Analysis

  • max time kernel
    161s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-10-2022 01:26

General

  • Target

    310c021fb4f390cf764b379aca54d1c2f936ea1ec2347bc4ff60bc77e4cac976.exe

  • Size

    200KB

  • MD5

    66e84153d32a83fc6bddb60b67de2640

  • SHA1

    730408f28dc20362eb02f683a288ae853bfd8476

  • SHA256

    310c021fb4f390cf764b379aca54d1c2f936ea1ec2347bc4ff60bc77e4cac976

  • SHA512

    a00d96f90610c1376832518c11b9bc2a3e9a497be6a95342788b87a6731704605fdc3bfbc2b4b2e633d5798b0dd2efa6fe53578bec9576b2c6ab5ab7e98e7437

  • SSDEEP

    1536:WSotYbj6iGuhiHpabOU81c57KPCYYX5uAgqHFjdVlrO2FdvSKUxsy/bQ6Ar3:WSoabWWigOU8c7DZJrOodvTUxFVAr3

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

127.0.0.1:1177 (loopback: this build phones home to localhost on njRAT's default port 1177, which is why the Network section below is empty; the C2 address is therefore not a usable network IoC)

Mutex

ba4c12bee3027d94da5c81db2d196bfd

Attributes
  • reg_key

    ba4c12bee3027d94da5c81db2d196bfd

  • splitter

    |'|'|
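The splitter attribute above is the field delimiter njRAT uses inside its C2 messages. The following is an added example, not code from the sample or from the sandbox, showing how a stream of such messages is framed and tokenised. It assumes the wire framing described in public njRAT write-ups (each message is an ASCII decimal length, a NUL byte, then the payload; payload fields are separated by the configured splitter); the sample messages and command names are constructed for the example, not captured traffic.

```python
"""Frame and tokenise njRAT-style C2 messages using the splitter from the config.

Added example (not the sample's or the sandbox's code). Assumed framing:
'<decimal length>' NUL '<payload>', fields inside the payload separated by
the configured splitter. Messages below are constructed, not captured.
"""

SPLITTER = "|'|'|"          # Malware Config -> Attributes -> splitter
C2 = ("127.0.0.1", 1177)    # Malware Config -> C2 (loopback in this build)


def frame(payload: str) -> bytes:
    """Build one frame: the byte length of the payload, a NUL, then the payload."""
    data = payload.encode("utf-8")
    return str(len(data)).encode("ascii") + b"\x00" + data


def build(*fields: str, splitter: str = SPLITTER) -> bytes:
    """Join fields with the splitter and frame the result."""
    return frame(splitter.join(fields))


def parse_stream(buf: bytes, splitter: str = SPLITTER):
    """Split a TCP byte buffer into complete messages.

    Returns (messages, leftover): messages is a list of field lists, leftover
    is a trailing partial frame to prepend to the next read. TCP does not
    preserve message boundaries, so several frames may arrive in one read and
    a frame may be cut in half; both cases are handled here.
    """
    messages = []
    i = 0
    while True:
        nul = buf.find(b"\x00", i)
        if nul == -1:
            break                                  # no complete length prefix yet
        prefix = buf[i:nul]
        if not prefix.isdigit():
            raise ValueError(f"bad length prefix at offset {i}: {prefix!r}")
        start = nul + 1
        end = start + int(prefix)
        if end > len(buf):
            break                                  # payload not fully received yet
        payload = buf[start:end].decode("utf-8", errors="replace")
        messages.append(payload.split(splitter))
        i = end
    return messages, buf[i:]


def looks_like_njrat(buf: bytes, splitter: str = SPLITTER) -> bool:
    """Cheap traffic heuristic: at least one well-formed frame whose payload
    contains the configured splitter."""
    try:
        messages, _ = parse_stream(buf, splitter)
    except ValueError:
        return False
    return any(len(fields) > 1 for fields in messages)


if __name__ == "__main__":
    # Two whole frames plus the start of a third, as they might sit in one recv().
    # "cmd", "a", "b", "x" are constructed placeholders, not real njRAT commands.
    stream = build("cmd", "a", "b") + build("x") + b"7\x00abc"
    msgs, rest = parse_stream(stream)
    print("messages:", msgs)        # [['cmd', 'a', 'b'], ['x']]
    print("leftover:", rest)        # b'7\x00abc'
    print("njrat-like:", looks_like_njrat(stream))
```

The parser deliberately works on byte lengths (not character counts) because the length prefix counts the encoded payload; a payload with non-ASCII characters, such as a Portuguese window title, would otherwise desynchronise the stream.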

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs

    The dropped EXE whitelists itself with the legacy `netsh firewall add allowedprogram` context (see Processes). That context is deprecated in favour of `netsh advfirewall` but is still accepted on Windows 10, so detections should match both forms.
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature suggests ransomware; for an njRAT sample, drive enumeration more plausibly belongs to the family's removable-drive spreading routine, so treat the ransomware hint with caution.

  • Suspicious behavior: EnumeratesProcesses 45 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\310c021fb4f390cf764b379aca54d1c2f936ea1ec2347bc4ff60bc77e4cac976.exe
    "C:\Users\Admin\AppData\Local\Temp\310c021fb4f390cf764b379aca54d1c2f936ea1ec2347bc4ff60bc77e4cac976.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4504
    • C:\Users\Admin\AppData\Local\Temp\Gerenciador De Audio Do Windows.exe
      "C:\Users\Admin\AppData\Local\Temp\Gerenciador De Audio Do Windows.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2104
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Gerenciador De Audio Do Windows.exe" "Gerenciador De Audio Do Windows.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:1656
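The process tree above gives a compact set of host behaviours to hunt for: an executable running from %TEMP% that writes a Run key pointing back into a user-writable directory, drops a file into the Startup folder, and spawns netsh to whitelist itself. The block below is an added example, not code from the sandbox or from the sample, that runs those detections over constructed Sysmon-style events. Event IDs follow Sysmon's numbering (1 process create, 11 file create, 13 registry value set); the netsh command line is the one observed above, the Run value name is the config's reg_key, and the HKCU key form, the startup file name and the benign control event are assumptions, since the report does not list them.

```python
"""Host detection logic for the behaviours in this report, over constructed events.

Added example; not the sandbox's or the sample's code. Events are constructed
Sysmon-style dicts mirroring the report's process tree, not a real capture.
"""
import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPED = TEMP + r"\Gerenciador De Audio Do Windows.exe"
SAMPLE = TEMP + r"\310c021fb4f390cf764b379aca54d1c2f936ea1ec2347bc4ff60bc77e4cac976.exe"

# Constructed events (Sysmon IDs: 1 process create, 11 file create, 13 reg value set).
# The Run value name is the config reg_key; the HKCU form, the startup file
# name and the last (benign) event are assumptions for the example.
EVENTS = [
    {"id": 1, "pid": 4504, "ppid": 1000, "image": SAMPLE, "cmdline": '"' + SAMPLE + '"'},
    {"id": 1, "pid": 2104, "ppid": 4504, "image": DROPPED, "cmdline": '"' + DROPPED + '"'},
    {"id": 13, "pid": 2104, "image": DROPPED,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ba4c12bee3027d94da5c81db2d196bfd",
     "details": '"' + DROPPED + '"'},
    {"id": 11, "pid": 2104, "image": DROPPED,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\example_dropped.exe"},
    {"id": 1, "pid": 1656, "ppid": 2104, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": 'netsh firewall add allowedprogram "' + DROPPED + '" "Gerenciador De Audio Do Windows.exe" ENABLE'},
    # Benign control: an administrator whitelisting software installed under Program Files.
    {"id": 1, "pid": 7000, "ppid": 6000, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="App" dir=in action=allow program="C:\Program Files\App\app.exe"'},
]

# Directories an unprivileged user can write to; legitimate firewall rules and
# Run entries rarely point there.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming)\\|\\Users\\Public\\|\\ProgramData\\",
    re.IGNORECASE,
)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Legacy context used by the sample, plus the advfirewall equivalent.
NETSH_ALLOW = re.compile(
    r"\bfirewall\s+add\s+allowedprogram\b|\badvfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b",
    re.IGNORECASE,
)


def detect(events):
    """Return {pid: sorted rule names} for every process that trips at least one rule."""
    hits = defaultdict(set)
    images = {e["pid"]: e["image"] for e in events if e["id"] == 1}
    for e in events:
        pid, image = e["pid"], e.get("image", "")
        if e["id"] == 1:
            cmd = e.get("cmdline", "")
            if image.lower().endswith("\\netsh.exe") and NETSH_ALLOW.search(cmd):
                if USER_WRITABLE.search(cmd):
                    hits[pid].add("netsh_allows_user_writable_program")
                # Attribute the netsh call to its parent when the parent itself
                # runs from a user-writable directory (the 2104 -> 1656 edge above).
                if USER_WRITABLE.search(images.get(e["ppid"], "")):
                    hits[e["ppid"]].add("user_writable_exe_spawns_netsh")
        elif e["id"] == 13:
            if RUN_KEY.search(e["target"]) and USER_WRITABLE.search(e.get("details", "")):
                hits[pid].add("run_key_points_to_user_writable_path")
        elif e["id"] == 11:
            if STARTUP_DIR.search(e["target"]):
                hits[pid].add("file_dropped_in_startup_folder")
    return {pid: sorted(rules) for pid, rules in hits.items()}


if __name__ == "__main__":
    for pid, rules in sorted(detect(EVENTS).items()):
        print(pid, rules)
```

Each rule is weak on its own (administrators do add firewall exceptions, installers do write Run keys); the value is in the conjunction on a single process, which is why findings are grouped by PID rather than emitted as independent alerts. The benign control event trips the netsh rule's command-line match but not the user-writable path check, so it produces no finding.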

Network

MITRE ATT&CK Matrix (ATT&CK v6; counts are the number of matching signatures)

Persistence

  • Modify Existing Service (T1031) 1
  • Registry Run Keys / Startup Folder (T1060) 1

Defense Evasion

  • Modify Registry (T1112) 1

Discovery

  • Query Registry (T1012) 1
  • System Information Discovery (T1082) 2

These are v6 identifiers. In current ATT&CK, T1060 is T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder) and T1031 has been revoked, its content folded into T1543.003 (Create or Modify System Process: Windows Service); T1012, T1082 and T1112 are unchanged.

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Gerenciador De Audio Do Windows.exe
    Filesize

    29KB

    MD5

    c450ec14f481075219631a00657111a6

    SHA1

    c5238b0b790a4648db2c329362a26fb520d92f13

    SHA256

    a80722d4d3a83545e1b724c287f0be3d83196f17b884104d4cfcfb30a11d8499

    SHA512

    20652659c089e64b6e917a2960db8470988a3ffd87966338e7b4a2ccbbeca6fe2bce15a5f2a050429a3da8b1dbc6a389901fe4c96e00b74fc55f6a1e59d1864a

  • memory/1656-141-0x0000000000000000-mapping.dmp
  • memory/2104-138-0x0000000000000000-mapping.dmp
  • memory/2104-142-0x000000006F870000-0x000000006FE21000-memory.dmp
    Filesize

    5.7MB

  • memory/2104-143-0x000000006F870000-0x000000006FE21000-memory.dmp
    Filesize

    5.7MB

  • memory/4504-132-0x0000000000440000-0x0000000000458000-memory.dmp
    Filesize

    96KB

  • memory/4504-133-0x00000000078B0000-0x0000000007E54000-memory.dmp
    Filesize

    5.6MB

  • memory/4504-134-0x00000000073A0000-0x0000000007432000-memory.dmp
    Filesize

    584KB

  • memory/4504-135-0x0000000007440000-0x00000000074DC000-memory.dmp
    Filesize

    624KB

  • memory/4504-136-0x0000000007310000-0x000000000731A000-memory.dmp
    Filesize

    40KB

  • memory/4504-137-0x0000000007370000-0x0000000007392000-memory.dmp
    Filesize

    136KB