Overview

overview

10

Static

static

c4906d9e92...5b.exe

windows7_x64

10

c4906d9e92...5b.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    02-07-2022 18:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c4906d9e92bbbb0302f3409adb459b9bc31f75282780a9a56b6bff2bc908715b.exe

  • Size

    168KB

  • MD5

    0ead8bf1a82f825a23acba001fa5d8f4

  • SHA1

    d53abb4494d355f6954cea7ba866588593934992

  • SHA256

    c4906d9e92bbbb0302f3409adb459b9bc31f75282780a9a56b6bff2bc908715b

  • SHA512

    5fda6c76bb39547844114ded578f7881fa9433d8da45d4df67c48cc17a9fce90b90c918e9cc4611b6bb86cef444cb00b11f10d219d3d1eb33f713b4741f8dc05

Score
10/10
njrathackedevasiontrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

127.0.0.1:1234

Mutex

cc0012ca95288ee5cb550c3649e082f9

Attributes
  • reg_key

    cc0012ca95288ee5cb550c3649e082f9

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c4906d9e92bbbb0302f3409adb459b9bc31f75282780a9a56b6bff2bc908715b.exe
    "C:\Users\Admin\AppData\Local\Temp\c4906d9e92bbbb0302f3409adb459b9bc31f75282780a9a56b6bff2bc908715b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Users\Admin\AppData\Local\Temp\ben.exe
      "C:\Users\Admin\AppData\Local\Temp\ben.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4948
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\ben.exe" "ben.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:2348

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ben.exe
    Filesize

    23KB

    MD5

    43e1b731ab30055f534ef2276eaa72fb

    SHA1

    9c648a33edca6b2c6ae54784c219da59a3682c3b

    SHA256

    e73557e8e6bdffcc0b3add262a502902101f6fa26822aded9c19bdc89135f239

    SHA512

    2e0b911c41004374e9bd54558a4ee5676c63c1ff8947a92c73d56b8e4f7fa3bc7d7f9aa5798520ce221a371eaf2a97ccdc0dd0791982b0fd70eb7f201d85da7c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ben.exe
    Filesize

    23KB

    MD5

    43e1b731ab30055f534ef2276eaa72fb

    SHA1

    9c648a33edca6b2c6ae54784c219da59a3682c3b

    SHA256

    e73557e8e6bdffcc0b3add262a502902101f6fa26822aded9c19bdc89135f239

    SHA512

    2e0b911c41004374e9bd54558a4ee5676c63c1ff8947a92c73d56b8e4f7fa3bc7d7f9aa5798520ce221a371eaf2a97ccdc0dd0791982b0fd70eb7f201d85da7c

    Download Submit
  • memory/2160-130-0x0000000000DE0000-0x0000000000E0A000-memory.dmp
    Filesize

    168KB

    Download
  • memory/2160-131-0x0000000005770000-0x000000000580C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/2160-132-0x0000000005E20000-0x00000000063C4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/2160-133-0x0000000005910000-0x00000000059A2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2160-134-0x0000000005840000-0x000000000584A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2160-135-0x0000000005AB0000-0x0000000005B06000-memory.dmp
    Filesize

    344KB

    Download
  • memory/2348-140-0x0000000000000000-mapping.dmp
    Download
  • memory/4948-136-0x0000000000000000-mapping.dmp
    Download
  • memory/4948-139-0x000000006F700000-0x000000006FCB1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/4948-141-0x000000006F700000-0x000000006FCB1000-memory.dmp
    Filesize

    5.7MB

    Download