Analysis

  • max time kernel
    169s
  • max time network
    176s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-11-2022 01:49

General

  • Target

    4c91884307199fbadb8aa41ce6d6bdef10e0d185737f75c79dbe28e62267c37b.exe

  • Size

    1.1MB

  • MD5

    6d614c1cc6113efb12d0d7eb0147db64

  • SHA1

    6e2ec4f4e73a358849c9b147428dbdb609d043f1

  • SHA256

    4c91884307199fbadb8aa41ce6d6bdef10e0d185737f75c79dbe28e62267c37b

  • SHA512

    78158ab786852d597a084a5f55401ae087468ae02ae077d56593c68eb4f0464b2573ba1347c9c0cd7a58409194232d2eb12a446b72e53ff569251668d25de007

  • SSDEEP

    24576:Itb20pkaCqT5TBWgNQ7aGSbRNn0eeiN/P+U7F16A:RVg5tQ7aGocen+U35

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

u0lf4ÓßgÒiNBMìNñõÛÃáÍÚÒæÉâgþ

C2

193.0.200.131:35689

Mutex

abde6d91c02e072e675204de91168fab

Attributes
  • reg_key

    abde6d91c02e072e675204de91168fab

  • splitter

    |'|'|

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Blocks application from running via registry modification 64 IoCs

    Adds application to list of disallowed applications.

