Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
03-10-2022 00:30
General
-
Target
e9fcf30398488762d2a51dee752480e71b9ac9da5ab2f961ae9b0f2dc3b747d1.exe
-
Size
29KB
-
MD5
30c6d818e5ac01e4e9a998d7ec4ab5df
-
SHA1
5fed4519e25031b968eec619b761618d52bcd265
-
SHA256
e9fcf30398488762d2a51dee752480e71b9ac9da5ab2f961ae9b0f2dc3b747d1
-
SHA512
ea9c48c09bd8c668b038a9f4b6d94c50d661081bffee286b946a675135f5d5f2d6d18adb6321fd036b717331938ebc15602c587787f246ecf124be9a7492db05
-
SSDEEP
384:2xUHEBl7p3hUw2s7bD55gEKemqDSqre/IDGBsbh0w4wlAokw9OhgOL1vYRGOZzCI:217bUw2C3kEcqNreHBKh0p29SgRzj
Malware Config
Extracted
njrat
0.6.4
HacKed
ahmed124.no-ip.biz:1177
5cd8f17f4086744065eb0992a09e05a2
-
reg_key
5cd8f17f4086744065eb0992a09e05a2
-
splitter
|'|'|
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Executes dropped EXE 1 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 45 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e9fcf30398488762d2a51dee752480e71b9ac9da5ab2f961ae9b0f2dc3b747d1.exe"C:\Users\Admin\AppData\Local\Temp\e9fcf30398488762d2a51dee752480e71b9ac9da5ab2f961ae9b0f2dc3b747d1.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Trojan.exe"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE3⤵
- Modifies Windows Firewall
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
29KB
MD530c6d818e5ac01e4e9a998d7ec4ab5df
SHA15fed4519e25031b968eec619b761618d52bcd265
SHA256e9fcf30398488762d2a51dee752480e71b9ac9da5ab2f961ae9b0f2dc3b747d1
SHA512ea9c48c09bd8c668b038a9f4b6d94c50d661081bffee286b946a675135f5d5f2d6d18adb6321fd036b717331938ebc15602c587787f246ecf124be9a7492db05
-
Filesize
29KB
MD530c6d818e5ac01e4e9a998d7ec4ab5df
SHA15fed4519e25031b968eec619b761618d52bcd265
SHA256e9fcf30398488762d2a51dee752480e71b9ac9da5ab2f961ae9b0f2dc3b747d1
SHA512ea9c48c09bd8c668b038a9f4b6d94c50d661081bffee286b946a675135f5d5f2d6d18adb6321fd036b717331938ebc15602c587787f246ecf124be9a7492db05
-
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-