Analysis
-
max time kernel
150s -
max time network
51s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
26/11/2022, 02:15
General
-
Target
0d743c8de37fd9de973d2af81810435861c220725491215eaa75b368f116d8db.exe
-
Size
29KB
-
MD5
b45d75d086dbb65e165d71cd9cd618fb
-
SHA1
f3574c9a378dc415be784a09b9426207ed551365
-
SHA256
0d743c8de37fd9de973d2af81810435861c220725491215eaa75b368f116d8db
-
SHA512
831a247480de5302174771bb6b80d6bdbba8e65a2371a1856f1ce49d6220ee4076958a2590b3825c174c6d1e29debcfdb5275b1a2adc09c01c3dc1ca66627f84
-
SSDEEP
384:aPqvANl7TxTD+VF2dbofPauxnaIuN15708COmqDk9jeHqGBsbh0w4wlAokw9OhgP:Ru75oa4fuTC8cqojeVBKh0p29SgRyu
Malware Config
Extracted
njrat
0.6.4
HacKed
nazeerkira99.no-ip.biz:1177
f9be75c5023d5e25b0bbaa6b68899d2b
-
reg_key
f9be75c5023d5e25b0bbaa6b68899d2b
-
splitter
|'|'|
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Executes dropped EXE 1 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Drops startup file 2 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d743c8de37fd9de973d2af81810435861c220725491215eaa75b368f116d8db.exe"C:\Users\Admin\AppData\Local\Temp\0d743c8de37fd9de973d2af81810435861c220725491215eaa75b368f116d8db.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\firefox.exe"C:\Users\Admin\AppData\Local\Temp\firefox.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\firefox.exe" "firefox.exe" ENABLE3⤵
- Modifies Windows Firewall
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
29KB
MD5b45d75d086dbb65e165d71cd9cd618fb
SHA1f3574c9a378dc415be784a09b9426207ed551365
SHA2560d743c8de37fd9de973d2af81810435861c220725491215eaa75b368f116d8db
SHA512831a247480de5302174771bb6b80d6bdbba8e65a2371a1856f1ce49d6220ee4076958a2590b3825c174c6d1e29debcfdb5275b1a2adc09c01c3dc1ca66627f84
-
Filesize
29KB
MD5b45d75d086dbb65e165d71cd9cd618fb
SHA1f3574c9a378dc415be784a09b9426207ed551365
SHA2560d743c8de37fd9de973d2af81810435861c220725491215eaa75b368f116d8db
SHA512831a247480de5302174771bb6b80d6bdbba8e65a2371a1856f1ce49d6220ee4076958a2590b3825c174c6d1e29debcfdb5275b1a2adc09c01c3dc1ca66627f84
-
Filesize
29KB
MD5b45d75d086dbb65e165d71cd9cd618fb
SHA1f3574c9a378dc415be784a09b9426207ed551365
SHA2560d743c8de37fd9de973d2af81810435861c220725491215eaa75b368f116d8db
SHA512831a247480de5302174771bb6b80d6bdbba8e65a2371a1856f1ce49d6220ee4076958a2590b3825c174c6d1e29debcfdb5275b1a2adc09c01c3dc1ca66627f84
-
Filesize
8KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB