Analysis
-
max time kernel
64s -
max time network
83s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
-
submitted
06-02-2023 16:39
General
-
Target
https://anonfiles.com/z5a70dWbye/Titanic_Executor_zip
Malware Config
Extracted
njrat
v4.0
HacKed
carolina-electro.at.ply.gg:23401
Windows
-
reg_key
Windows
-
splitter
|-F-|
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Drops startup file 4 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Drops file in Windows directory 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 37 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://anonfiles.com/z5a70dWbye/Titanic_Executor_zip1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1524 CREDAT:82945 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Titanic Executor.zip\Titanic Executor\Titanic.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_Titanic Executor.zip\Titanic Executor\Titanic.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"2⤵
- Drops startup file
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"2⤵
- Views/modifies file attributes
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751Filesize
717B
MD5ec8ff3b1ded0246437b1472c69dd1811
SHA1d813e874c2524e3a7da6c466c67854ad16800326
SHA256e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab
SHA512e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\83C70E8C88F4EDFCC5A1D8BB501E4F5FFilesize
503B
MD525d33dae751cbd07365603e16286611f
SHA1ad58f8b465b89966be060cd2a8535f5ce0489900
SHA25693a323259ec08332b80ea989e17eba54d9c5c38e854e2818a1bf465a456cff08
SHA5124e6b2e08d0ff35b313d56cb823b883a64df757592fdfe36a11ddf6c457fa36e81a32e5ba437e600275edf5a5d95acc6e16cf7849a86a3ddfe93b16ba500750cd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751Filesize
192B
MD5ad5a7a4923a2e4c0276e9be46fa0748a
SHA1d143a6462d8a08bd5497af9d79c6c1e359301aa8
SHA25623ce85523b2723201e290ed8bc4213eedec3d2902be872547c88d35a7c3834d8
SHA512f36b430cb0c444710dd238ad15ebc4d3b2b03b1795cb9e589d3ee5abb26adb5cabd6cc10cf266fd78317e4847bf84266210f491c707e34c91e0d4bebe4c45148
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\83C70E8C88F4EDFCC5A1D8BB501E4F5FFilesize
548B
MD5032a89d5d83d509f82132f513dbbb5e4
SHA16557e0d5ac8fa2a5a5496f5566ff67ceb08ffd3b
SHA256b3116a33df25d0317060f52087bb583c58aab1c63c52e425d43d5314a753a655
SHA5125d529d96c935203f594b6d5444c8caa1f99cde1bf589978c103a826afbd4b347e8bad25fe2d36d34eb4a0fbaff4ee96b0caf528a32487f621ca85d1405df7cb3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\O7WIOQDD.cookieFilesize
177B
MD5960e1cdfc075bd3b98cdd370e65bb467
SHA1a80b9e1116444ed143751d873e60f77333b75856
SHA25652c3e604c7004950385bb82fe76fdfd76903320a4e4d8f5aee130164d45594ef
SHA5126edfa6f27f23ce8293f7661f8a7d72c9046a93286a9d2d355b9e6033e2dfc4a042e31bda8a15fb455d70897d53a68c55469ffc3459f633e2c67fbcb5ea83275b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exeFilesize
291KB
MD58ee412a279732071df143f6dfcd8dea6
SHA1d8735c2f51f07e757418d27502538e53e3ac27db
SHA2569360faf46563cf7d32ef5aa31b6a8d3576542a228e715f1cd3e0bef3d035ece3
SHA512abb2d077682a73dd8c0d688804b9877d8496296e96b0a4c185993ce93a3c7b94f8bcc023625bb38410ef328d6df592a0e5a52992fb957efa6d214e8b829df370
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnkFilesize
1KB
MD55683a7a8fcaac04b8b42597584bed87d
SHA147107a8e4d2d7a669d0eba2650190009b09c16ec
SHA256cead8ed139fc8bffa18f4ab48f1c84875fae4e50e7bac632268b0eaadbc603a9
SHA512ee5ea6e46cde07da96ac8d1ec84d0a4aec733e14d21258e015fe1da7a8c7ed002dbd59b1793185b0d7a2c5590f6395e48af87f6543b9db8323793f599d4ced3a
-
C:\Users\Admin\Downloads\Titanic Executor.zip.agid3go.partialFilesize
1.3MB
MD5918d9674933083e7348bf79a8d575fee
SHA192f4d9257ea2f6a6fa5f643462b3918c7e8191e9
SHA2563fd118e603452a889b51b00e1f135ea21bd596a1e21c2265ed79660314322ae2
SHA512185700f891cf8785c2a9ecfadf755d73465cb305291b5b84883757872c20239a44ec126511413a38149d1585c43aa6f00064f0002f66dd752bcad9ed001190db
-
memory/2644-179-0x0000000000000000-mapping.dmp
-
memory/2644-190-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/2644-182-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/2644-186-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/2644-188-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/2644-184-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/3116-178-0x0000000000000000-mapping.dmp
-
memory/3116-180-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/3116-189-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/3116-181-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/3116-187-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/3116-185-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-153-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-162-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-135-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-136-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-137-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-138-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-139-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-140-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-141-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-142-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-143-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-144-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-145-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-147-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-146-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-148-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-149-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-150-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-151-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-152-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-133-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-154-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-155-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-156-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-157-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-158-0x0000000000F90000-0x0000000000FE0000-memory.dmpFilesize
320KB
-
memory/4204-159-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-160-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-161-0x00000000058E0000-0x000000000597C000-memory.dmpFilesize
624KB
-
memory/4204-134-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-163-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-165-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-164-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-166-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-168-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-167-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-169-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-170-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-171-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-172-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-173-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-174-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-132-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-131-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-130-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-129-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-128-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-175-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-176-0x0000000006590000-0x0000000006A8E000-memory.dmpFilesize
5.0MB
-
memory/4204-177-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-183-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-127-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-126-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-125-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-124-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-193-0x0000000006130000-0x00000000061C2000-memory.dmpFilesize
584KB
-
memory/4204-123-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB
-
memory/4204-204-0x00000000060C0000-0x00000000060CA000-memory.dmpFilesize
40KB
-
memory/4204-212-0x0000000006300000-0x0000000006366000-memory.dmpFilesize
408KB
-
memory/4204-122-0x0000000077290000-0x000000007741E000-memory.dmpFilesize
1.6MB