Overview

overview

10

Static

static

Quotation ...48.exe

windows7-x64

10

Quotation ...48.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-11-2022 17:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quotation List_0348.exe

  • Size

    6KB

  • MD5

    53e70bf3a2964e9c086d8ea3ac0daddf

  • SHA1

    82c8534e7cf0cf7d899d5871d0da82ba9c875f3b

  • SHA256

    246e869353e3d90c8aef21611cdfa29f32eaf84c07382ceaa0b251818213c541

  • SHA512

    74c3f2d7f4ad771690dba6ee0e6964aeb77aaed77bfc5d4e3ad3dc0104076a2085383272697247ec3191cafae87af437333f024323160f0af6714bf0663ead6b

  • SSDEEP

    96:XVuqNek+1LnGPL5RT2SzLAEy/tnp347KVYzNt:wH1Lqh2SzLAEUNR4g6

Score
10/10
njratupdatepersistencetrojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

update

C2

money2022.ddns.net:8080

Mutex

Windows

Attributes
  • reg_key

    Windows

  • splitter

    |-F-|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 5 IoCs
  • Adds Run key to start application 2 TTPs 7 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • Views/modifies file attributes 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quotation List_0348.exe
    "C:\Users\Admin\AppData\Local\Temp\Quotation List_0348.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4796
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA2AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2524
    • C:\Users\Admin\AppData\Local\Temp\Quotation List_0348.exe
      "C:\Users\Admin\AppData\Local\Temp\Quotation List_0348.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3080
      • C:\Users\Admin\AppData\Roaming\update.exe
        "C:\Users\Admin\AppData\Roaming\update.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2448
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA2AA==
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4812
        • C:\Users\Admin\AppData\Roaming\update.exe
          C:\Users\Admin\AppData\Roaming\update.exe
          4⤵
          • Executes dropped EXE
          • Drops startup file
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:904
          • C:\Windows\SysWOW64\attrib.exe
            attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
            5⤵
            • Drops startup file
            • Views/modifies file attributes
            PID:568
          • C:\Windows\SysWOW64\attrib.exe
            attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
            5⤵
            • Views/modifies file attributes
            PID:2200
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h +r +s "C:\Users\Admin\AppData\Roaming\update.exe"
        3⤵
        • Views/modifies file attributes
        PID:2776

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quotation List_0348.exe.log
    Filesize

    1KB

    MD5

    026fb31495d30e5dbfd00f398c2efbf8

    SHA1

    9cda8f5f58129e4d592ca1b9867835c86f38ab1b

    SHA256

    b008f16eeae90b4c6ba119fb308616c0795cdaca51adf2b64470a0c01aeeb8b7

    SHA512

    6d1cc01c90613522cfb7be7ea67ff03732b367dfc7bfd245ad6d7ea8e5e5def431b3339d17893b7b193cee2c3b4c22a459acd3d852ee88fce711e30c5af195a1

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    1KB

    MD5

    4280e36a29fa31c01e4d8b2ba726a0d8

    SHA1

    c485c2c9ce0a99747b18d899b71dfa9a64dabe32

    SHA256

    e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

    SHA512

    494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\update.exe.log
    Filesize

    1KB

    MD5

    026fb31495d30e5dbfd00f398c2efbf8

    SHA1

    9cda8f5f58129e4d592ca1b9867835c86f38ab1b

    SHA256

    b008f16eeae90b4c6ba119fb308616c0795cdaca51adf2b64470a0c01aeeb8b7

    SHA512

    6d1cc01c90613522cfb7be7ea67ff03732b367dfc7bfd245ad6d7ea8e5e5def431b3339d17893b7b193cee2c3b4c22a459acd3d852ee88fce711e30c5af195a1

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    Filesize

    53KB

    MD5

    06ad34f9739c5159b4d92d702545bd49

    SHA1

    9152a0d4f153f3f40f7e606be75f81b582ee0c17

    SHA256

    474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

    SHA512

    c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    16KB

    MD5

    7940c8b7f2df56a2cd862169a5564323

    SHA1

    545f8feef144704c6b9f9f97c1a726099a33c798

    SHA256

    6c04d1e7563e089e86fe559c172d2dc126d47670364d274fd2cba777a97d65a0

    SHA512

    b02cf4fdf05ceb3a3472a1cd71129e8df840570da386650ac8808015910d3834fbf9fe383c1c10ad571945858e4d93c250c03a10cd21ad2db46bc462d9b10207

