Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
23-11-2022 15:49
General
-
Target
45420f1150a00fc1b74db78200c2d0e593e20a732586de6db59af7ba2a718715.exe
-
Size
532KB
-
MD5
0e96867b9627a91f834acad0e7b84e25
-
SHA1
f9840c3a06ae977817ce14c831afd7c4ba7fabab
-
SHA256
45420f1150a00fc1b74db78200c2d0e593e20a732586de6db59af7ba2a718715
-
SHA512
966c3fb0cf56304d5919c894f5a8745156180fd82648b3241373918242791700cbca10f06d0cea49aaf386628a99f64c89df1db041677dc5134fdde17f29b1bd
-
SSDEEP
6144:g1vZOZy/rCdul/Iw3Vn9dX8lzEmJDl3roqm+kP7zMv893WfIQZKnFWH+Lfw0sh:PZkrCkl/Z9dA7loqcq08I8KFk/h
Malware Config
Extracted
njrat
0.7d
BILLY
withgod.hopper.pw:770
b84a37071759ef5cf75837e93f4b857b
-
reg_key
b84a37071759ef5cf75837e93f4b857b
-
splitter
|'|'|
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Executes dropped EXE 2 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops desktop.ini file(s) 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\45420f1150a00fc1b74db78200c2d0e593e20a732586de6db59af7ba2a718715.exe"C:\Users\Admin\AppData\Local\Temp\45420f1150a00fc1b74db78200c2d0e593e20a732586de6db59af7ba2a718715.exe"1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\mpack\1.exe"C:\Users\Admin\AppData\Roaming\mpack\1.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\mpack\1.exe"C:\Users\Admin\AppData\Roaming\mpack\1.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\mpack\1.exe" "1.exe" ENABLE4⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
288KB
MD5d4fa7bd15aecc2749c171f5d97426a41
SHA10bda5e4cbe7ecec339d411cc5705800ef2e5f181
SHA2564a18bd3ea519399cf10546a69f1feb7a3b59f8688f7e6fc3c323e7971fab85f6
SHA512508f95802c686f08634a56a8dfc97293de57e4aaa68f179d9201ad4b7c167f63a4d76ef07d6e419c90ced7741cb8cc000c780b813a32334d90af3d9cc104186f
-
Filesize
288KB
MD5d4fa7bd15aecc2749c171f5d97426a41
SHA10bda5e4cbe7ecec339d411cc5705800ef2e5f181
SHA2564a18bd3ea519399cf10546a69f1feb7a3b59f8688f7e6fc3c323e7971fab85f6
SHA512508f95802c686f08634a56a8dfc97293de57e4aaa68f179d9201ad4b7c167f63a4d76ef07d6e419c90ced7741cb8cc000c780b813a32334d90af3d9cc104186f
-
Filesize
288KB
MD5d4fa7bd15aecc2749c171f5d97426a41
SHA10bda5e4cbe7ecec339d411cc5705800ef2e5f181
SHA2564a18bd3ea519399cf10546a69f1feb7a3b59f8688f7e6fc3c323e7971fab85f6
SHA512508f95802c686f08634a56a8dfc97293de57e4aaa68f179d9201ad4b7c167f63a4d76ef07d6e419c90ced7741cb8cc000c780b813a32334d90af3d9cc104186f
-
-
Filesize
40KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
-
Filesize
5.7MB
-
Filesize
5.7MB
-
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB