Analysis
-
max time kernel
359s -
max time network
361s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
26-11-2022 08:42
General
-
Target
4f0c69afb14d1768b1c74555267239dbaebe00a48fd68c890f093444f4b6e41e.exe
-
Size
23KB
-
MD5
b14754884befd3597f7975b9d9a5bc5b
-
SHA1
4d437d94a9c5c5e2a52aedb004970d4872c995f3
-
SHA256
4f0c69afb14d1768b1c74555267239dbaebe00a48fd68c890f093444f4b6e41e
-
SHA512
2b0ca7e45382db30c850f4cc84964979d6709a1cb86f4e2353b50721d49fcc93975c0bd7168dea2eab424a1d73a60a2b0b03eb1e17644447b41c4c8925398a78
-
SSDEEP
384:2weXCQIreJig/8Z7SS1fEBbng6ZgL2IBPZVmRvR6JZlbw8hqIusZzZrc:hLq411URpcnun
Malware Config
Extracted
njrat
0.7d
HacKed
abatata.ddns.net:5552
e7d031ada337226244d99c1bac494695
-
reg_key
e7d031ada337226244d99c1bac494695
-
splitter
|'|'|
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Executes dropped EXE 1 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4f0c69afb14d1768b1c74555267239dbaebe00a48fd68c890f093444f4b6e41e.exe"C:\Users\Admin\AppData\Local\Temp\4f0c69afb14d1768b1c74555267239dbaebe00a48fd68c890f093444f4b6e41e.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\server.exeFilesize
23KB
MD5b14754884befd3597f7975b9d9a5bc5b
SHA14d437d94a9c5c5e2a52aedb004970d4872c995f3
SHA2564f0c69afb14d1768b1c74555267239dbaebe00a48fd68c890f093444f4b6e41e
SHA5122b0ca7e45382db30c850f4cc84964979d6709a1cb86f4e2353b50721d49fcc93975c0bd7168dea2eab424a1d73a60a2b0b03eb1e17644447b41c4c8925398a78
-
C:\Users\Admin\AppData\Local\Temp\server.exeFilesize
23KB
MD5b14754884befd3597f7975b9d9a5bc5b
SHA14d437d94a9c5c5e2a52aedb004970d4872c995f3
SHA2564f0c69afb14d1768b1c74555267239dbaebe00a48fd68c890f093444f4b6e41e
SHA5122b0ca7e45382db30c850f4cc84964979d6709a1cb86f4e2353b50721d49fcc93975c0bd7168dea2eab424a1d73a60a2b0b03eb1e17644447b41c4c8925398a78
-
memory/1980-132-0x00000000749F0000-0x0000000074FA1000-memory.dmpFilesize
5.7MB
-
memory/1980-133-0x00000000749F0000-0x0000000074FA1000-memory.dmpFilesize
5.7MB
-
memory/1980-137-0x00000000749F0000-0x0000000074FA1000-memory.dmpFilesize
5.7MB
-
memory/2296-140-0x0000000000000000-mapping.dmp
-
memory/3748-134-0x0000000000000000-mapping.dmp
-
memory/3748-138-0x00000000749F0000-0x0000000074FA1000-memory.dmpFilesize
5.7MB
-
memory/3748-139-0x00000000749F0000-0x0000000074FA1000-memory.dmpFilesize
5.7MB