Overview

overview

10

Static

static

7c0e2d2280...b1.exe

windows7-x64

10

7c0e2d2280...b1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    45s
  • max time network
    51s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    30-11-2022 19:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7c0e2d228042abd250597fc95a5b2979cd72d93293bfbe29bb1de6d17fd145b1.exe

  • Size

    182KB

  • MD5

    3f813aba1631a7a5ce2697b9929e459b

  • SHA1

    6f866d5eb7b4e36a4c2854d2a16e70f2560791a2

  • SHA256

    7c0e2d228042abd250597fc95a5b2979cd72d93293bfbe29bb1de6d17fd145b1

  • SHA512

    46940c020a61d7bbe2455df6ecd5d5f112fd2ef476413c7d79223353b1d0b239223a7155956f5ae452d3285bc5ced6e8117c9c6334d6586a1b373ecb57d5c3b7

  • SSDEEP

    3072:7hE1Mmq7x1+iNlp9EqxNZ32GhNvj43sJ/gTQcevUAKen:7i1MT7hp9E+J2GhNXBXMo

Score
10/10
njrathackednjtrojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

HacKedNJ

C2

anunankis1.duckdns.org:1515

Mutex

Windows

Attributes
  • reg_key

    Windows

  • splitter

    |-F-|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7c0e2d228042abd250597fc95a5b2979cd72d93293bfbe29bb1de6d17fd145b1.exe
    "C:\Users\Admin\AppData\Local\Temp\7c0e2d228042abd250597fc95a5b2979cd72d93293bfbe29bb1de6d17fd145b1.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1308
    • C:\Users\Admin\AppData\Local\Temp\7c0e2d228042abd250597fc95a5b2979cd72d93293bfbe29bb1de6d17fd145b1.exe
      "C:\Users\Admin\AppData\Local\Temp\7c0e2d228042abd250597fc95a5b2979cd72d93293bfbe29bb1de6d17fd145b1.exe"
      2⤵
      • Drops startup file
      • Suspicious use of WriteProcessMemory
      PID:1220
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        dw20.exe -x -s 740
        3⤵
          PID:1764

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1220-62-0x00000000004083AE-mapping.dmp
      Download
    • memory/1220-65-0x0000000000400000-0x000000000040E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/1220-56-0x0000000000400000-0x000000000040E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/1220-57-0x0000000000400000-0x000000000040E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/1220-59-0x0000000000400000-0x000000000040E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/1220-60-0x0000000000400000-0x000000000040E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/1220-72-0x0000000074110000-0x00000000746BB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1220-69-0x0000000074110000-0x00000000746BB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1220-67-0x0000000000400000-0x000000000040E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/1220-61-0x0000000000400000-0x000000000040E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/1308-64-0x0000000074180000-0x000000007472B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1308-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1308-55-0x0000000074180000-0x000000007472B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1764-70-0x0000000000000000-mapping.dmp
      Download