Overview

overview

10

Static

static

10

Black Adam (2022).exe

windows7_x64

10

Analysis

  • max time kernel
    76s
  • max time network
    82s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    12-07-2022 13:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Black Adam (2022).exe

  • Size

    37KB

  • MD5

    1f60289917bb553067c148fd238b24a5

  • SHA1

    9540097003c4586b5e5de3103dd7a473b33398e9

  • SHA256

    4c8b3ba90bc41a271d9c24139d39728c469112945f413fdc368338f39b7be356

  • SHA512

    9f047b3be3c30924d688ed2160b8ec6c655dd6da579164e69368b754d607aa2ab4b432d3603e70af0dffe1ecf20be876d146b0f124998d88876b15ec54544118

Score
10/10
njratлошокevasionpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

Лошок

C2

194.71.126.120:17954

Mutex

13d65a76848c880b980676c6c1cc6341

Attributes
  • reg_key

    13d65a76848c880b980676c6c1cc6341

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 25 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Black Adam (2022).exe
    "C:\Users\Admin\AppData\Local\Temp\Black Adam (2022).exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Windows\Dllhost.exe
      "C:\Windows\Dllhost.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1764
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Windows\Dllhost.exe" "Dllhost.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:2016
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Desktop\AddRedo.wmv
    Filesize

    853KB

    MD5

    7d5d9eaec8d23ece8daaf6532d86d6df

    SHA1

    17614c3418bfdd71f365cf885a6d4c033b3a7c8e

    SHA256

    87d27850165786a2aa0096b497ea777ba1dd3a767151611f8dcd19c8e75b281e

    SHA512

    dd47acc26f79c5a7851345a32fee354b32e0faa6dd9b22b3299cd39bcc0f8219ed2a5722bc14578a9b2f8b5decc85c9cabdd964fda7ba563b9837c29ee5cc17b

    Download Submit
  • C:\Users\Admin\Desktop\AssertRedo.raw
    Filesize

    483KB

    MD5

    d28a1f5063bc7d3572194e7344c2648b

    SHA1

    0a88b81c4e73a98d83c7d2e8c96875123341ede9

    SHA256

    e81f9caddff9bdf7d640723a6a2fa9f6ea3ecfe89eb15725f8262e6ff482f663

    SHA512

    f824494029205d80980554779b7377b5c72609c2b6665d9ab39be207e98f55286e64e0bacdf38a2b9236d70bc586769fc2e093a2e61e29ef1d3e61537921f587

    Download Submit
  • C:\Users\Admin\Desktop\BlockSwitch.clr
    Filesize

    711KB

    MD5

    917e9b78d49f89ed18ed915fd4a549e5

    SHA1

    30eae544e16084318ddf42986039f02ebd78ccd7

    SHA256

    2727f9f62695f0211af6422afdd282926c1cb4c0df0bbca07a07f7ffa0ed2643

    SHA512

    a9097d9c6c0fb0ad8ca1084f6343a58aa72a9d88383001086637c11d328a549aa3946d1eea6b58087778c5e3ad9accc78a7e47e3474391f7193835d726b2fa67

    Download Submit
  • C:\Users\Admin\Desktop\CheckpointSend.ex_
    Filesize

    597KB

    MD5

    dfefd7093d823a5516cbb586e29a96d2

    SHA1

    ad836ae43fd6c14f393a18d8fae2bc188771cd9a

    SHA256

    fb9fe101595543266b5e60352803b7a82f504fc330ff84c74dfda653884ea512

    SHA512

    cf4c87ab6f0df349b071e0c34407afddfecdc528b184abde1874b0cf815af506b9436b152b9337894fe9af4db57c80422699656e616c3ee8497d0e34555a714d

    Download Submit
  • C:\Users\Admin\Desktop\DisconnectRestart.MOD
    Filesize

    881KB

    MD5

    a366e8c35c73a758231d56d7d759b814

    SHA1

    772de4f2a106b80b87034a720c1d21f6e5434dc6

    SHA256

    11707b02a3b7cea012f8c09a096dcdd6722ef105e56a0def0f9065097b7f690d

    SHA512

    7ee10284c61343f7726d04d66431d6acbb3df88f4840ea2c211a12f4501743e3d9fbc7d096bc6d75f63615b3c682375e36b38094a6eac23dcefe7c87e5bcd5e7

