Overview

overview

10

Static

static

10

VXUHEUR-Tr...96.exe

windows7-x64

10

VXUHEUR-Tr...96.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    22-08-2022 19:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    VXUHEUR-Trojan.MSIL.Crypt.gen-6cd445a30c85396.exe

  • Size

    111KB

  • MD5

    88e469aebd9529524d4420e3bf7d4964

  • SHA1

    d8e22b9746702e583b5307b1ed1ac2a0f250f31b

  • SHA256

    6cd445a30c853960af9d9ce87a23bf57b22cb494a5c9fe216b2afb296f0654d6

  • SHA512

    5977c2755f82ab31375bd0ca99a8ef29d2eabc0a52b62dea40eacc80834250a626293fe017ea3adc5703157760438c5f535475a61b2bfe27a7d4576dfb6ed434

Score
10/10
njratvictimepersistencetrojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

Victime

C2

algiriano.ddns.net:6000

Mutex

Windows

Attributes
  • reg_key

    Windows

  • splitter

    |-F-|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • Views/modifies file attributes 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\VXUHEUR-Trojan.MSIL.Crypt.gen-6cd445a30c85396.exe
    "C:\Users\Admin\AppData\Local\Temp\VXUHEUR-Trojan.MSIL.Crypt.gen-6cd445a30c85396.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.bat
      "C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.bat"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1196
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
        3⤵
        • Views/modifies file attributes
        PID:1724
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
        3⤵
        • Views/modifies file attributes
        PID:1704
    • C:\Windows\SysWOW64\attrib.exe
      attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.bat"
      2⤵
      • Views/modifies file attributes
      PID:2040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Hidden Files and Directories

1
T1158

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Hidden Files and Directories

1
T1158

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.bat
    Filesize

    111KB

    MD5

    88e469aebd9529524d4420e3bf7d4964

    SHA1

    d8e22b9746702e583b5307b1ed1ac2a0f250f31b

    SHA256

    6cd445a30c853960af9d9ce87a23bf57b22cb494a5c9fe216b2afb296f0654d6

    SHA512

    5977c2755f82ab31375bd0ca99a8ef29d2eabc0a52b62dea40eacc80834250a626293fe017ea3adc5703157760438c5f535475a61b2bfe27a7d4576dfb6ed434

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.bat
    Filesize

    111KB

    MD5

    88e469aebd9529524d4420e3bf7d4964

    SHA1

    d8e22b9746702e583b5307b1ed1ac2a0f250f31b

    SHA256

    6cd445a30c853960af9d9ce87a23bf57b22cb494a5c9fe216b2afb296f0654d6

    SHA512

    5977c2755f82ab31375bd0ca99a8ef29d2eabc0a52b62dea40eacc80834250a626293fe017ea3adc5703157760438c5f535475a61b2bfe27a7d4576dfb6ed434

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
    Filesize

    1KB

    MD5

    4bfb051a34131224e7b94030c98fea8d

    SHA1

    0c87ce198a8e04d2c76a01e629e7454baf51b688

    SHA256

    ad4e5f041a40d848d404850b08e5f282e66812a4151627a6429e52faa6599c35

    SHA512

    146f69a063f4be94e1b118534915ca92013384ccfc43c84522e6a755e6cd7b6795323b4ed0e7e243ab658e05e64edce5953e219bd9a64b936cf100ebe35fb28c

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
    Filesize

    1022B

    MD5

    9b20f3e33f751c440eee66fdcdf8fd3a

    SHA1

    d0bf1457286e976c80244abb2a99524a07a90852

    SHA256

    443b3f231ede7b381ff9108cca8925fdd6d4b213535bc673611d927869633533

    SHA512

    1de6f5f6abf8f1b5f2b06d2e170d908bac547229d2a8711c3e08a8e61db7326d1259e4642d68ed9b8babbc0b6de371f5127d26d199ddf428ea9fa65fd2cfd445

    Download Submit
  • \Users\Admin\AppData\Local\Temp\WindowsUpdater.bat
    Filesize

    111KB

    MD5

    88e469aebd9529524d4420e3bf7d4964

    SHA1

    d8e22b9746702e583b5307b1ed1ac2a0f250f31b

    SHA256

    6cd445a30c853960af9d9ce87a23bf57b22cb494a5c9fe216b2afb296f0654d6

    SHA512

    5977c2755f82ab31375bd0ca99a8ef29d2eabc0a52b62dea40eacc80834250a626293fe017ea3adc5703157760438c5f535475a61b2bfe27a7d4576dfb6ed434

    Download Submit
  • memory/1196-57-0x0000000000000000-mapping.dmp
    Download
  • memory/1196-62-0x0000000074E50000-0x00000000753FB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1704-67-0x0000000000000000-mapping.dmp
    Download
  • memory/1724-66-0x0000000000000000-mapping.dmp
    Download
  • memory/1808-55-0x0000000074E50000-0x00000000753FB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1808-54-0x0000000076051000-0x0000000076053000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1808-63-0x0000000074E50000-0x00000000753FB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2040-60-0x0000000000000000-mapping.dmp
    Download