Overview

overview

10

Static

static

10

StUpdate.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    04-07-2022 14:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    StUpdate.exe

  • Size

    93KB

  • MD5

    f2321adc190e7db9b1f3b85e88f7ae54

  • SHA1

    0b6126aaab291e1dbe0006411eff27789994aa78

  • SHA256

    dfe4b6b4f1bda60e6870666e6e4809a8e3ee4827db737525c9313bfbc87bf5c1

  • SHA512

    e07182b6653cbe64c8c1b9d533adc2a476e9490d8cecf0281f12c0187a2915301337bf3f2d96880706f9369e2adf7cb32538c1852e73ce53e1b236515569b830

Score
10/10
njrathackedevasiontrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

FRANSESCOTI3LjAuFRANSESCOC4x:NTU1Mg==

Mutex

fb116b75140ecc0173c4ba46bdb8d155

Attributes
  • reg_key

    fb116b75140ecc0173c4ba46bdb8d155

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 3 IoCs
  • Modifies Windows Firewall 1 TTPs 6 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 34 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
    "C:\Users\Admin\AppData\Local\Temp\StUpdate.exe"
    1⤵
    • Checks computer location settings
    • Drops autorun.inf file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3336
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\StUpdate.exe" "StUpdate.exe" ENABLE
      2⤵
      • Modifies Windows Firewall
      PID:4996
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\StUpdate.exe"
      2⤵
      • Modifies Windows Firewall
      PID:1524
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\StUpdate.exe" "StUpdate.exe" ENABLE
      2⤵
      • Modifies Windows Firewall
      PID:3824
    • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2252
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe" "svchost.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:3108
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        3⤵
        • Modifies Windows Firewall
        PID:220
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe" "svchost.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:224
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
        3⤵
        • Creates scheduled task(s)
        PID:3864
  • C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
    C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
    1⤵
    • Executes dropped EXE
    PID:2276
  • C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
    C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
    1⤵
    • Executes dropped EXE
    PID:1056

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1
T1091

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

1
T1031

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\StUpdate.exe.log
    Filesize

    408B

    MD5

    661cab77d3b907e8057f2e689e995af3

    SHA1

    5d1a0ee9c5ee7a7a90d56d00c10dc0e679bee01c

    SHA256

    8f27f95ad7c09f2e05d7960e78ef8cd935c1262e9657883a75d70dcb877592d2

    SHA512

    2523b316bd79fed0e9b3d73f46959f3dfe270cf950f34bd9d49fe4113a2ae46d0cd00224d848bc40c0d8c55449e2dccc4b4278ba4809c0ca9ede1ac75673fc67

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
    Filesize

    93KB

    MD5

    f2321adc190e7db9b1f3b85e88f7ae54

    SHA1

    0b6126aaab291e1dbe0006411eff27789994aa78

    SHA256

    dfe4b6b4f1bda60e6870666e6e4809a8e3ee4827db737525c9313bfbc87bf5c1

    SHA512

    e07182b6653cbe64c8c1b9d533adc2a476e9490d8cecf0281f12c0187a2915301337bf3f2d96880706f9369e2adf7cb32538c1852e73ce53e1b236515569b830

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
    Filesize

    93KB

    MD5

    f2321adc190e7db9b1f3b85e88f7ae54

    SHA1

    0b6126aaab291e1dbe0006411eff27789994aa78

    SHA256

    dfe4b6b4f1bda60e6870666e6e4809a8e3ee4827db737525c9313bfbc87bf5c1

    SHA512

    e07182b6653cbe64c8c1b9d533adc2a476e9490d8cecf0281f12c0187a2915301337bf3f2d96880706f9369e2adf7cb32538c1852e73ce53e1b236515569b830

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
    Filesize

    93KB

    MD5

    f2321adc190e7db9b1f3b85e88f7ae54

    SHA1

    0b6126aaab291e1dbe0006411eff27789994aa78

    SHA256

    dfe4b6b4f1bda60e6870666e6e4809a8e3ee4827db737525c9313bfbc87bf5c1

    SHA512

    e07182b6653cbe64c8c1b9d533adc2a476e9490d8cecf0281f12c0187a2915301337bf3f2d96880706f9369e2adf7cb32538c1852e73ce53e1b236515569b830

