Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    25-05-2022 02:17

General

  • Target

    0df3ade3af4c875ce8e834ad1c4e8052148173d8d95e757454279454a11c311f.exe

  • Size

    4.8MB

  • MD5

    b34ac778e2e106c5d747e6f33f01a863

  • SHA1

    c17521f2ddb2a538158ce7f9cc44ada2f61c40aa

  • SHA256

    0df3ade3af4c875ce8e834ad1c4e8052148173d8d95e757454279454a11c311f

  • SHA512

    cee1861805d3875073410722e728570b185d5701a16d6c32c7adc54d2ad6e633f08dbc709f71ea3fbc151eb824830d6fb2ff63d08a3ccf4f15b74dc26da05c0f

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

System

C2

videobabshering.ru:3389

Mutex

b21bc800264adb97f1965cc7df1cb800

Attributes
  • reg_key

    b21bc800264adb97f1965cc7df1cb800

  • splitter

    Y262SUCZ4UJJ

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Executes dropped EXE 3 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0df3ade3af4c875ce8e834ad1c4e8052148173d8d95e757454279454a11c311f.exe
    "C:\Users\Admin\AppData\Local\Temp\0df3ade3af4c875ce8e834ad1c4e8052148173d8d95e757454279454a11c311f.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1800
    • C:\Users\Admin\AppData\Local\Temp\System.exe
      "C:\Users\Admin\AppData\Local\Temp\System.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1000
      • C:\Windows\System.exe
        "C:\Windows\System.exe"
        3⤵
        • Executes dropped EXE
        • Drops startup file
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1036
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Windows\System.exe" "System.exe" ENABLE
          4⤵
            PID:1844
      • C:\Users\Admin\AppData\Local\Temp\Warface.exe
        "C:\Users\Admin\AppData\Local\Temp\Warface.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1448
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" http://java.com/download
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1132
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1132 CREDAT:275457 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            PID:1168

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    Modify Existing Service (1) T1031
    Registry Run Keys / Startup Folder (1) T1060
  • Defense Evasion
    Modify Registry (2) T1112
  • Discovery
    System Information Discovery (1) T1082


Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      60KB

      MD5

      308336e7f515478969b24c13ded11ede

      SHA1

      8fb0cf42b77dbbef224a1e5fc38abc2486320775

      SHA256

      889b832323726a9f10ad03f85562048fdcfe20c9ff6f9d37412cf477b4e92ff9

      SHA512

      61ad97228cd6c3909ef3ac5e4940199971f293bdd0d5eb7916e60469573a44b6287c0fa1e0b6c1389df35eb6c9a7d2a61fdb318d4a886a3821ef5a9dab3ac24f

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      cf8f89d6f9830ce3f877e4f8becee2fd

      SHA1

      1361cf990f4fa029bdc4f87fa6d0374cccf71bc2

      SHA256

      c553313fa0f254780653c2bc8a1f39999478c7f1bcdcf317abcbaa0c6f76a14d

      SHA512

      b4d31717a6a534a9350ea243987f79c491bca28c17573b01d4b88ee240a1cea7cf029a01aef59ca54d1330a69db9fdee7de6eb5acd70cfcec96f2e84b8942890

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ezmz917\imagestore.dat
      Filesize

      5KB

      MD5

      aa7c8fdb6f42762d1e8a6d81f74ad5cc

      SHA1

      f204f441677e719c25bd0673c46ff929eda6d22d

      SHA256

      f5d01f1625455c709d7bde86b623aa3f0486c5289d561ee786e4429317b90031

      SHA512

      e3bf2db421379cfc3bf987539b7e7c529fdb7bdcc78894a685b8ed833ad7c52196271ef6e55bb9ec96fb73406afc7043e8b695de7b4f49af5d8fa5e2543ec61d

