Overview

overview

10

Static

static

10

hello.exe

windows7_x64

10

hello.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    16-06-2022 22:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    hello.exe

  • Size

    37KB

  • MD5

    f6578c4f484063121bb63109b543fb95

  • SHA1

    baae4772f958a85f2420a7c112f3b0ee02f962ce

  • SHA256

    c27c8f029c0ce21a116cdb60c78676cac7ea9dd38aab8bf5c394075b407d6f5e

  • SHA512

    882590671a309211271e40665ad0561c2f9474aac477a55dbe79e58122cb4370854641e84a9bd7d2d138eca3bef2d2453bacac501042139a7ec74cd37cacd87c

Score
10/10
njratnextevasionpersistencesuricatatrojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

NEXT

C2

109.197.196.135:9991

Mutex

413491cbe232876548b9b7cd8a1b451d

Attributes
  • reg_key

    413491cbe232876548b9b7cd8a1b451d

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    suricata
  • suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Message)

    suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Message)

    suricata
  • suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)

    suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)

    suricata
  • suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)

    suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)

    suricata
  • Executes dropped EXE 4 IoCs
  • Modifies Windows Firewall 1 TTPs 3 IoCs
    evasion
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\hello.exe
    "C:\Users\Admin\AppData\Local\Temp\hello.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3768
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\hello.exe" "hello.exe" ENABLE
      2⤵
      • Modifies Windows Firewall
      PID:1612
    • C:\Users\Admin\AppData\Local\Temp\tmpEC5.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpEC5.tmp.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4804
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\tmpEC5.tmp.exe" "tmpEC5.tmp.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:3992
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\CompressConvert.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        3⤵
          PID:4768
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\CompressConvert.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
          3⤵
          • Suspicious use of SetWindowsHookEx
          PID:1860
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\CompressConvert.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
          3⤵
            PID:4696
          • C:\Users\Admin\Desktop\crazyinvers.exe
            "C:\Users\Admin\Desktop\crazyinvers.exe"
            3⤵
            • Executes dropped EXE
            PID:4340
        • C:\Users\Admin\AppData\Local\Temp\tmp2F2F.tmp.exe
          "C:\Users\Admin\AppData\Local\Temp\tmp2F2F.tmp.exe"
          2⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:1456
          • C:\Users\Admin\AppData\Roaming\dllhost.exe
            "C:\Users\Admin\AppData\Roaming\dllhost.exe"
            3⤵
            • Executes dropped EXE
            • Drops startup file
            • Adds Run key to start application
            • Drops autorun.inf file
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1988
            • C:\Windows\SysWOW64\netsh.exe
              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\dllhost.exe" "dllhost.exe" ENABLE
              4⤵
              • Modifies Windows Firewall
              PID:3632

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Replication Through Removable Media

      1
      T1091

      Execution

      Persistence

      Modify Existing Service

      1
      T1031

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Replication Through Removable Media

      1
      T1091

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp2F2F.tmp.exe
        Filesize

        37KB

        MD5

        73196f394725a9623d84a512cdddf6ce

        SHA1

        4d24d92f70b2cbce52b1b173162b8f504ee7752f

        SHA256

        ee4ab4017c6e9c0883b2c1e42d0f0264f178ad2c6416e07d77169fdf94d1b1a4

        SHA512

        9c7d00237665f6a1df06217d156cbf07e499f60a7b4eb807b2df107f7392d710cb2439d524827b50492578c652ba20b81f95e4e0eee9f144330847f041971ed6

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmp2F2F.tmp.exe
        Filesize

        37KB

        MD5

        73196f394725a9623d84a512cdddf6ce

        SHA1

        4d24d92f70b2cbce52b1b173162b8f504ee7752f

        SHA256

        ee4ab4017c6e9c0883b2c1e42d0f0264f178ad2c6416e07d77169fdf94d1b1a4

        SHA512

        9c7d00237665f6a1df06217d156cbf07e499f60a7b4eb807b2df107f7392d710cb2439d524827b50492578c652ba20b81f95e4e0eee9f144330847f041971ed6

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmpEC5.tmp.exe
        Filesize

