48052aabf865284229751526

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\Server.exe
        Filesize

        37KB

        MD5

        05d1abc69e538eb3c86bfeacc33c2a10

        SHA1

        f424222562968f86d5d043cce57b1a0389061150

        SHA256

        cf37aa59e0d281f372b3801bcd62dba2dbf280d6f9edb48dc9c1565897d81918

        SHA512

        e8aa15db240a82a24e8143df79fec3356e60942df6c26ca4ea995108d9e165292679dc94ea4ff55a7831ac0a47a938c45594733e48052aabf865284229751526

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\install.exe
        Filesize

        22KB

        MD5

        f0fd76de624b9ba3c126c58a5911f891

        SHA1

        0461b5f1ca0aea15b7ce10b6cd85838d8b467a6a

        SHA256

        a76025cb6fa555f77738a9887f6fcd5d3610678170a61bfbe611ee56537f986b

        SHA512

        8b1b6b0a77778bc5dac1125930cfeadc21735ff3a92134e5bbc2f47196f80ab2a9777ad072925f785e76e8f4680ceb650254bbb5cd4e10d414982c2f22174b5b

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\install.exe
        Filesize

        22KB

        MD5

        f0fd76de624b9ba3c126c58a5911f891

        SHA1

        0461b5f1ca0aea15b7ce10b6cd85838d8b467a6a

        SHA256

        a76025cb6fa555f77738a9887f6fcd5d3610678170a61bfbe611ee56537f986b

        SHA512

        8b1b6b0a77778bc5dac1125930cfeadc21735ff3a92134e5bbc2f47196f80ab2a9777ad072925f785e76e8f4680ceb650254bbb5cd4e10d414982c2f22174b5b

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\install.exe
        Filesize

        22KB

        MD5

        f0fd76de624b9ba3c126c58a5911f891

        SHA1

        0461b5f1ca0aea15b7ce10b6cd85838d8b467a6a

        SHA256

        a76025cb6fa555f77738a9887f6fcd5d3610678170a61bfbe611ee56537f986b

        SHA512

        8b1b6b0a77778bc5dac1125930cfeadc21735ff3a92134e5bbc2f47196f80ab2a9777ad072925f785e76e8f4680ceb650254bbb5cd4e10d414982c2f22174b5b

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        Filesize

        37KB

        MD5

        05d1abc69e538eb3c86bfeacc33c2a10

        SHA1

        f424222562968f86d5d043cce57b1a0389061150

        SHA256

        cf37aa59e0d281f372b3801bcd62dba2dbf280d6f9edb48dc9c1565897d81918

        SHA512

        e8aa15db240a82a24e8143df79fec3356e60942df6c26ca4ea995108d9e165292679dc94ea4ff55a7831ac0a47a938c45594733e48052aabf865284229751526

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        Filesize

        37KB

        MD5

        05d1abc69e538eb3c86bfeacc33c2a10

        SHA1

        f424222562968f86d5d043cce57b1a0389061150

        SHA256

        cf37aa59e0d281f372b3801bcd62dba2dbf280d6f9edb48dc9c1565897d81918

        SHA512

        e8aa15db240a82a24e8143df79fec3356e60942df6c26ca4ea995108d9e165292679dc94ea4ff55a7831ac0a47a938c45594733e48052aabf865284229751526

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\xuSnMEBMdrNBKicGIoJOWMrBBzEbipUggwzDuTib.exe
        Filesize

        290KB

        MD5

        9d46b723ec666db3e73ae900c474d660

        SHA1

        a801d00b65f847806ea5c2496c62efae283b3a94

        SHA256

        80bb4f3c9e2ea5ea1ca55ffa2a5fd303058c240133d32b93e7c89a96712a5cba

        SHA512

        4d26098cac7368afb62c41b3c9a06870f6ae3d1fe4883ba9a4d5755d9a2e363b2d8cba55ec637ab24362a32a2c4c362d0192659a5abd62f87c2f0b0a9ed3c9cc

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\xuSnMEBMdrNBKicGIoJOWMrBBzEbipUggwzDuTib.exe
        Filesize

        290KB

        MD5

        9d46b723ec666db3e73ae900c474d660

        SHA1

        a801d00b65f847806ea5c2496c62efae283b3a94

        SHA256

        80bb4f3c9e2ea5ea1ca55ffa2a5fd303058c240133d32b93e7c89a96712a5cba

        SHA512

        4d26098cac7368afb62c41b3c9a06870f6ae3d1fe4883ba9a4d5755d9a2e363b2d8cba55ec637ab24362a32a2c4c362d0192659a5abd62f87c2f0b0a9ed3c9cc

        Download Submit
      • memory/1276-150-0x0000000005110000-0x000000000511A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/1276-148-0x0000000000000000-mapping.dmp
        Download
      • memory/2036-136-0x00000000001F0000-0x00000000001FC000-memory.dmp
        Filesize

        48KB

        Download
      • memory/2036-140-0x0000000004D00000-0x0000000004D92000-memory.dmp
        Filesize

        584KB

        Download
      • memory/2036-133-0x0000000000000000-mapping.dmp
        Download
      • memory/2036-139-0x0000000004C60000-0x0000000004CFC000-memory.dmp
        Filesize

        624KB

        Download
      • memory/2036-144-0x0000000006230000-0x0000000006296000-memory.dmp
        Filesize

        408KB

        Download
      • memory/2036-137-0x0000000005210000-0x00000000057B4000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/2328-156-0x0000000000000000-mapping.dmp
        Download
      • memory/2352-154-0x0000000074270000-0x0000000074821000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2352-151-0x0000000000000000-mapping.dmp
        Download
      • memory/4356-141-0x0000000000000000-mapping.dmp
        Download
      • memory/4636-138-0x0000000074270000-0x0000000074821000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/4636-130-0x0000000000000000-mapping.dmp
        Download
      • memory/4748-147-0x0000000074270000-0x0000000074821000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/4748-145-0x0000000000000000-mapping.dmp
        Download