    Download Submit
  • C:\Users\Admin\Desktop\ExitInvoke.ppsx
    Filesize

    767KB

    MD5

    68d9c048a4d60895fc2b2746aac58c50

    SHA1

    975d22b92d5955c30be11a1809664a45a90b948b

    SHA256

    8404d83c7dacf0511bb137c3549c8bbf01c1b8f0fba5d3295bfc57424bf47b46

    SHA512

    c2db7b28b0a08b35ede62341154344cc4337812e8f1d29b958072f6571509c55fd8953dfa9d39ac8ec840a2b44eb37e9a2b55b7002930a6857007c7fc9aa976b

    Download Submit
  • C:\Users\Admin\Desktop\InitializeUnlock.mpa
    Filesize

    540KB

    MD5

    c9231c08279cfcee939ea8b1aebb80e1

    SHA1

    4e6fb6f33db522e40d76f97f912d1e949991901f

    SHA256

    c0d37c557013c5489fa6e2256c796fe9d25cfafccffa29eaa26c322f7dd30fe2

    SHA512

    9db58d911096bbed2e39fb0dcece84a669775f122696419119f930b91bebb20ccf98d8389d9211aef8e68338fc0b82073305b0144ee9ee01f42ba6f34ff73fb2

    Download Submit
  • C:\Users\Admin\Desktop\InstallSync.wmx
    Filesize

    398KB

    MD5

    5d79fac8d352f3edae6cb9967a3ccc6e

    SHA1

    67e2ebb318b49ca08de051c0e37a3c2c44c5a17e

    SHA256

    d1b3815b94950f48b35b3fa223b5293f85fb9b34f8f4a37eaf0a42d393949d90

    SHA512

    010867fc1c4fc343f2c6bef271e6bcf6cbd5cbbaef26c49f07a5d3ffd08979e3cb0d2daf8a24b6baf88b79c49f9d816a392a97d649d6f140f86e58a74c71a771

    Download Submit
  • C:\Users\Admin\Desktop\LockConvertTo.ods
    Filesize

    682KB

    MD5

    ba4f94c50bb91b403787b5bb456cf48b

    SHA1

    7b665eb73eb36f26698f0156c6f87d78b2c2d7a2

    SHA256

    6a341bc619d15250264233d6cdcf83148c283cfd877ceb09a6abc77bc9d6b6ae

    SHA512

    e41b913d86ae3b16fa1147ee41a04e9de30f94841c484d2ba69f662810ac5c0730df755b37b734be311149b6bb55ce7f1dfb9a4ce7d45eea98850a155a73c678

    Download Submit
  • C:\Users\Admin\Desktop\LockRepair.mpe
    Filesize

    824KB

    MD5

    6e963dfd2c4b2194e6277d4dc8c33611

    SHA1

    7d4c8720c8578fbd730dc758b5a4de0936f59a71

    SHA256

    23e00a7b79df54e9cb59d77e58496a0d0a92dbbbbae75589e68fa9914d209cd5

    SHA512

    ecb495ceafe3be7d199376c502ac533d76889a9ff48b7b396685a46951cd6f0dc6386d6afb7ea6bb38cf7c52bcffeef4bcb659d034598c48fe161ba4b1e37c0f

    Download Submit
  • C:\Users\Admin\Desktop\PublishDisable.vdx
    Filesize

    739KB

    MD5

    b5d1c754b147828138898d3f02fc4d1a

    SHA1

    5fd31a125232742607f25c81118057ac9297e39e

    SHA256

    c76159001e13ce30543d318a4ea5a27501b3ddacb328be94ff7beb3b80f9cd4d

    SHA512

    2a694ca7ba4ce3c17bedc1a5dd451f020ebd9a2561437d79f364a5e25b17ca942ed1e5c49ed7ce06add6c57bb3d4a44f871fa10625bc2808080fae3b41b2c729

    Download Submit
  • C:\Users\Admin\Desktop\PublishMerge.htm
    Filesize

    568KB

    MD5

    90fc4d0faa32572562a2fa16a54d9225

    SHA1

    6aca2d290968200ffddb07a3543f6ef4637f92f3

    SHA256

    75ea6e130e0811a42d10ed65cc84f945ea2350b8d51be3359b85b8b6da88c580

    SHA512

    aaf1d02a1abadcabdca724bc2fe22168663427699ca8aa4f12a6c9128216662a0283c51543c2c5e29e7f02efaf45879b9c0c754ca6f27c97abf3e9cfedfe3949

