Analysis
-
max time kernel
151s -
max time network
189s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
25-11-2022 21:10
General
-
Target
62c4df631a57d58d85da1ec220c415e0837882624455c8665dcf03b596d3aed4.exe
-
Size
29KB
-
MD5
b293c34c4df6b7567124976285d46765
-
SHA1
0d582233200777ddef915fc6247f3b80e96c83e2
-
SHA256
62c4df631a57d58d85da1ec220c415e0837882624455c8665dcf03b596d3aed4
-
SHA512
72f8903ee970b55332341a264097a4542fafd7ca59d82f4ad1f2ef15cd8010c469b2458aa59652b25a464f470cb1d713c2047e95c7d33a3dfc5394d3b0a693b4
-
SSDEEP
384:gx8EBl7Bvgk4Xe0exn5RhVNaemqDq9xrefTGBsbh0w4wlAokw9OhgOL1vYRGOZzu:gN7Kk4XePlFzsq+xre6BKh0p29SgRJo
Malware Config
Extracted
njrat
0.6.4
HacKed
kamaly.myq-see.com:1177
36d7a02fbca41f608c4baf27f6374668
-
reg_key
36d7a02fbca41f608c4baf27f6374668
-
splitter
|'|'|
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Executes dropped EXE 1 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\62c4df631a57d58d85da1ec220c415e0837882624455c8665dcf03b596d3aed4.exe"C:\Users\Admin\AppData\Local\Temp\62c4df631a57d58d85da1ec220c415e0837882624455c8665dcf03b596d3aed4.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\firefox.exe"C:\Users\Admin\AppData\Roaming\firefox.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\firefox.exe" "firefox.exe" ENABLE3⤵
- Modifies Windows Firewall
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
29KB
MD5b293c34c4df6b7567124976285d46765
SHA10d582233200777ddef915fc6247f3b80e96c83e2
SHA25662c4df631a57d58d85da1ec220c415e0837882624455c8665dcf03b596d3aed4
SHA51272f8903ee970b55332341a264097a4542fafd7ca59d82f4ad1f2ef15cd8010c469b2458aa59652b25a464f470cb1d713c2047e95c7d33a3dfc5394d3b0a693b4
-
Filesize
29KB
MD5b293c34c4df6b7567124976285d46765
SHA10d582233200777ddef915fc6247f3b80e96c83e2
SHA25662c4df631a57d58d85da1ec220c415e0837882624455c8665dcf03b596d3aed4
SHA51272f8903ee970b55332341a264097a4542fafd7ca59d82f4ad1f2ef15cd8010c469b2458aa59652b25a464f470cb1d713c2047e95c7d33a3dfc5394d3b0a693b4
-
Filesize
29KB
MD5b293c34c4df6b7567124976285d46765
SHA10d582233200777ddef915fc6247f3b80e96c83e2
SHA25662c4df631a57d58d85da1ec220c415e0837882624455c8665dcf03b596d3aed4
SHA51272f8903ee970b55332341a264097a4542fafd7ca59d82f4ad1f2ef15cd8010c469b2458aa59652b25a464f470cb1d713c2047e95c7d33a3dfc5394d3b0a693b4
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
8KB
-
Filesize
5.7MB