Analysis

  • max time kernel
    199s
  • max time network
    207s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-10-2022 10:13

General

  • Target

    b16945da30d28760d111a30d1461fa4cb548d3febedd0447e82f2799b8912178.exe

  • Size

    868KB

  • MD5

    6344136916735c417ffd49606be4aea0

  • SHA1

    246bec05170515feaf08a88387beb78fe3d01df4

  • SHA256

    b16945da30d28760d111a30d1461fa4cb548d3febedd0447e82f2799b8912178

  • SHA512

    a9bce68c621d5f9affe355c2048cd4b48cc32fefc462aecae676e3ab4b3ea9fdc24f1f94400c8b4ea8a3d2f86e399916788a970ac23aa15b674236e5c26b4009

  • SSDEEP

    24576:c1NRQ0/S7A5SkvNYxllTRS/wibJ482oNrt27EF:c1NQMSdxNSlbN2M4C

Score
10/10

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

mosa15.zapto.org:15

Mutex

db202f2d0c993a02c48604d33df7e68f

Attributes
  • reg_key

    db202f2d0c993a02c48604d33df7e68f

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 22 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b16945da30d28760d111a30d1461fa4cb548d3febedd0447e82f2799b8912178.exe
    "C:\Users\Admin\AppData\Local\Temp\b16945da30d28760d111a30d1461fa4cb548d3febedd0447e82f2799b8912178.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3416
    • C:\Users\Admin\AppData\Local\Temp\s.exe
      "C:\Users\Admin\AppData\Local\Temp\s.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:3824
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /f /im SYNBOZ.EXE
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3200
      • C:\Windows\SYNBOZMAX\SYNBOZLIB.exe
        "C:\Windows\SYNBOZMAX\SYNBOZLIB.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3620
        • C:\Windows\SysWOW64\RunDll32.exe
          RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:1468
          • C:\Windows\SysWOW64\rundll32.exe
            C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:8 WinX:0 WinY:0 IEFrame:00000000
            5⤵
            • Modifies registry class
            PID:2652
    • C:\Users\Admin\AppData\Local\Temp\6.exe
      "C:\Users\Admin\AppData\Local\Temp\6.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\Users\Admin\AppData\Local\Temp\googlachorme.exe
        "C:\Users\Admin\AppData\Local\Temp\googlachorme.exe"
        3⤵
        • Executes dropped EXE
        PID:3760

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion: Modify Registry (1) T1112
  • Discovery: Query Registry (1) T1012
  • Discovery: System Information Discovery (2) T1082

Downloads

  • C:\Users\Admin\AppData\Local\Temp\6.exe
    Filesize

    29KB

    MD5

    e4cdddd6b316e2ea7ce8a492428f15c7

    SHA1

    344691143abde6eb48b688145abc2e768e5a3432

    SHA256

    797d02646aa5af694718f9485795fec23578089723c82c8745724edef7c5520c

    SHA512

    a603b7e614fe42ce84ae0ce8c2493e326f937d57df5d3bf824a75d47c50250206b202516755457a1ebf7be7fc844f7229dc773c09127f1b3ff0f0fdff5171aa0

  • C:\Users\Admin\AppData\Local\Temp\googlachorme.exe
    Filesize

    29KB

    MD5

    e4cdddd6b316e2ea7ce8a492428f15c7

    SHA1

    344691143abde6eb48b688145abc2e768e5a3432

    SHA256

    797d02646aa5af694718f9485795fec23578089723c82c8745724edef7c5520c

    SHA512

    a603b7e614fe42ce84ae0ce8c2493e326f937d57df5d3bf824a75d47c50250206b202516755457a1ebf7be7fc844f7229dc773c09127f1b3ff0f0fdff5171aa0

  • C:\Users\Admin\AppData\Local\Temp\s.exe
    Filesize

    862KB

    MD5

    849b05a8a0f630bdab9a39223116eda1

    SHA1

    9acf4a1f3cb6035dba398f3ce88cd0922f5d7a32

    SHA256

    d0fed36c8db70c4849c6fe80e44742215104072315ddea41406fecdd744c8ed1

    SHA512

    5347a06d8ecf7b45be36ddf323f9e6ca52fa84f96dfed9d5b6670d0d4425aa0a5918365219c4d9aa5d85cb15b905f16185a3c08ba4f588f9ba266c8ff2d51ea0

  • C:\Windows\SYNBOZMAX\SYNBOZLIB.exe
    Filesize

    532KB

    MD5

    8c4c16c0354b29a4c307dea498e93c7d

    SHA1

    fb77560fe6454f1b2e6ad37c77aae79aee997ecd

    SHA256

    81c4a2d44dc6ec5e53fb663b2edce35780084b170c67e8d46bee65e395b99c40

    SHA512

    59c49289333b9e2c8434e6ea39970896828d4f3826ab36f1214cfb7d32adcf146b62b502f5a7274aee0458f524c662ba6c63cbfb49cfc3fbe4bb7212a3ee9191

  • memory/1468-151-0x0000000000000000-mapping.dmp
  • memory/2556-138-0x0000000074D50000-0x0000000075301000-memory.dmp
    Filesize

    5.7MB

  • memory/2556-143-0x0000000074D50000-0x0000000075301000-memory.dmp
    Filesize

    5.7MB

  • memory/2556-135-0x0000000000000000-mapping.dmp
  • memory/2652-152-0x0000000000000000-mapping.dmp
  • memory/3200-141-0x0000000000000000-mapping.dmp
  • memory/3620-145-0x0000000000000000-mapping.dmp
  • memory/3760-144-0x0000000074D50000-0x0000000075301000-memory.dmp
    Filesize

    5.7MB

  • memory/3760-139-0x0000000000000000-mapping.dmp
  • memory/3824-132-0x0000000000000000-mapping.dmp