Analysis
-
max time kernel
153s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
25-11-2022 09:40
General
-
Target
3019ff465d9d7c657aa4e111da5212ffefa360d50a4586274bd38e067c7211f8.exe
-
Size
23KB
-
MD5
ba92dad10756935c6ba911220142f649
-
SHA1
52179e698584dc1eac64a0932db3df602a75b22e
-
SHA256
3019ff465d9d7c657aa4e111da5212ffefa360d50a4586274bd38e067c7211f8
-
SHA512
9323e99c80a76cd209d987bcbe25750e9ded79a657701802713fd70101550d9e84886afb329e62f5499870dfd2cb158b9cd3111e8e59cf8685eb22c26bb399c3
-
SSDEEP
384:d53gexUw/L+JrgUon5b9uSDMwT9Pfg6NgrWoBYi51mRvR6JZlbw8hqIusZzZX2:dVIAKG91DP1hPRpcnu9
Malware Config
Extracted
njrat
0.7d
BDOCERT
oqbpregoqbpreg.ddns.net:5552
60bab2eed75ad3333f713f5b24bffad6
-
reg_key
60bab2eed75ad3333f713f5b24bffad6
-
splitter
|'|'|
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Executes dropped EXE 1 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 27 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3019ff465d9d7c657aa4e111da5212ffefa360d50a4586274bd38e067c7211f8.exe"C:\Users\Admin\AppData\Local\Temp\3019ff465d9d7c657aa4e111da5212ffefa360d50a4586274bd38e067c7211f8.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\iexplore.exe"C:\Users\Admin\AppData\Roaming\iexplore.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\iexplore.exe" "iexplore.exe" ENABLE3⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\iexplore.exeFilesize
23KB
MD5ba92dad10756935c6ba911220142f649
SHA152179e698584dc1eac64a0932db3df602a75b22e
SHA2563019ff465d9d7c657aa4e111da5212ffefa360d50a4586274bd38e067c7211f8
SHA5129323e99c80a76cd209d987bcbe25750e9ded79a657701802713fd70101550d9e84886afb329e62f5499870dfd2cb158b9cd3111e8e59cf8685eb22c26bb399c3
-
C:\Users\Admin\AppData\Roaming\iexplore.exeFilesize
23KB
MD5ba92dad10756935c6ba911220142f649
SHA152179e698584dc1eac64a0932db3df602a75b22e
SHA2563019ff465d9d7c657aa4e111da5212ffefa360d50a4586274bd38e067c7211f8
SHA5129323e99c80a76cd209d987bcbe25750e9ded79a657701802713fd70101550d9e84886afb329e62f5499870dfd2cb158b9cd3111e8e59cf8685eb22c26bb399c3
-
memory/2312-139-0x0000000000000000-mapping.dmp
-
memory/3028-132-0x0000000074EC0000-0x0000000075471000-memory.dmpFilesize
5.7MB
-
memory/3028-133-0x0000000074EC0000-0x0000000075471000-memory.dmpFilesize
5.7MB
-
memory/3028-138-0x0000000074EC0000-0x0000000075471000-memory.dmpFilesize
5.7MB
-
memory/4984-134-0x0000000000000000-mapping.dmp
-
memory/4984-137-0x0000000074EC0000-0x0000000075471000-memory.dmpFilesize
5.7MB
-
memory/4984-140-0x0000000074EC0000-0x0000000075471000-memory.dmpFilesize
5.7MB