Analysis

  • max time kernel
    156s
  • max time network
    51s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    19-10-2022 21:56

General

  • Target

    afd826e3d09b5b147d9dc2874d159d4e066e633cfda82dac9c941e4df3c929d5.exe

  • Size

    32KB

  • MD5

    90f5a408048f5bd6803a98331cded120

  • SHA1

    a9ccc979131258242d80d3dbab2c41fb3d7511ed

  • SHA256

    afd826e3d09b5b147d9dc2874d159d4e066e633cfda82dac9c941e4df3c929d5

  • SHA512

    45c9925826c9e7ee7490b01c12808798997501961984be4c2ccc2764664122ec056e35e2a13fe50c056c929a7a65b5a54138630705779c965797698955875ad3

  • SSDEEP

    768:UfLjXHlL0vNcof4t08X+dk4FglrAHhd0AQvxCx:UfH3lLY4L4kWnusx

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

loaimajdi.no-ip.biz:5552

Mutex

10ce81ee12043fcd07c0abe92db49633

Attributes
  • reg_key

    10ce81ee12043fcd07c0abe92db49633

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\afd826e3d09b5b147d9dc2874d159d4e066e633cfda82dac9c941e4df3c929d5.exe
    "C:\Users\Admin\AppData\Local\Temp\afd826e3d09b5b147d9dc2874d159d4e066e633cfda82dac9c941e4df3c929d5.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1412
    • C:\Users\Admin\AppData\Local\Temp\internet downlood manger.exe
      "C:\Users\Admin\AppData\Local\Temp\internet downlood manger.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1404
      • C:\Windows\system32\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\internet downlood manger.exe" "internet downlood manger.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:2020

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

System Information Discovery

1
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\internet downlood manger.exe
    Filesize

    32KB

    MD5

    90f5a408048f5bd6803a98331cded120

    SHA1

    a9ccc979131258242d80d3dbab2c41fb3d7511ed

    SHA256

    afd826e3d09b5b147d9dc2874d159d4e066e633cfda82dac9c941e4df3c929d5

    SHA512

    45c9925826c9e7ee7490b01c12808798997501961984be4c2ccc2764664122ec056e35e2a13fe50c056c929a7a65b5a54138630705779c965797698955875ad3

  • C:\Users\Admin\AppData\Local\Temp\internet downlood manger.exe
    Filesize

    32KB

    MD5

    90f5a408048f5bd6803a98331cded120

    SHA1

    a9ccc979131258242d80d3dbab2c41fb3d7511ed

    SHA256

    afd826e3d09b5b147d9dc2874d159d4e066e633cfda82dac9c941e4df3c929d5

    SHA512

    45c9925826c9e7ee7490b01c12808798997501961984be4c2ccc2764664122ec056e35e2a13fe50c056c929a7a65b5a54138630705779c965797698955875ad3

  • memory/1404-58-0x0000000000000000-mapping.dmp
  • memory/1404-61-0x0000000001320000-0x000000000132E000-memory.dmp
    Filesize

    56KB

  • memory/1412-54-0x0000000000D10000-0x0000000000D1E000-memory.dmp
    Filesize

    56KB

  • memory/1412-55-0x00000000003C0000-0x00000000003C8000-memory.dmp
    Filesize

    32KB

  • memory/1412-56-0x00000000003E0000-0x00000000003EC000-memory.dmp
    Filesize

    48KB

  • memory/1412-57-0x000007FEFB6A1000-0x000007FEFB6A3000-memory.dmp
    Filesize

    8KB

  • memory/2020-62-0x0000000000000000-mapping.dmp