Analysis
-
max time kernel
149s -
max time network
170s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
30-11-2022 19:20
General
-
Target
7c0e2d228042abd250597fc95a5b2979cd72d93293bfbe29bb1de6d17fd145b1.exe
-
Size
182KB
-
MD5
3f813aba1631a7a5ce2697b9929e459b
-
SHA1
6f866d5eb7b4e36a4c2854d2a16e70f2560791a2
-
SHA256
7c0e2d228042abd250597fc95a5b2979cd72d93293bfbe29bb1de6d17fd145b1
-
SHA512
46940c020a61d7bbe2455df6ecd5d5f112fd2ef476413c7d79223353b1d0b239223a7155956f5ae452d3285bc5ced6e8117c9c6334d6586a1b373ecb57d5c3b7
-
SSDEEP
3072:7hE1Mmq7x1+iNlp9EqxNZ32GhNvj43sJ/gTQcevUAKen:7i1MT7hp9E+J2GhNXBXMo
Malware Config
Extracted
njrat
v2.0
HacKedNJ
anunankis1.duckdns.org:1515
Windows
-
reg_key
Windows
-
splitter
|-F-|
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Drops startup file 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7c0e2d228042abd250597fc95a5b2979cd72d93293bfbe29bb1de6d17fd145b1.exe"C:\Users\Admin\AppData\Local\Temp\7c0e2d228042abd250597fc95a5b2979cd72d93293bfbe29bb1de6d17fd145b1.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7c0e2d228042abd250597fc95a5b2979cd72d93293bfbe29bb1de6d17fd145b1.exe"C:\Users\Admin\AppData\Local\Temp\7c0e2d228042abd250597fc95a5b2979cd72d93293bfbe29bb1de6d17fd145b1.exe"2⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 10283⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\7c0e2d228042abd250597fc95a5b2979cd72d93293bfbe29bb1de6d17fd145b1.exe.logFilesize
128B
MD5a5dcc7c9c08af7dddd82be5b036a4416
SHA14f998ca1526d199e355ffb435bae111a2779b994
SHA256e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5
SHA51256035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a
-
memory/1968-139-0x0000000000000000-mapping.dmp
-
memory/2132-133-0x0000000000000000-mapping.dmp
-
memory/2132-134-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/2132-137-0x0000000074C70000-0x0000000075221000-memory.dmpFilesize
5.7MB
-
memory/2132-138-0x0000000074C70000-0x0000000075221000-memory.dmpFilesize
5.7MB
-
memory/2132-140-0x0000000074C70000-0x0000000075221000-memory.dmpFilesize
5.7MB
-
memory/4020-132-0x0000000074C70000-0x0000000075221000-memory.dmpFilesize
5.7MB
-
memory/4020-136-0x0000000074C70000-0x0000000075221000-memory.dmpFilesize
5.7MB