    Download Submit
  • C:\Users\Admin\Desktop\ReceiveCheckpoint.wmv
    Filesize

    511KB

    MD5

    be9a8494ed54e16fab0b4e547e7d16dc

    SHA1

    e0073038700463acf5d19158b27f40256aeb3980

    SHA256

    b41fc456a8b26a00a54aae6fa716778ef31215938da6f19d16ed349bcf930833

    SHA512

    49f9a5094aa45ba98ea978cf3a87235e6ba158d6b12e872432fd6af79942149a4fa7cb9d99c4d9560c0f682748dbfbd7ab33653ea4739ed31a9c2508f615aed8

    Download Submit
  • C:\Users\Admin\Desktop\RemoveStep.wmv
    Filesize

    967KB

    MD5

    81276504ef3e1beb36cfbc3d29b9cf31

    SHA1

    114dc162de04b45e3c15f0bcd89d7dcb7d4ec2cc

    SHA256

    ea61a65abbcf11bb3fb2b6c68adffe4ae536fa0de4bc29843ce386d176fbb7d1

    SHA512

    7a38d86b6e5e93c245fcb19da28ebceb1189652d7aed4f1e462590a9e39a2e9985206ac2566a5ba48f4ed16fec74fa36b5a2c895c5edb8b4089ddaf66159d8c5

    Download Submit
  • C:\Users\Admin\Desktop\RenameWrite.mht
    Filesize

    938KB

    MD5

    3e1c8b54e08e299a799ae61fdc09d9f4

    SHA1

    5e981467b77910e47add4d192357a16af0a7c850

    SHA256

    f64f5e505b87f81b5555466cda1540a8581ff91287b86763f28616b8098c2d1b

    SHA512

    960b7301a40943d13c7810ca7271ee3dbf52e3e74c504c0312dc5e00b6e760ad8caf51929ca03cbf0150ac5f7917771d5b8e9e509dba4ec65f1e58ff86f4109a

    Download Submit
  • C:\Users\Admin\Desktop\StartDeny.bmp
    Filesize

    426KB

    MD5

    e840121f209801c42fcf3f1a863dca2a

    SHA1

    7859d55985993b16a3c4fd3388ee273bbd9fc026

    SHA256

    7a53c802139a4763cd2f20fbb06f8d1c95b26d421153749185337e5885e6037a

    SHA512

    dca5229356eef81322efc80e22bd8942cfe62f5786d5085d550236e477bca13f20329f705317effdc2e89413f0446facd0ad984581ab045c76b5412dd2ea37e4

    Download Submit
  • C:\Users\Admin\Desktop\SubmitBackup.MTS
    Filesize

    796KB

    MD5

    c085adf3c82697b12c29029ec4663438

    SHA1

    b785eef354eb8fcee38b606cd0022dea2008fc7b

    SHA256

    00f30bb12a5dfc172b66491285fc9092b79859fdadf3aff8167259dfdcb020bf

    SHA512

    3f25fc127c105282a5d61ac7eea330d1975e20cd485700a0043ed51e3f0457b981aaa86f4762cb5fe91bcbbc2bd38c435dd1b49f42a52fdce073f3ed6cc23577

    Download Submit
  • C:\Users\Admin\Desktop\TestConvertFrom.asx
    Filesize

    369KB

    MD5

    0e93fab73f4efa674555035469ef5967

    SHA1

    a9fd5f7208aa5c927ddfc7a614224a73d54c8079

    SHA256

    ca153777d2b412e6a9c440a01e1935623765341c07b6c67b0e74b75ab336731e

    SHA512

    c5c6d5a111b5abb2fb6a728d4773cbc23db217dd90f77aa123cca07c40e7898a9800580412277a567fcd4ae00a1b56f0a828782e3722d827511803fbd6b836dc

    Download Submit
  • C:\Users\Admin\Desktop\TraceMove.vsd
    Filesize

    654KB

    MD5

    3fa3e9abf5aab3be78e7e3dbdcfc13e7

    SHA1

    5bd737e076aefb1fcb6612207d30aa7691f4312c

    SHA256

    920d29de0791d17c81f89d57668c8091cd36d5dc308728c73701b4f18207f6e8

    SHA512

    97b531d04ad12da1bea9680003e9a7676d490510da67dd58353051ac23f57d2b4ad207fd2733c87554c9c45c22ee7d74e8b4d3184b8ae5fbd076093aca695a4e

