Overview

overview

10

Static

static

c16377a25b...bc.exe

windows7-x64

10

c16377a25b...bc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    157s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 10:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c16377a25b5e9888be5e7c46663a01a6f361fc0c70ba1b9e538805952490b9bc.exe

  • Size

    44KB

  • MD5

    d2b8a106c29dac903ad8ebeb5fc84f6f

  • SHA1

    5b4fe7cd5a6444eaee074d214cfd0ed712d46b3c

  • SHA256

    c16377a25b5e9888be5e7c46663a01a6f361fc0c70ba1b9e538805952490b9bc

  • SHA512

    596ca15887de0cec578609bf966149057dceda5edf732cb9f788536c28a2130d757909e459f0f2f1d3160e632d6431bf5c7a41ee6a2dcbcb8b6bb7a755ffbb04

  • SSDEEP

    768:YHPOFt6gtzDFHZiS1v+yBzrBQJRriq+9Q:uWUylr1vh3BQJRez9Q

Score
10/10
njrathacker 8evasiontrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HaCkEr 8

C2

xxx99.zapto.org:88

Mutex

a3d748392c83eb40cc2f4a5e2518c816

Attributes
  • reg_key

    a3d748392c83eb40cc2f4a5e2518c816

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Executes dropped EXE 2 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c16377a25b5e9888be5e7c46663a01a6f361fc0c70ba1b9e538805952490b9bc.exe
    "C:\Users\Admin\AppData\Local\Temp\c16377a25b5e9888be5e7c46663a01a6f361fc0c70ba1b9e538805952490b9bc.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2224
    • C:\Users\Admin\AppData\Local\Temp\che0htx7ddBIfTLpGoKV.exe
      "C:\Users\Admin\AppData\Local\Temp\che0htx7ddBIfTLpGoKV.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:220
      • C:\Users\Admin\AppData\Local\Temp\conhost.exe
        "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4188
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\conhost.exe" "conhost.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          PID:3744

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\che0htx7ddBIfTLpGoKV.exe
    Filesize

    23KB

    MD5

    036d59f26793710fd58dbd3e1bd36cf7

    SHA1

    a59a1193c66fdc51f7deeaba2a5d61f42c71dc04

    SHA256

    6521ae85edfdd75130e1401fc9a3040e422e4d5fd5a5f467c0602330adf08c6b

    SHA512

    3e65e4b7c6b52f9ff7f5853ea844aad55a41582d37d1e5870b92b5fe343d05c1b89ed75750259c897dec7dde62fb35cb709d6ca93c746b5062d9814e0e1487cf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\che0htx7ddBIfTLpGoKV.exe
    Filesize

    23KB

    MD5

    036d59f26793710fd58dbd3e1bd36cf7

    SHA1

    a59a1193c66fdc51f7deeaba2a5d61f42c71dc04

    SHA256

    6521ae85edfdd75130e1401fc9a3040e422e4d5fd5a5f467c0602330adf08c6b

    SHA512

    3e65e4b7c6b52f9ff7f5853ea844aad55a41582d37d1e5870b92b5fe343d05c1b89ed75750259c897dec7dde62fb35cb709d6ca93c746b5062d9814e0e1487cf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\conhost.exe
    Filesize

    23KB

    MD5

    036d59f26793710fd58dbd3e1bd36cf7

    SHA1

    a59a1193c66fdc51f7deeaba2a5d61f42c71dc04

    SHA256

    6521ae85edfdd75130e1401fc9a3040e422e4d5fd5a5f467c0602330adf08c6b

    SHA512

    3e65e4b7c6b52f9ff7f5853ea844aad55a41582d37d1e5870b92b5fe343d05c1b89ed75750259c897dec7dde62fb35cb709d6ca93c746b5062d9814e0e1487cf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\conhost.exe
    Filesize

    23KB

    MD5

    036d59f26793710fd58dbd3e1bd36cf7

    SHA1

    a59a1193c66fdc51f7deeaba2a5d61f42c71dc04

    SHA256

    6521ae85edfdd75130e1401fc9a3040e422e4d5fd5a5f467c0602330adf08c6b

    SHA512

    3e65e4b7c6b52f9ff7f5853ea844aad55a41582d37d1e5870b92b5fe343d05c1b89ed75750259c897dec7dde62fb35cb709d6ca93c746b5062d9814e0e1487cf

    Download Submit

  • memory/220-137-0x0000000075160000-0x0000000075711000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/220-133-0x0000000000000000-mapping.dmp

    Download

  • memory/220-141-0x0000000075160000-0x0000000075711000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2224-136-0x0000000075160000-0x0000000075711000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2224-132-0x0000000075160000-0x0000000075711000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3744-143-0x0000000000000000-mapping.dmp

    Download

  • memory/4188-138-0x0000000000000000-mapping.dmp

    Download

  • memory/4188-142-0x0000000075160000-0x0000000075711000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4188-144-0x0000000075160000-0x0000000075711000-memory.dmp

    Filesize

    5.7MB

    Download