Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2022 13:23

General

  • Target

    2f0e0aeb71609514832d6e80783518eb0efedaf52fe6abdc9f47270e91b6a33f.exe

  • Size

    710KB

  • MD5

    1d1f0520530466ef7dfb1b7bfef3e589

  • SHA1

    41dc772cd170d40279ad7347837bf7a6ec2d3ee2

  • SHA256

    2f0e0aeb71609514832d6e80783518eb0efedaf52fe6abdc9f47270e91b6a33f

  • SHA512

    88ed865d725e6c436fd80a77f8bfcf108a77095f078c0b8f711b8de0782dacaecb5c727729d5e927b4433517516ef5c33927e2f11505931de49d59afe4dad840

  • SSDEEP

    12288:oH7Wcjdc/r2sxxiPGGAOOPSXDV8ClgVYhX5FSsf8QuP2rX:obCj2sObHtqQ4Qu+z

Score
10/10

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Bot

C2

smuktnet.ddns.net:5552

Mutex

d5bf5ee18952025404f8d39dc09f66a5

Attributes
  • reg_key

    d5bf5ee18952025404f8d39dc09f66a5

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2f0e0aeb71609514832d6e80783518eb0efedaf52fe6abdc9f47270e91b6a33f.exe
    "C:\Users\Admin\AppData\Local\Temp\2f0e0aeb71609514832d6e80783518eb0efedaf52fe6abdc9f47270e91b6a33f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1316
    • \??\c:\windows\microsoft.net\framework\v2.0.50727\regasm.exe
      "c:\windows\microsoft.net\framework\v2.0.50727\regasm.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3344
      • C:\Users\Admin\AppData\Local\Temp\windows.exe
        "C:\Users\Admin\AppData\Local\Temp\windows.exe"
        3⤵
        • Executes dropped EXE
        PID:2608

Network

MITRE ATT&CK Matrix ATT&CK v6

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\windows.exe
    Filesize

    52KB

    MD5

    a64daca3cfbcd039df3ec29d3eddd001

    SHA1

    eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

    SHA256

    403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

    SHA512

    b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

  • C:\Users\Admin\AppData\Local\Temp\windows.exe
    Filesize

    52KB

    MD5

    a64daca3cfbcd039df3ec29d3eddd001

    SHA1

    eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

    SHA256

    403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

    SHA512

    b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

  • memory/2608-135-0x0000000000000000-mapping.dmp
  • memory/2608-139-0x0000000074EC0000-0x0000000075471000-memory.dmp
    Filesize

    5.7MB

  • memory/3344-132-0x0000000000000000-mapping.dmp
  • memory/3344-133-0x0000000000400000-0x000000000040C000-memory.dmp
    Filesize

    48KB

  • memory/3344-134-0x0000000074EC0000-0x0000000075471000-memory.dmp
    Filesize

    5.7MB

  • memory/3344-137-0x0000000074EC0000-0x0000000075471000-memory.dmp
    Filesize

    5.7MB