Analysis
-
max time kernel
110s -
max time network
164s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
02-10-2022 22:10
General
-
Target
9753221afc815352348934c615626463392b7bc6730bd4f2b53ad3d268532371.exe
-
Size
699KB
-
MD5
5abd9a7429df3a6f3fab1c4da9740e2e
-
SHA1
b6c1833a87cc3f904bfe8356c677cd4f57b3aafd
-
SHA256
9753221afc815352348934c615626463392b7bc6730bd4f2b53ad3d268532371
-
SHA512
7810650ed0725d4f201d4864d21ee32d32b5a134af6d5653cee74c2af8e4ed8ec4bba4a83a633188b0ccf4176dead3874c7016cfe666431dc84e9cdb97c5b4de
-
SSDEEP
12288:IhkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4a6AiDyc:wRmJkcoQricOIQxiZY1iaDiDyc
Malware Config
Extracted
njrat
0.6.4
Slaves1
zafarullah.zapto.org:1604
d2af1d61020cbaaa665444e49c2e50d8
-
reg_key
d2af1d61020cbaaa665444e49c2e50d8
-
splitter
|'|'|
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9753221afc815352348934c615626463392b7bc6730bd4f2b53ad3d268532371.exe"C:\Users\Admin\AppData\Local\Temp\9753221afc815352348934c615626463392b7bc6730bd4f2b53ad3d268532371.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9753221afc815352348934c615626463392b7bc6730bd4f2b53ad3d268532371.exe"C:\Users\Admin\AppData\Local\Temp\9753221afc815352348934c615626463392b7bc6730bd4f2b53ad3d268532371.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=9753221afc815352348934c615626463392b7bc6730bd4f2b53ad3d268532371.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.03⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:848 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\9753221afc815352348934c615626463392b7bc6730bd4f2b53ad3d268532371.exeFilesize
699KB
MD55abd9a7429df3a6f3fab1c4da9740e2e
SHA1b6c1833a87cc3f904bfe8356c677cd4f57b3aafd
SHA2569753221afc815352348934c615626463392b7bc6730bd4f2b53ad3d268532371
SHA5127810650ed0725d4f201d4864d21ee32d32b5a134af6d5653cee74c2af8e4ed8ec4bba4a83a633188b0ccf4176dead3874c7016cfe666431dc84e9cdb97c5b4de
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\N37RYBP5.txtFilesize
598B
MD57f6a0f68ac52cba2f4ff3c06f1293be4
SHA1366a6208d03207542323cb86963dea726f48e48b
SHA256527397cce8588196cf61d76769bb15fc251b0841a094b52a1ee745ee0ba10389
SHA512e1d3fb3b52a7e6ef76a879712c4d611536c2067e97b341598f2c37fcf3490c450706a2866f5a13a607a988fb4ee422fc82b4b3ec7c270f1d67bfd3eb3bb5a5c2
-
\Users\Admin\AppData\Local\Temp\9753221afc815352348934c615626463392b7bc6730bd4f2b53ad3d268532371.exeFilesize
699KB
MD55abd9a7429df3a6f3fab1c4da9740e2e
SHA1b6c1833a87cc3f904bfe8356c677cd4f57b3aafd
SHA2569753221afc815352348934c615626463392b7bc6730bd4f2b53ad3d268532371
SHA5127810650ed0725d4f201d4864d21ee32d32b5a134af6d5653cee74c2af8e4ed8ec4bba4a83a633188b0ccf4176dead3874c7016cfe666431dc84e9cdb97c5b4de
-
memory/804-56-0x00000000000C0000-0x00000000000CE000-memory.dmpFilesize
56KB
-
memory/804-58-0x00000000000C0000-0x00000000000CE000-memory.dmpFilesize
56KB
-
memory/804-59-0x00000000000C8B0E-mapping.dmp
-
memory/804-62-0x00000000000C0000-0x00000000000CE000-memory.dmpFilesize
56KB
-
memory/804-64-0x00000000000C0000-0x00000000000CE000-memory.dmpFilesize
56KB
-
memory/1280-54-0x0000000075811000-0x0000000075813000-memory.dmpFilesize
8KB