    • C:\Users\Admin\AppData\Local\Temp\System.exe
      Filesize

      31KB

      MD5

      00850380b4844288abf6be0dfb391865

      SHA1

      bc4ec977aeacb084b50ff392868d49470ecfe841

      SHA256

      d58947ddc3ed978e0d4223382d8dc090bc69b41de5bf90ddf2885e708b8ee1d0

      SHA512

      4436c9eca2422ccc7f57cd3ff3b390c9d852e3ea10fe036b54cc2fabbcb00e459700d06fc254bb61067365348e2984d74e651cbc35a8d8036458c8f180776ad9

    • C:\Users\Admin\AppData\Local\Temp\Warface.exe
      Filesize

      4.7MB

      MD5

      5b8b41957540a193c2d3e4849a3c1c44

      SHA1

      f558fb2ff08f93cfe3441b7637a19cebde13d3c3

      SHA256

      2bf0d866559c542912f42e23325e140b3af0fce4da8e4e4f965104ac44e54efe

      SHA512

      cd51a483d444095426f9731e55565aa2b791ccd2cd5fe1ac1d7ff69c32bf611b0ae7c6d9bc452637ee4a82e5cc03452ad7d6137b3a94d6754362bb904224f6f8

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\DUTQXZIT.txt
      Filesize

      606B

      MD5

      97ae28bdb494acd1c396581b582cf43a

      SHA1

      270f53c84a293a52484988355259a8854c753a74

      SHA256

      4830f1abd3e92f074b3dc8c4b9e87fb302806b6c4491241e7de0ac319766b5c0

      SHA512

      2db04cadacc2e89c6fb0540d440247872720feba538378a5c6f94bbd04db01dd3342bdd99516919e132cbeb12eeea1142b9bbac586471cc1c71bdac15d1b8d3b

    • C:\Windows\System.exe
      Filesize

      31KB

      MD5

      00850380b4844288abf6be0dfb391865

      SHA1

      bc4ec977aeacb084b50ff392868d49470ecfe841

      SHA256

      d58947ddc3ed978e0d4223382d8dc090bc69b41de5bf90ddf2885e708b8ee1d0

      SHA512

      4436c9eca2422ccc7f57cd3ff3b390c9d852e3ea10fe036b54cc2fabbcb00e459700d06fc254bb61067365348e2984d74e651cbc35a8d8036458c8f180776ad9

    • \Users\Admin\AppData\Local\Temp\System.exe
      Filesize

      31KB

      MD5

      00850380b4844288abf6be0dfb391865

      SHA1

      bc4ec977aeacb084b50ff392868d49470ecfe841

      SHA256

      d58947ddc3ed978e0d4223382d8dc090bc69b41de5bf90ddf2885e708b8ee1d0

      SHA512

      4436c9eca2422ccc7f57cd3ff3b390c9d852e3ea10fe036b54cc2fabbcb00e459700d06fc254bb61067365348e2984d74e651cbc35a8d8036458c8f180776ad9

    • \Users\Admin\AppData\Local\Temp\Warface.exe
      Filesize

      4.7MB

      MD5

      5b8b41957540a193c2d3e4849a3c1c44

      SHA1

      f558fb2ff08f93cfe3441b7637a19cebde13d3c3

      SHA256

      2bf0d866559c542912f42e23325e140b3af0fce4da8e4e4f965104ac44e54efe

      SHA512

      cd51a483d444095426f9731e55565aa2b791ccd2cd5fe1ac1d7ff69c32bf611b0ae7c6d9bc452637ee4a82e5cc03452ad7d6137b3a94d6754362bb904224f6f8

    • memory/1000-65-0x0000000073D00000-0x00000000742AB000-memory.dmp
      Filesize

      5.7MB

    • memory/1000-56-0x0000000000000000-mapping.dmp
    • memory/1036-66-0x0000000000000000-mapping.dmp
    • memory/1036-70-0x0000000073D00000-0x00000000742AB000-memory.dmp
      Filesize

      5.7MB

    • memory/1448-61-0x0000000000000000-mapping.dmp
    • memory/1800-54-0x0000000075C71000-0x0000000075C73000-memory.dmp
      Filesize

      8KB

    • memory/1844-71-0x0000000000000000-mapping.dmp