Overview

overview

10

Static

static

7

d02e88a87f...8c.exe

windows7-x64

10

d02e88a87f...8c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    30-11-2022 17:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d02e88a87f99105730981411b3dc00838ba8f93f7fee5d2294820e44d38ff28c.exe

  • Size

    240KB

  • MD5

    b30fee632f6b18eb2ff5a49a4e5d7883

  • SHA1

    550238b070088e906fa9ee2aa3477a1321498173

  • SHA256

    d02e88a87f99105730981411b3dc00838ba8f93f7fee5d2294820e44d38ff28c

  • SHA512

    28aae9d2412729144d757a489807cb8761abe5f0a93dd43ac3c41d6e03e8c5d67208feebcd421663fc794a26612e2554ed0f53ed583c45b1501e4e0748e8c826

  • SSDEEP

    6144:de95/jDSDls2IN4vuSACO9yux887vyYlPEAOlfJO2EgFTuUB5aW:deyvKz92xhETUx

Score
10/10
njrathackedagilenetevasionpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

127.0.0.1:5552

Mutex

279f6960ed84a752570aca7fb2dc1552

Attributes
  • reg_key

    279f6960ed84a752570aca7fb2dc1552

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d02e88a87f99105730981411b3dc00838ba8f93f7fee5d2294820e44d38ff28c.exe
    "C:\Users\Admin\AppData\Local\Temp\d02e88a87f99105730981411b3dc00838ba8f93f7fee5d2294820e44d38ff28c.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:1500
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\صورة.gif
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2016 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    Filesize

    23KB

    MD5

    b4ecb77429fd8fb0c2ad0b2e82b99a2a

    SHA1

    64c90eb7b4c8cf8585fee8950cf842a77546f561

    SHA256

    0be44ad34deda92d7ce2c7e0093c398606deec502327a9639cc7e574509677c0

    SHA512

    8333d34d6f9a3cce4fc6c265c5b2ed08839a4f3533b0fdb7fb46e735d64fc61278e226f1c5e67371b98f4b6fa48d33948dc3a04cd4bdee35d18fa4267bd455ce

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    Filesize

    23KB

    MD5

    b4ecb77429fd8fb0c2ad0b2e82b99a2a

    SHA1

    64c90eb7b4c8cf8585fee8950cf842a77546f561

    SHA256

    0be44ad34deda92d7ce2c7e0093c398606deec502327a9639cc7e574509677c0

    SHA512

    8333d34d6f9a3cce4fc6c265c5b2ed08839a4f3533b0fdb7fb46e735d64fc61278e226f1c5e67371b98f4b6fa48d33948dc3a04cd4bdee35d18fa4267bd455ce

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\صورة.gif
    Filesize

    59KB

    MD5

    741c4e52b72bf081956f2bad797af2b3

    SHA1

    f21726792e66c1b171e03b06fd3f6dcd2195bc28

    SHA256

    ba15f81908ea9cced0d302abbd863f2762dc000d192adcc2532a634c37a0570c

    SHA512

    48525d79274e84bdde118de182775624fcf6ea34b89dd612dfd990d5b4a5048d89f28daab8913afe42027423ed0616272f7ce5475c485318a3bfe05667a2a095

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9RRL1F63.txt
    Filesize

    535B

    MD5

    5cbd2af1e84f66f1585732ab24b3045d

    SHA1

    2046860e66b7c4618559ace46bd3caf667b4a1a7

    SHA256

    a05c0b16fda4c0b702af2267d4888780fa47fe5a6364a08948ab86701b1072fc

    SHA512

    41f8058c598d44302a64dbd85b04ed7ca52fbabfeba49c2bbfd4a4be187d9ed86a77344c6a390551ee39939ec5cc50bdac6612ec35d726538a6eafe5ac18a4ff

    Download Submit
  • memory/1500-61-0x0000000000000000-mapping.dmp
    Download
  • memory/1724-54-0x0000000000250000-0x000000000025C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/2028-55-0x0000000000000000-mapping.dmp
    Download
  • memory/2028-58-0x0000000074B51000-0x0000000074B53000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2028-60-0x00000000742A0000-0x000000007484B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2028-63-0x00000000742A0000-0x000000007484B000-memory.dmp
    Filesize

    5.7MB

    Download