Analysis

  • max time kernel
    175s
  • max time network
    190s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 13:48

General

  • Target

    8499fc86fd5a287da4f9cd0e555790750c57f6e34c1dca47e090e684f5409b1e.exe

  • Size

    29KB

  • MD5

    444ca0042e76c79b03e34d1a644ebb27

  • SHA1

    9703cacaec1a4aeb7305f879eb41faef6e04c336

  • SHA256

    8499fc86fd5a287da4f9cd0e555790750c57f6e34c1dca47e090e684f5409b1e

  • SHA512

    e3eb1beb39a1e491bf3355422f4507f7d65e536ad2c6ea03ac723e6cf61194def3e5bedda3c3828165b294eb92e0543865bf207fff8a9baf0978099ac4a11c9e

  • SSDEEP

    384:A+jNl7fFhYUEWntB5Pc36WmqDoRE8e/aGBsbh0w4wlAokw9OhgOL1vYRGOZzPZY/:P77YUEkXy3Mqw7edBKh0p29SgR50

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

danamuhammad12.no-ip.org:1177

Mutex

74d94d2bacd9d8a6b5e32bc0551a4a64

Attributes
  • reg_key

    74d94d2bacd9d8a6b5e32bc0551a4a64

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 45 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8499fc86fd5a287da4f9cd0e555790750c57f6e34c1dca47e090e684f5409b1e.exe
    "C:\Users\Admin\AppData\Local\Temp\8499fc86fd5a287da4f9cd0e555790750c57f6e34c1dca47e090e684f5409b1e.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4296
    • C:\Users\Admin\AppData\Roaming\No God But Allah.exe
      "C:\Users\Admin\AppData\Roaming\No God But Allah.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1796
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\No God But Allah.exe" "No God But Allah.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:1168

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\No God But Allah.exe

    Filesize

    29KB

    MD5

    444ca0042e76c79b03e34d1a644ebb27

    SHA1

    9703cacaec1a4aeb7305f879eb41faef6e04c336

    SHA256

    8499fc86fd5a287da4f9cd0e555790750c57f6e34c1dca47e090e684f5409b1e

    SHA512

    e3eb1beb39a1e491bf3355422f4507f7d65e536ad2c6ea03ac723e6cf61194def3e5bedda3c3828165b294eb92e0543865bf207fff8a9baf0978099ac4a11c9e

  • C:\Users\Admin\AppData\Roaming\No God But Allah.exe

    Filesize

    29KB

    MD5

    444ca0042e76c79b03e34d1a644ebb27

    SHA1

    9703cacaec1a4aeb7305f879eb41faef6e04c336

    SHA256

    8499fc86fd5a287da4f9cd0e555790750c57f6e34c1dca47e090e684f5409b1e

    SHA512

    e3eb1beb39a1e491bf3355422f4507f7d65e536ad2c6ea03ac723e6cf61194def3e5bedda3c3828165b294eb92e0543865bf207fff8a9baf0978099ac4a11c9e

  • memory/1168-137-0x0000000000000000-mapping.dmp

  • memory/1796-133-0x0000000000000000-mapping.dmp

  • memory/1796-138-0x0000000074DF0000-0x00000000753A1000-memory.dmp

    Filesize

    5.7MB

  • memory/1796-139-0x0000000074DF0000-0x00000000753A1000-memory.dmp

    Filesize

    5.7MB

  • memory/4296-132-0x0000000074DF0000-0x00000000753A1000-memory.dmp

    Filesize

    5.7MB

  • memory/4296-136-0x0000000074DF0000-0x00000000753A1000-memory.dmp

    Filesize

    5.7MB