  • Drops file in Drivers directory 13 IoCs
  • Executes dropped EXE 5 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Sets file to hidden 1 TTPs 16 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 8 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs
  • Views/modifies file attributes 1 TTPs 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4c91884307199fbadb8aa41ce6d6bdef10e0d185737f75c79dbe28e62267c37b.exe
    "C:\Users\Admin\AppData\Local\Temp\4c91884307199fbadb8aa41ce6d6bdef10e0d185737f75c79dbe28e62267c37b.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4560
    • C:\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE\RZ29oRt44C0mES2NOh4LHX7rjK2hRIIkVPjz.exe
      C:\Users\Admin\AppData\Local\Temp/WINDOWS/TEMPARCHIVE/RZ29oRt44C0mES2NOh4LHX7rjK2hRIIkVPjz.exe
      2⤵
      • Modifies WinLogon for persistence
      • Blocks application from running via registry modification
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:1700
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IyQoe.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4840
        • C:\Windows\system32\cacls.exe
          cacls C:\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE /E /P everyone:n
          4⤵
          PID:1852
        • C:\Windows\system32\cacls.exe
          cacls C:\Users\Admin\AppData\Local\Temp\WINDOWS /E /P everyone:n
          4⤵
          PID:4484
        • C:\Windows\system32\cacls.exe
          cacls C:\Users\Admin\AppData\Local\Temp\WorkspaceRuntime /E /P everyone:n
          4⤵
          PID:364
        • C:\Windows\system32\attrib.exe
          attrib +a +h +s +r "C:\Windows\System32\drivers\etc\*.*"
          4⤵
          • Drops file in Drivers directory
          • Sets file to hidden
          • Views/modifies file attributes
          PID:3304
        • C:\Windows\system32\attrib.exe
          attrib +a +h +s +r "C:\Windows\System32\drivers\etc"
          4⤵
          • Drops file in Drivers directory
          • Sets file to hidden
          • Views/modifies file attributes
          PID:3464
        • C:\Windows\system32\attrib.exe
          attrib +a +h +s +r "C:\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE\*.*"
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:3588
        • C:\Windows\system32\attrib.exe
          attrib +a +h +s +r "C:\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE"
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:4376
        • C:\Windows\system32\attrib.exe
          attrib +a +h +s +r "C:\Users\Admin\AppData\Local\Temp\WINDOWS\*.*"
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:4952
        • C:\Windows\system32\attrib.exe
          attrib +a +h +s +r "C:\Users\Admin\AppData\Local\Temp\WINDOWS"
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:4060
        • C:\Windows\system32\attrib.exe
          attrib +a +h +s +r "C:\Users\Admin\AppData\Local\Temp\WorkspaceRuntime\*.*"
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:4456
        • C:\Windows\system32\attrib.exe
          attrib +a +h +s +r "C:\Users\Admin\AppData\Local\Temp\WorkspaceRuntime"
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:344
    • C:\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE\taskeng.exe
      C:\Users\Admin\AppData\Local\Temp/WINDOWS/TEMPARCHIVE/taskeng.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4764
      • C:\Users\Admin\AppData\Local\temp\WINDOWS\TEMPARCHIVE\ucsvc.exe
        "C:\Users\Admin\AppData\Local\temp\WINDOWS\TEMPARCHIVE\ucsvc.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Checks computer location settings
        • Adds Run key to start application
        • Modifies Internet Explorer settings
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2056
        • C:\Users\Admin\AppData\Local\temp\WorkspaceRuntime\wksprt.exe
          "C:\Users\Admin\AppData\Local\temp\WorkspaceRuntime\wksprt.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2032
          • C:\Users\Admin\AppData\Local\temp\WorkspaceRuntime\wksprt.exe
            C:\Users\Admin\AppData\Local\temp\WorkspaceRuntime\wksprt.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4564
            • C:\Windows\SysWOW64\netsh.exe
              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\temp\WorkspaceRuntime\wksprt.exe" "wksprt.exe" ENABLE
              6⤵
              • Modifies Windows Firewall
              PID:5024
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4232
        • C:\Windows\system32\attrib.exe
          attrib +a +h +s +r "C:\Windows\System32\drivers\etc\*.*"
          4⤵
          • Drops file in Drivers directory
          • Sets file to hidden
          • Views/modifies file attributes
          PID:1392
        • C:\Windows\system32\attrib.exe
          attrib +a +h +s +r "C:\Windows\System32\drivers\etc"
          4⤵
          • Drops file in Drivers directory
          • Sets file to hidden
          • Views/modifies file attributes
          PID:4220
        • C:\Windows\system32\attrib.exe
          attrib +a +h +s +r "C:\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE\*.*"
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:112
        • C:\Windows\system32\attrib.exe
          attrib +a +h +s +r "C:\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE"
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:4848
        • C:\Windows\system32\attrib.exe
          attrib +a +h +s +r "C:\Users\Admin\AppData\Local\Temp\WINDOWS\*.*"
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:3732
        • C:\Windows\system32\attrib.exe
          attrib +a +h +s +r "C:\Users\Admin\AppData\Local\Temp\WINDOWS"
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:4184
        • C:\Windows\system32\attrib.exe
          attrib +a +h +s +r "C:\Users\Admin\AppData\Local\Temp\WorkspaceRuntime\*.*"
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:2876
        • C:\Windows\system32\attrib.exe
          attrib +a +h +s +r "C:\Users\Admin\AppData\Local\Temp\WorkspaceRuntime"
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:3696

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Winlogon Helper DLL (T1004) x1; Hidden Files and Directories (T1158) x3; Modify Existing Service (T1031) x1; Registry Run Keys / Startup Folder (T1060) x1
  • Defense Evasion: Modify Registry (T1112) x4; Hidden Files and Directories (T1158) x3
  • Discovery: Query Registry (T1012) x1; System Information Discovery (T1082) x2

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IyQoe.bat (522B)
  • C:\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE\Cb8eU.vbs (3KB)
  • C:\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE\RZ29oRt44C0mES2NOh4LHX7rjK2hRIIkVPjz.exe (113KB)
  • C:\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE\taskeng.exe (29KB)
  • C:\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE\ucsvc.exe (70KB)
  • C:\Users\Admin\AppData\Local\Temp\WorkspaceRuntime\wksprt.exe (220KB)
  • C:\Users\Admin\AppData\Local\Temp\v.bat (384B)
  • C:\Windows\System32\drivers\etc\hosts (1KB)