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\melt.txt
    Filesize

    46B

    MD5

    06f835feb408ceb777ac17ef3735328e

    SHA1

    58a5cb1a0e0d6a45c8261ad9858041e61edc6871

    SHA256

    345c57e48ad5ee49b052a43766a306bcc8c4ef57e6a9805bf52aafe9678b084c

    SHA512

    41c6060bb670244f9ff81e2fb2205bd01182f9db460603b435d94bb58b5e152536243a10d0ab9b1138d722f97868f50ef30d4ac867307aa848943965a7177fe0

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
    Filesize

    93KB

    MD5

    f2321adc190e7db9b1f3b85e88f7ae54

    SHA1

    0b6126aaab291e1dbe0006411eff27789994aa78

    SHA256

    dfe4b6b4f1bda60e6870666e6e4809a8e3ee4827db737525c9313bfbc87bf5c1

    SHA512

    e07182b6653cbe64c8c1b9d533adc2a476e9490d8cecf0281f12c0187a2915301337bf3f2d96880706f9369e2adf7cb32538c1852e73ce53e1b236515569b830

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
    Filesize

    93KB

    MD5

    f2321adc190e7db9b1f3b85e88f7ae54

    SHA1

    0b6126aaab291e1dbe0006411eff27789994aa78

    SHA256

    dfe4b6b4f1bda60e6870666e6e4809a8e3ee4827db737525c9313bfbc87bf5c1

    SHA512

    e07182b6653cbe64c8c1b9d533adc2a476e9490d8cecf0281f12c0187a2915301337bf3f2d96880706f9369e2adf7cb32538c1852e73ce53e1b236515569b830

    Download Submit
  • C:\Users\Admin\AppData\Roaming\app
    Filesize

    4B

    MD5

    047dda8d29bbbf2b6e1c3f4212189eba

    SHA1

    eb10217bbf887b1ad9b984cb7a559b177e2c762a

    SHA256

    afd43463eba279dc102afa66f3ef7173885c540c02776217638de34e03486125

    SHA512

    84c38a784fa77686de5be91738fffd0371ca667eff0e117c87e8e2d676ef29b7defe21c7bfa83f00ef967d73d3983fb038bd07b93fde963ec5ae10a2f569a822

    Download Submit
  • C:\Users\Admin\AppData\Roaming\app
    Filesize

    4B

    MD5

    047dda8d29bbbf2b6e1c3f4212189eba

    SHA1

    eb10217bbf887b1ad9b984cb7a559b177e2c762a

    SHA256

    afd43463eba279dc102afa66f3ef7173885c540c02776217638de34e03486125

    SHA512

    84c38a784fa77686de5be91738fffd0371ca667eff0e117c87e8e2d676ef29b7defe21c7bfa83f00ef967d73d3983fb038bd07b93fde963ec5ae10a2f569a822

    Download Submit
  • C:\Users\Admin\AppData\Roaming\app
    Filesize

    4B

    MD5

    047dda8d29bbbf2b6e1c3f4212189eba

    SHA1

    eb10217bbf887b1ad9b984cb7a559b177e2c762a

    SHA256

    afd43463eba279dc102afa66f3ef7173885c540c02776217638de34e03486125

    SHA512

    84c38a784fa77686de5be91738fffd0371ca667eff0e117c87e8e2d676ef29b7defe21c7bfa83f00ef967d73d3983fb038bd07b93fde963ec5ae10a2f569a822

    Download Submit
  • memory/220-141-0x0000000000000000-mapping.dmp
    Download
  • memory/224-142-0x0000000000000000-mapping.dmp
    Download
  • memory/1056-155-0x0000000075220000-0x00000000757D1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1056-153-0x0000000075220000-0x00000000757D1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1524-132-0x0000000000000000-mapping.dmp
    Download
  • memory/2252-134-0x0000000000000000-mapping.dmp
    Download
  • memory/2252-145-0x0000000075220000-0x00000000757D1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2252-139-0x0000000075220000-0x00000000757D1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2276-149-0x0000000075220000-0x00000000757D1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2276-151-0x0000000075220000-0x00000000757D1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/3108-140-0x0000000000000000-mapping.dmp
    Download
  • memory/3336-130-0x0000000075220000-0x00000000757D1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/3336-138-0x0000000075220000-0x00000000757D1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/3824-133-0x0000000000000000-mapping.dmp
    Download
  • memory/3864-144-0x0000000000000000-mapping.dmp
    Download
  • memory/4996-131-0x0000000000000000-mapping.dmp
    Download