Overview

overview

10

Static

static

10

1196190fd6...9b.exe

windows7-x64

10

1196190fd6...9b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    26/11/2022, 23:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1196190fd68b5e363107ec9f6bdb5a3859b6cd315f72392d64db552ead0fb89b.exe

  • Size

    29KB

  • MD5

    29866996e016e6f2f3c9cc814807b3a8

  • SHA1

    606306bae6a956be85c37a9ea22b2475abedb149

  • SHA256

    1196190fd68b5e363107ec9f6bdb5a3859b6cd315f72392d64db552ead0fb89b

  • SHA512

    fd8c1d8b27952a26e34495ccc7da8be885405cd9caf69ba3be1ee5725325cc76869b3f33d47df593c99cb1dd0cfc5793907194b222a24138d9010de1b057c4f8

  • SSDEEP

    384:Ios5l7l7EMrof6oyh75NxrimmqDWD4IePUGBsbh0w4wlAokw9OhgOL1vYRGOZzdL:07GMroyn5prsq04IePBKh0p29SgRZ/

Score
10/10
njrathackedevasionpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

youssef-el.no-ip.org:5553

Mutex

23556fb1360f366337f97c924e76ead3

Attributes
  • reg_key

    23556fb1360f366337f97c924e76ead3

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1196190fd68b5e363107ec9f6bdb5a3859b6cd315f72392d64db552ead0fb89b.exe
    "C:\Users\Admin\AppData\Local\Temp\1196190fd68b5e363107ec9f6bdb5a3859b6cd315f72392d64db552ead0fb89b.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1788
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1628
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:1536

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\svchost.exe
    Filesize

    29KB

    MD5

    29866996e016e6f2f3c9cc814807b3a8

    SHA1

    606306bae6a956be85c37a9ea22b2475abedb149

    SHA256

    1196190fd68b5e363107ec9f6bdb5a3859b6cd315f72392d64db552ead0fb89b

    SHA512

    fd8c1d8b27952a26e34495ccc7da8be885405cd9caf69ba3be1ee5725325cc76869b3f33d47df593c99cb1dd0cfc5793907194b222a24138d9010de1b057c4f8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\svchost.exe
    Filesize

    29KB

    MD5

    29866996e016e6f2f3c9cc814807b3a8

    SHA1

    606306bae6a956be85c37a9ea22b2475abedb149

    SHA256

    1196190fd68b5e363107ec9f6bdb5a3859b6cd315f72392d64db552ead0fb89b

    SHA512

    fd8c1d8b27952a26e34495ccc7da8be885405cd9caf69ba3be1ee5725325cc76869b3f33d47df593c99cb1dd0cfc5793907194b222a24138d9010de1b057c4f8

    Download Submit

  • \Users\Admin\AppData\Roaming\svchost.exe
    Filesize

    29KB

    MD5

    29866996e016e6f2f3c9cc814807b3a8

    SHA1

    606306bae6a956be85c37a9ea22b2475abedb149

    SHA256

    1196190fd68b5e363107ec9f6bdb5a3859b6cd315f72392d64db552ead0fb89b

    SHA512

    fd8c1d8b27952a26e34495ccc7da8be885405cd9caf69ba3be1ee5725325cc76869b3f33d47df593c99cb1dd0cfc5793907194b222a24138d9010de1b057c4f8

    Download Submit

  • memory/1628-62-0x00000000748F0000-0x0000000074E9B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1628-64-0x00000000748F0000-0x0000000074E9B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1788-54-0x00000000761F1000-0x00000000761F3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1788-60-0x00000000748F0000-0x0000000074E9B000-memory.dmp

    Filesize

    5.7MB

    Download