Analysis

  • max time kernel: 152s
  • max time network: 189s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220414-en
  • submitted: 25-06-2022 20:48

General

  • Target: 3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d.exe
  • Size: 3.8MB
  • MD5: 4252f2ca6c16c3406294894a496714bb
  • SHA1: 549d7f01ab15ba44b77bcb4601929b19efe21619
  • SHA256: 3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d
  • SHA512: 8db3820e025871a8e410ab5ccde92526fc31c1095e06757e9efd697aa0289e4199a9384b4006fe5f4026a02222a34c43cb893e3e030ab1e6cdf757f1a9c4760d

Malware Config

Extracted

  • Family: njrat
  • Version: 0.7d
  • Botnet: Sentry
  • C2: connertyler58.ddns.net:5537
  • Mutex: bee015c03df24a72bb52e5f747515b7e

Attributes

  • reg_key: bee015c03df24a72bb52e5f747515b7e
  • splitter: |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Executes dropped EXE 4 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d.exe
    "C:\Users\Admin\AppData\Local\Temp\3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4284
    • C:\Users\Admin\AppData\Local\Temp\Sentry Mba.exe
      "C:\Users\Admin\AppData\Local\Temp\Sentry Mba.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1812
      • C:\Users\Admin\AppData\Local\Temp\Sentry_MBA.exe
        C:\Users\Admin\AppData\Local\Temp/Sentry_MBA.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1200
      • C:\Users\Admin\AppData\Local\Temp\Serve.exe
        C:\Users\Admin\AppData\Local\Temp/Serve.exe
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4260
        • C:\Users\Admin\AppData\Local\Temp\Sentry.exe
          "C:\Users\Admin\AppData\Local\Temp\Sentry.exe"
          4⤵
          • Executes dropped EXE
          • Drops startup file
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2904
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Sentry.exe" "Sentry.exe" ENABLE
            5⤵
            • Modifies Windows Firewall
            PID:4588

Network

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence
  • Modify Existing Service (1) T1031
  • Registry Run Keys / Startup Folder (1) T1060

Defense Evasion
  • Modify Registry (1) T1112

Discovery
  • Query Registry (1) T1012
  • System Information Discovery (2) T1082

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Sentry Mba.exe
    Filesize: 4.0MB
    MD5: 1f2b981bfc803ac08b55f59528c3ce4e
    SHA1: df106e0905f71f801e56947142c52d85e83b06e5
    SHA256: 208e272faf3bdc617e21ddb65401cdb39b3fbafa20cfe27fd5a76286ab21469a
    SHA512: e727df9dcc5cbfb0ceb282d52d0e6f9424d9fba2cfb1f383a86777c0fc3c728a21e0323ee4429da4ee73854f8dfd24d8feab9abb9107ec56a0a4bf8dfd88fc81

  • C:\Users\Admin\AppData\Local\Temp\Sentry.exe
    Filesize: 23KB
    MD5: 1f0e83e8c080cba527f0681efcc85d59
    SHA1: 250a4f504db39447d76b3e86e8c29fdca51e5aaa
    SHA256: 12519b4c97068cd26911e4fb4b81f7f1f6693beb6c22e0257d3593c197c4c2c2
    SHA512: 3fcae50558aefd7064e1ba82442b4d9baeb718827349e9ab3ddf3c2e4e4686152ac957ea1e6c6feb9d699d7ffaeb507f97e95feec9fe2bdf658019d4fa166ea5

  • C:\Users\Admin\AppData\Local\Temp\Sentry_MBA.exe
    Filesize: 5.3MB
    MD5: 8c1d28b620a6c5e5a9978a871dcfd04f
    SHA1: 274f59cf34efda4013a98147f2d3d8bcd198b467
    SHA256: 9a9a7ceffa44d417947d80b9ac68eb7cdf80d875e400be7ba7b3115714fa37fb
    SHA512: 4718208002ea1e084da167f123b59ef874355fd07e50f987ca3f547701a839d95d66f9be81f4839bfe7eaf32af87b6cb33d8f98d5151c10c2ef84bd3c5b6e48f

  • C:\Users\Admin\AppData\Local\Temp\Serve.exe
    Filesize: 23KB
    MD5: 1f0e83e8c080cba527f0681efcc85d59
    SHA1: 250a4f504db39447d76b3e86e8c29fdca51e5aaa
    SHA256: 12519b4c97068cd26911e4fb4b81f7f1f6693beb6c22e0257d3593c197c4c2c2
    SHA512: 3fcae50558aefd7064e1ba82442b4d9baeb718827349e9ab3ddf3c2e4e4686152ac957ea1e6c6feb9d699d7ffaeb507f97e95feec9fe2bdf658019d4fa166ea5

  • memory/1200-133-0x0000000000000000-mapping.dmp
  • memory/1812-130-0x0000000000000000-mapping.dmp
  • memory/2904-140-0x0000000000000000-mapping.dmp
  • memory/2904-144-0x0000000072F70000-0x0000000073521000-memory.dmp (Filesize: 5.7MB)
  • memory/2904-145-0x0000000072F70000-0x0000000073521000-memory.dmp (Filesize: 5.7MB)
  • memory/4260-136-0x0000000000000000-mapping.dmp
  • memory/4260-139-0x0000000072F70000-0x0000000073521000-memory.dmp (Filesize: 5.7MB)
  • memory/4260-143-0x0000000072F70000-0x0000000073521000-memory.dmp (Filesize: 5.7MB)
  • memory/4588-146-0x0000000000000000-mapping.dmp