Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    156s
  • max time network
    156s
  • platform
    windows10_x64
  • resource
    win10-20220414-en
  • submitted
    21-05-2022 16:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    80bb4f3c9e2ea5ea1ca55ffa2a5fd303058c240133d32b93e7c89a96712a5cba.exe

  • Size

    290KB

  • MD5

    9d46b723ec666db3e73ae900c474d660

  • SHA1

    a801d00b65f847806ea5c2496c62efae283b3a94

  • SHA256

    80bb4f3c9e2ea5ea1ca55ffa2a5fd303058c240133d32b93e7c89a96712a5cba

  • SHA512

    4d26098cac7368afb62c41b3c9a06870f6ae3d1fe4883ba9a4d5755d9a2e363b2d8cba55ec637ab24362a32a2c4c362d0192659a5abd62f87c2f0b0a9ed3c9cc

Score
10/10
njratwormrattevasionpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

WormRATT

C2

178.33.93.88:1742

Mutex

7869d44e9b90d6b1e669bf52c9e89c61

Attributes
  • reg_key

    7869d44e9b90d6b1e669bf52c9e89c61

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Downloads MZ/PE file
  • Executes dropped EXE 6 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops autorun.inf file 1 TTPs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\80bb4f3c9e2ea5ea1ca55ffa2a5fd303058c240133d32b93e7c89a96712a5cba.exe
    "C:\Users\Admin\AppData\Local\Temp\80bb4f3c9e2ea5ea1ca55ffa2a5fd303058c240133d32b93e7c89a96712a5cba.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2272
    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1296
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Drops startup file
        • Adds Run key to start application
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2592
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
          4⤵
            PID:1628
      • C:\Users\Admin\AppData\Local\Temp\install.exe
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3112
        • C:\Users\Admin\AppData\Local\Temp\xuSnMEBMdrNBKicGIoJOWMrBBzEbipUggwzDuTib.exe
          "C:\Users\Admin\AppData\Local\Temp\xuSnMEBMdrNBKicGIoJOWMrBBzEbipUggwzDuTib.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3352
          • C:\Users\Admin\AppData\Local\Temp\Server.exe
            "C:\Users\Admin\AppData\Local\Temp\Server.exe"
            4⤵
            • Executes dropped EXE
            PID:2024
          • C:\Users\Admin\AppData\Local\Temp\install.exe
            "C:\Users\Admin\AppData\Local\Temp\install.exe"
            4⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2548
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 1860
          3⤵
          • Program crash
          PID:2052

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Replication Through Removable Media

    1
    T1091

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Replication Through Removable Media

    1
    T1091

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Server.exe.log
      Filesize

      319B

      MD5

      6b5a2c06d34c86bcc8aacc3a739fd362

      SHA1

      54fc90eaa12ba9251414e8dac83fdae08819ee42

      SHA256

      1492fc3847a36be51e64ca15fb12b6cc177891495f6409cfe678d88cb2f59b68

      SHA512

      228099efd50e8017eb9e320459bba6c4d40af8c92c1761b58ce35424f7f1bc1c3d4f4d808515ed27570f0e50bdf8945a9f8264806f92c30d2a70a9aa85c444ba

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      Filesize

      37KB

      MD5

      05d1abc69e538eb3c86bfeacc33c2a10

      SHA1

      f424222562968f86d5d043cce57b1a0389061150

      SHA256

      cf37aa59e0d281f372b3801bcd62dba2dbf280d6f9edb48dc9c1565897d81918

      SHA512

      e8aa15db240a82a24e8143df79fec3356e60942df6c26ca4ea995108d9e165292679dc94ea4ff55a7831ac0a47a938c45594733e48052aabf865284229751526

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      Filesize

      37KB

      MD5

      05d1abc69e538eb3c86bfeacc33c2a10

      SHA1

      f424222562968f86d5d043cce57b1a0389061150

      SHA256

      cf37aa59e0d281f372b3801bcd62dba2dbf280d6f9edb48dc9c1565897d81918

      SHA512

      e8aa15db240a82a24e8143df79fec3356e60942df6c26ca4ea995108d9e165292679dc94ea4ff55a7831ac0a47a938c45594733e48052aabf865284229751526

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      Filesize

      37KB

      MD5

      05d1abc69e538eb3c86bfeacc33c2a10

      SHA1

      f424222562968f86d5d043cce57b1a0389061150

      SHA256

      cf37aa59e0d281f372b3801bcd62dba2dbf280d6f9edb48dc9c1565897d81918

      SHA512

      e8aa15db240a82a24e8143df79fec3356e60942df6c26ca4ea995108d9e165292679dc94ea4ff55a7831ac0a47a938c45594733e48052aabf865284229751526