        32KB

        MD5

        00b5c86717162d1d8b22334fe21b9041

        SHA1

        eada1b62b4d7e5ddcbdf57aa1fea6312d218e154

        SHA256

        60411ad95716024ff295b429667ca3363b12a9fa23f795f42ef51609d05b9036

        SHA512

        e6b5563070f56f6c76c103ef56592f52bff2657393983a05364619b374deee919424493fba70c63100c806ad4a98ab81c9db04e1285fe5f31d80ab1131b04a07

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmpEC5.tmp.exe
        Filesize

        32KB

        MD5

        00b5c86717162d1d8b22334fe21b9041

        SHA1

        eada1b62b4d7e5ddcbdf57aa1fea6312d218e154

        SHA256

        60411ad95716024ff295b429667ca3363b12a9fa23f795f42ef51609d05b9036

        SHA512

        e6b5563070f56f6c76c103ef56592f52bff2657393983a05364619b374deee919424493fba70c63100c806ad4a98ab81c9db04e1285fe5f31d80ab1131b04a07

        Download Submit
      • C:\Users\Admin\AppData\Roaming\dllhost.exe
        Filesize

        37KB

        MD5

        73196f394725a9623d84a512cdddf6ce

        SHA1

        4d24d92f70b2cbce52b1b173162b8f504ee7752f

        SHA256

        ee4ab4017c6e9c0883b2c1e42d0f0264f178ad2c6416e07d77169fdf94d1b1a4

        SHA512

        9c7d00237665f6a1df06217d156cbf07e499f60a7b4eb807b2df107f7392d710cb2439d524827b50492578c652ba20b81f95e4e0eee9f144330847f041971ed6

        Download Submit
      • C:\Users\Admin\AppData\Roaming\dllhost.exe
        Filesize

        37KB

        MD5

        73196f394725a9623d84a512cdddf6ce

        SHA1

        4d24d92f70b2cbce52b1b173162b8f504ee7752f

        SHA256

        ee4ab4017c6e9c0883b2c1e42d0f0264f178ad2c6416e07d77169fdf94d1b1a4

        SHA512

        9c7d00237665f6a1df06217d156cbf07e499f60a7b4eb807b2df107f7392d710cb2439d524827b50492578c652ba20b81f95e4e0eee9f144330847f041971ed6

        Download Submit
      • C:\Users\Admin\Desktop\crazyinvers.exe
        Filesize

        2.3MB

        MD5

        a44458813e819777013eb3e644d74362

        SHA1

        2dd0616ca78e22464cf0cf68ef7915358a16f9ee

        SHA256

        47f0e9a90d45b193e81d3e60b7a43e5a4550a07a3dd1f7c98110fde12265d999

        SHA512

        1a4723a36f55cf696f33a7927571bda403e81ced32fda85c7cf25c8458897fb187e46bf5f80c26542725a9a7e5aa0e961fd3f3b110ae8f54b3b96b3e5dfc8215

        Download Submit
      • memory/1456-138-0x0000000000000000-mapping.dmp
        Download
      • memory/1456-146-0x0000000074690000-0x0000000074C41000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1456-141-0x0000000074690000-0x0000000074C41000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1612-131-0x0000000000000000-mapping.dmp
        Download
      • memory/1860-151-0x0000000000000000-mapping.dmp
        Download
      • memory/1988-143-0x0000000000000000-mapping.dmp
        Download
      • memory/1988-147-0x0000000074690000-0x0000000074C41000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1988-149-0x0000000074690000-0x0000000074C41000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/3632-148-0x0000000000000000-mapping.dmp
        Download
      • memory/3768-132-0x0000000074690000-0x0000000074C41000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/3768-130-0x0000000074690000-0x0000000074C41000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/3992-137-0x0000000000000000-mapping.dmp
        Download
      • memory/4340-153-0x0000000000000000-mapping.dmp
        Download
      • memory/4696-152-0x0000000000000000-mapping.dmp
        Download
      • memory/4768-150-0x0000000000000000-mapping.dmp
        Download
      • memory/4804-136-0x0000000074690000-0x0000000074C41000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/4804-142-0x0000000074690000-0x0000000074C41000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/4804-133-0x0000000000000000-mapping.dmp
        Download