Overview

overview

10

Static

static

b9816004cc...aa.exe

windows7-x64

10

b9816004cc...aa.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-10-2022 22:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa.exe

  • Size

    289KB

  • MD5

    61515ba9633ff41d3fa44d5ff837c460

  • SHA1

    83623fc4699e3ea9b628d1f9a5f4cdd7426c36b8

  • SHA256

    b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa

  • SHA512

    234438c585b175f5d743e30692888591ea3a1a5d2b59e1e75dd49fe44173656f1bddee85b31fa27dad95f541f958f0b2f89d36b74d63de88bc683f0d68126a1f

  • SSDEEP

    3072:FB/o6kBWW71YYd9mE6qTW59cbX/lqmqb/9kdR4cBtVIzKkes5RPdmDwgd4Ujepq0:Y/BC5

Score
10/10
njrathackedtrojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HACKED

C2

hasniimed.no-ip.biz:1177

Mutex

9e07d5f15e8eb1f15f646580801c5439

Attributes
  • reg_key

    9e07d5f15e8eb1f15f646580801c5439

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa.exe
    "C:\Users\Admin\AppData\Local\Temp\b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4828
    • C:\Users\Admin\AppData\Local\Temp\b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa.exe
      C:\Users\Admin\AppData\Local\Temp\b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa.exe
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Users\Admin\AppData\Local\Temp\hack.exe.exe
        "C:\Users\Admin\AppData\Local\Temp\hack.exe.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3824
        • C:\Users\Admin\AppData\Local\Temp\hack.exe.exe
          C:\Users\Admin\AppData\Local\Temp\hack.exe.exe
          4⤵
            PID:4848

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa.exe.log
      Filesize

      418B

      MD5

      89c8a5340eb284f551067d44e27ae8dd

      SHA1

      d2431ae25a1ab67762a5125574f046f4c951d297

      SHA256

      73ca1f27b1c153e3405856ebe8b3c6cdd23424d2ab09c0fe1eb0e2075513057b

      SHA512

      b101ac2e008bd3cc6f97fedb97b8253fb07fed1c334629ecbebe0f4942ccc1070491cddc4daea521164543b6f97ba9b99d2be1c50cc5a013f04e697fea9dbdac

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\hack.exe.exe
      Filesize

      289KB

      MD5

      61515ba9633ff41d3fa44d5ff837c460

      SHA1

      83623fc4699e3ea9b628d1f9a5f4cdd7426c36b8

      SHA256

      b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa

      SHA512

      234438c585b175f5d743e30692888591ea3a1a5d2b59e1e75dd49fe44173656f1bddee85b31fa27dad95f541f958f0b2f89d36b74d63de88bc683f0d68126a1f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\hack.exe.exe
      Filesize

      289KB

      MD5

      61515ba9633ff41d3fa44d5ff837c460

      SHA1

      83623fc4699e3ea9b628d1f9a5f4cdd7426c36b8

      SHA256

      b9816004cc425eab5931e6c8cdf529925395cefe0ea70e012c14e15b87d8e4aa

      SHA512

      234438c585b175f5d743e30692888591ea3a1a5d2b59e1e75dd49fe44173656f1bddee85b31fa27dad95f541f958f0b2f89d36b74d63de88bc683f0d68126a1f

      Download Submit
    • memory/2812-137-0x0000000000000000-mapping.dmp
      Download
    • memory/2812-138-0x0000000000400000-0x000000000040E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/3824-139-0x0000000000000000-mapping.dmp
      Download
    • memory/4828-132-0x0000000000050000-0x000000000009E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/4828-133-0x0000000004AF0000-0x0000000004B8C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/4828-134-0x0000000005140000-0x00000000056E4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4828-135-0x0000000004B90000-0x0000000004C22000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4828-136-0x0000000002500000-0x000000000250A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4848-142-0x0000000000000000-mapping.dmp
      Download