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe
    Filesize

    6KB

    MD5

    53e70bf3a2964e9c086d8ea3ac0daddf

    SHA1

    82c8534e7cf0cf7d899d5871d0da82ba9c875f3b

    SHA256

    246e869353e3d90c8aef21611cdfa29f32eaf84c07382ceaa0b251818213c541

    SHA512

    74c3f2d7f4ad771690dba6ee0e6964aeb77aaed77bfc5d4e3ad3dc0104076a2085383272697247ec3191cafae87af437333f024323160f0af6714bf0663ead6b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
    Filesize

    1KB

    MD5

    c87a0c01932e2b874bc3b392253a663a

    SHA1

    51422af62636aaaedfccbe8e4f49ffc027a90989

    SHA256

    8a2b0b8a4e2bd3a1d8bad6ccd1dd2b92561b9abb7156b6701a6190458507795c

    SHA512

    ffd135cebd6e00bb32e0fba5361554e617af27556022ab3cb04c43eae8121ebd17d3868bef382061d7cbc993e805e1501bd580bdcead8f77b44f8889ac14c0a8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
    Filesize

    1KB

    MD5

    586210e5f1de944d08dd141fcadd408a

    SHA1

    0b539a283bfe6c23839a5c44f668af3ae205288d

    SHA256

    90a7d4cf6b4f075b45da710cf2f1fdfa71d0a654beb240fb74ff968ead06f742

    SHA512

    4a2ffa2d32f1bbcbfb1d0d76509717b9088ccb99557e47b03b03277524d4f1c6bc419dd91537ffd7e8fee7e427c017de3bec88c80c21c326388efe45c3dccca6

    Download Submit

  • C:\Users\Admin\AppData\Roaming\update.exe
    Filesize

    6KB

    MD5

    53e70bf3a2964e9c086d8ea3ac0daddf

    SHA1

    82c8534e7cf0cf7d899d5871d0da82ba9c875f3b

    SHA256

    246e869353e3d90c8aef21611cdfa29f32eaf84c07382ceaa0b251818213c541

    SHA512

    74c3f2d7f4ad771690dba6ee0e6964aeb77aaed77bfc5d4e3ad3dc0104076a2085383272697247ec3191cafae87af437333f024323160f0af6714bf0663ead6b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\update.exe
    Filesize

    6KB

    MD5

    53e70bf3a2964e9c086d8ea3ac0daddf

    SHA1

    82c8534e7cf0cf7d899d5871d0da82ba9c875f3b

    SHA256

    246e869353e3d90c8aef21611cdfa29f32eaf84c07382ceaa0b251818213c541

    SHA512

    74c3f2d7f4ad771690dba6ee0e6964aeb77aaed77bfc5d4e3ad3dc0104076a2085383272697247ec3191cafae87af437333f024323160f0af6714bf0663ead6b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\update.exe
    Filesize

    6KB

    MD5

    53e70bf3a2964e9c086d8ea3ac0daddf

    SHA1

    82c8534e7cf0cf7d899d5871d0da82ba9c875f3b

    SHA256

    246e869353e3d90c8aef21611cdfa29f32eaf84c07382ceaa0b251818213c541

    SHA512

    74c3f2d7f4ad771690dba6ee0e6964aeb77aaed77bfc5d4e3ad3dc0104076a2085383272697247ec3191cafae87af437333f024323160f0af6714bf0663ead6b

    Download Submit

  • memory/568-163-0x0000000000000000-mapping.dmp

    Download

  • memory/904-157-0x0000000000000000-mapping.dmp

    Download

  • memory/904-166-0x0000000005EA0000-0x0000000005EAA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2200-164-0x0000000000000000-mapping.dmp

    Download

  • memory/2448-148-0x0000000000000000-mapping.dmp

    Download

  • memory/2524-137-0x0000000002640000-0x0000000002676000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2524-142-0x0000000007460000-0x0000000007ADA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2524-141-0x0000000005C20000-0x0000000005C3E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2524-136-0x0000000000000000-mapping.dmp

    Download

  • memory/2524-140-0x00000000054F0000-0x0000000005556000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2524-143-0x0000000006110000-0x000000000612A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2524-139-0x0000000004E00000-0x0000000004E66000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2524-138-0x0000000004EC0000-0x00000000054E8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2776-151-0x0000000000000000-mapping.dmp

    Download

  • memory/3080-144-0x0000000000000000-mapping.dmp

    Download

  • memory/3080-145-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3080-147-0x0000000004C70000-0x0000000004D0C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4796-132-0x0000000000730000-0x0000000000738000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4796-135-0x0000000006E10000-0x0000000006E32000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4796-134-0x0000000007390000-0x0000000007934000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4796-133-0x0000000006D40000-0x0000000006DD2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4812-152-0x0000000000000000-mapping.dmp

    Download