    Download Submit
  • C:\Users\Admin\Desktop\TracePing.csv
    Filesize

    910KB

    MD5

    fc77950d4bfcbd43c4c10ad146efebe1

    SHA1

    4e1b8e5bfb925d6853bff78d4f6d5d779261097b

    SHA256

    e22d7c133fcd66b9237e9f83302020fbafea6bec09b0f1aa3451e8999763b7be

    SHA512

    abd4eb700d0b0e7ec668eaeb6cf0cb8dc4f0bce19a69048b23c53ad689126c520910ead99694a3387a1249a66b458b0a09b08e82d3a4cb715f6e519803d95e0b

    Download Submit
  • C:\Users\Admin\Desktop\UnblockConvert.asp
    Filesize

    1.3MB

    MD5

    785ce140bfc69fa59bd1a580e9f3cbfa

    SHA1

    a53d0004db72b44f1ad488da50eb13cb7fb1c4f4

    SHA256

    af92f71aa55997111a79b48fd015970a35e46e925c9065199902b53fe944f208

    SHA512

    7f83fc6d7d2fc49e792ccf992cd83156842d5a11e125c3f5351b7e831f300e072dd056e9b41357f915e79c972ef1a663e48498f441d348d9956db1bea4f8d0df

    Download Submit
  • C:\Users\Admin\Desktop\UseUninstall.ppsx
    Filesize

    625KB

    MD5

    b32c9698c72687bbf11cfa6ee1e1e2ae

    SHA1

    3057db07bf85731ce5d14caa7d73d2377f46e482

    SHA256

    cb3e162b1c8f1f00cc624f7848676d15fd6dd7d8964b909da80f3ad9e8bcbe04

    SHA512

    2b8ceacd5c3244cbccee2ff7f0177119da61cf5a335791e05f4c229172479756078771ca0cec31b142940ccf24c6cc8bead7ea78a07fa4ccee87116d2fa2754d

    Download Submit
  • C:\Users\Admin\Desktop\WatchDisable.vsdx
    Filesize

    455KB

    MD5

    c162d1dc325b8ad4773865a335518abe

    SHA1

    0c8b8db484185345ba15d10e098617c77e96dd9b

    SHA256

    be1aa3409471147ff5d985fe0b2b52869a508682fbfa8b660b87e779a03effc7

    SHA512

    c6023608338a601fca010fd7d58ebc01d82759bd7995f7d14ee83173db52cfd7f41be4377fa5c0135e900b5fdae48cbf492ade1ce89a2ebbcde04419a9bd311e

    Download Submit
  • C:\Windows\Dllhost.exe
    Filesize

    37KB

    MD5

    1f60289917bb553067c148fd238b24a5

    SHA1

    9540097003c4586b5e5de3103dd7a473b33398e9

    SHA256

    4c8b3ba90bc41a271d9c24139d39728c469112945f413fdc368338f39b7be356

    SHA512

    9f047b3be3c30924d688ed2160b8ec6c655dd6da579164e69368b754d607aa2ab4b432d3603e70af0dffe1ecf20be876d146b0f124998d88876b15ec54544118

    Download Submit
  • C:\Windows\Dllhost.exe
    Filesize

    37KB

    MD5

    1f60289917bb553067c148fd238b24a5

    SHA1

    9540097003c4586b5e5de3103dd7a473b33398e9

    SHA256

    4c8b3ba90bc41a271d9c24139d39728c469112945f413fdc368338f39b7be356

    SHA512

    9f047b3be3c30924d688ed2160b8ec6c655dd6da579164e69368b754d607aa2ab4b432d3603e70af0dffe1ecf20be876d146b0f124998d88876b15ec54544118

    Download Submit
  • memory/1764-69-0x00000000748C0000-0x0000000074E6B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1764-65-0x0000000000000000-mapping.dmp
    Download
  • memory/1764-88-0x00000000748C0000-0x0000000074E6B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1764-92-0x00000000002F5000-0x0000000000306000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1976-55-0x00000000748C0000-0x0000000074E6B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1976-70-0x00000000748C0000-0x0000000074E6B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1976-64-0x00000000748C0000-0x0000000074E6B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1976-54-0x00000000757C1000-0x00000000757C3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2004-89-0x000007FEFBFB1000-0x000007FEFBFB3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2004-90-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize

    5.9MB

    Download
  • memory/2004-91-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize

    5.9MB

    Download
  • memory/2016-86-0x0000000000000000-mapping.dmp
    Download