Analysis
-
max time kernel
178s -
max time network
210s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
24-11-2022 04:23
General
-
Target
9387753971c8b749b4edef686758f94018543fc84c65975eff71a5daefd98494.exe
-
Size
368KB
-
MD5
ad0fa345b71a76b8d15c94bec1a1f4f6
-
SHA1
f029a767679d8f203d3b631e79b9391a9d7c1879
-
SHA256
9387753971c8b749b4edef686758f94018543fc84c65975eff71a5daefd98494
-
SHA512
670aa1273c71e9fde7a5e8093d6e9c9dc743c5b87cf9cdeb31d30c9059e77511595abfe791d824eca1f012ad55ea08b3c4c518ee2ae92deaa22ac96480190f14
-
SSDEEP
3072:60py5k0ogEyQdvbj/AbOlm+Qm2Ij8uluvXLonyAKaLap2F3glH/EHnPBM3ZwCr2B:
Malware Config
Extracted
njrat
0.7d
HacKed
185.20.224.121:80
ab66a766385428849b68a77f294c8ace
-
reg_key
ab66a766385428849b68a77f294c8ace
-
splitter
|'|'|
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Executes dropped EXE 1 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 29 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9387753971c8b749b4edef686758f94018543fc84c65975eff71a5daefd98494.exe"C:\Users\Admin\AppData\Local\Temp\9387753971c8b749b4edef686758f94018543fc84c65975eff71a5daefd98494.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE3⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
368KB
MD5ad0fa345b71a76b8d15c94bec1a1f4f6
SHA1f029a767679d8f203d3b631e79b9391a9d7c1879
SHA2569387753971c8b749b4edef686758f94018543fc84c65975eff71a5daefd98494
SHA512670aa1273c71e9fde7a5e8093d6e9c9dc743c5b87cf9cdeb31d30c9059e77511595abfe791d824eca1f012ad55ea08b3c4c518ee2ae92deaa22ac96480190f14
-
Filesize
368KB
MD5ad0fa345b71a76b8d15c94bec1a1f4f6
SHA1f029a767679d8f203d3b631e79b9391a9d7c1879
SHA2569387753971c8b749b4edef686758f94018543fc84c65975eff71a5daefd98494
SHA512670aa1273c71e9fde7a5e8093d6e9c9dc743c5b87cf9cdeb31d30c9059e77511595abfe791d824eca1f012ad55ea08b3c4c518ee2ae92deaa22ac96480190f14
-
-
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB