Analysis

  • max time kernel
    151s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2022 08:42

General

  • Target

    f02c84e2280759e7a2a5e707582611e1ea7b28597ebdfc39b0cb23363d00b09e.exe

  • Size

    23KB

  • MD5

    20919f85bf91c4683bd92871ecb89d2e

  • SHA1

    f03ca16c1e9cc3ee54ae874d05e3c69d36e978f3

  • SHA256

    f02c84e2280759e7a2a5e707582611e1ea7b28597ebdfc39b0cb23363d00b09e

  • SHA512

    bd167942f2a05a5ff8985ed3ae09723982ba60457e75cd8309bca6b9a736836baf3ed36378bebd1ced36988e1809334aa2c86b057bf10a8f6ec7dc953223d0dc

  • SSDEEP

    384:bluBPiZCMfdfSJrQbsLRGSIxYVL46pg/i8BD9BmRvR6JZlbw8hqIusZzZlkU:kOmhtIiRpcnuo

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

ms-punisher.no.-ip.org:5552

Mutex

b891e7c3d69da1f506442cc213b2a72b

Attributes
  • reg_key

    b891e7c3d69da1f506442cc213b2a72b

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f02c84e2280759e7a2a5e707582611e1ea7b28597ebdfc39b0cb23363d00b09e.exe
    "C:\Users\Admin\AppData\Local\Temp\f02c84e2280759e7a2a5e707582611e1ea7b28597ebdfc39b0cb23363d00b09e.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2472
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4904
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:1484

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\server.exe

    Filesize

    23KB

    MD5

    20919f85bf91c4683bd92871ecb89d2e

    SHA1

    f03ca16c1e9cc3ee54ae874d05e3c69d36e978f3

    SHA256

    f02c84e2280759e7a2a5e707582611e1ea7b28597ebdfc39b0cb23363d00b09e

    SHA512

    bd167942f2a05a5ff8985ed3ae09723982ba60457e75cd8309bca6b9a736836baf3ed36378bebd1ced36988e1809334aa2c86b057bf10a8f6ec7dc953223d0dc

  • C:\Users\Admin\AppData\Local\Temp\server.exe

    Filesize

    23KB

    MD5

    20919f85bf91c4683bd92871ecb89d2e

    SHA1

    f03ca16c1e9cc3ee54ae874d05e3c69d36e978f3

    SHA256

    f02c84e2280759e7a2a5e707582611e1ea7b28597ebdfc39b0cb23363d00b09e

    SHA512

    bd167942f2a05a5ff8985ed3ae09723982ba60457e75cd8309bca6b9a736836baf3ed36378bebd1ced36988e1809334aa2c86b057bf10a8f6ec7dc953223d0dc

  • memory/1484-139-0x0000000000000000-mapping.dmp

  • memory/2472-132-0x0000000074E90000-0x0000000075441000-memory.dmp

    Filesize

    5.7MB

  • memory/2472-133-0x0000000074E90000-0x0000000075441000-memory.dmp

    Filesize

    5.7MB

  • memory/2472-138-0x0000000074E90000-0x0000000075441000-memory.dmp

    Filesize

    5.7MB

  • memory/4904-134-0x0000000000000000-mapping.dmp

  • memory/4904-137-0x0000000074E90000-0x0000000075441000-memory.dmp

    Filesize

    5.7MB

  • memory/4904-140-0x0000000074E90000-0x0000000075441000-memory.dmp

    Filesize

    5.7MB