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\install.exe
      Filesize

      22KB

      MD5

      f0fd76de624b9ba3c126c58a5911f891

      SHA1

      0461b5f1ca0aea15b7ce10b6cd85838d8b467a6a

      SHA256

      a76025cb6fa555f77738a9887f6fcd5d3610678170a61bfbe611ee56537f986b

      SHA512

      8b1b6b0a77778bc5dac1125930cfeadc21735ff3a92134e5bbc2f47196f80ab2a9777ad072925f785e76e8f4680ceb650254bbb5cd4e10d414982c2f22174b5b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\install.exe
      Filesize

      22KB

      MD5

      f0fd76de624b9ba3c126c58a5911f891

      SHA1

      0461b5f1ca0aea15b7ce10b6cd85838d8b467a6a

      SHA256

      a76025cb6fa555f77738a9887f6fcd5d3610678170a61bfbe611ee56537f986b

      SHA512

      8b1b6b0a77778bc5dac1125930cfeadc21735ff3a92134e5bbc2f47196f80ab2a9777ad072925f785e76e8f4680ceb650254bbb5cd4e10d414982c2f22174b5b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\install.exe
      Filesize

      22KB

      MD5

      f0fd76de624b9ba3c126c58a5911f891

      SHA1

      0461b5f1ca0aea15b7ce10b6cd85838d8b467a6a

      SHA256

      a76025cb6fa555f77738a9887f6fcd5d3610678170a61bfbe611ee56537f986b

      SHA512

      8b1b6b0a77778bc5dac1125930cfeadc21735ff3a92134e5bbc2f47196f80ab2a9777ad072925f785e76e8f4680ceb650254bbb5cd4e10d414982c2f22174b5b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      Filesize

      37KB

      MD5

      05d1abc69e538eb3c86bfeacc33c2a10

      SHA1

      f424222562968f86d5d043cce57b1a0389061150

      SHA256

      cf37aa59e0d281f372b3801bcd62dba2dbf280d6f9edb48dc9c1565897d81918

      SHA512

      e8aa15db240a82a24e8143df79fec3356e60942df6c26ca4ea995108d9e165292679dc94ea4ff55a7831ac0a47a938c45594733e48052aabf865284229751526

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      Filesize

      37KB

      MD5

      05d1abc69e538eb3c86bfeacc33c2a10

      SHA1

      f424222562968f86d5d043cce57b1a0389061150

      SHA256

      cf37aa59e0d281f372b3801bcd62dba2dbf280d6f9edb48dc9c1565897d81918

      SHA512

      e8aa15db240a82a24e8143df79fec3356e60942df6c26ca4ea995108d9e165292679dc94ea4ff55a7831ac0a47a938c45594733e48052aabf865284229751526

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\xuSnMEBMdrNBKicGIoJOWMrBBzEbipUggwzDuTib.exe
      Filesize

      290KB

      MD5

      9d46b723ec666db3e73ae900c474d660

      SHA1

      a801d00b65f847806ea5c2496c62efae283b3a94

      SHA256

      80bb4f3c9e2ea5ea1ca55ffa2a5fd303058c240133d32b93e7c89a96712a5cba

      SHA512

      4d26098cac7368afb62c41b3c9a06870f6ae3d1fe4883ba9a4d5755d9a2e363b2d8cba55ec637ab24362a32a2c4c362d0192659a5abd62f87c2f0b0a9ed3c9cc

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\xuSnMEBMdrNBKicGIoJOWMrBBzEbipUggwzDuTib.exe
      Filesize

      290KB

      MD5

      9d46b723ec666db3e73ae900c474d660

      SHA1

      a801d00b65f847806ea5c2496c62efae283b3a94

      SHA256

      80bb4f3c9e2ea5ea1ca55ffa2a5fd303058c240133d32b93e7c89a96712a5cba

      SHA512

      4d26098cac7368afb62c41b3c9a06870f6ae3d1fe4883ba9a4d5755d9a2e363b2d8cba55ec637ab24362a32a2c4c362d0192659a5abd62f87c2f0b0a9ed3c9cc

      Download Submit
    • memory/1296-127-0x0000000073340000-0x00000000738F0000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1296-118-0x0000000000000000-mapping.dmp
      Download
    • memory/1628-146-0x0000000000000000-mapping.dmp
      Download
    • memory/2024-134-0x0000000000000000-mapping.dmp
      Download
    • memory/2024-139-0x0000000073340000-0x00000000738F0000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2548-136-0x0000000000000000-mapping.dmp
      Download
    • memory/2548-138-0x0000000005890000-0x0000000005922000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2548-140-0x0000000003190000-0x000000000319A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2592-141-0x0000000000000000-mapping.dmp
      Download
    • memory/2592-144-0x0000000073340000-0x00000000738F0000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/3112-124-0x0000000000440000-0x000000000044C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/3112-132-0x00000000062D0000-0x0000000006336000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3112-126-0x0000000004E40000-0x0000000004EDC000-memory.dmp
      Filesize

      624KB

      Download
    • memory/3112-125-0x00000000052A0000-0x000000000579E000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/3112-121-0x0000000000000000-mapping.dmp
      Download
    • memory/3352-128-0x0000000000000000-mapping.dmp
      Download