Overview

overview

10

Static

static

10

Server.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    06-02-2023 18:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Server.exe

  • Size

    37KB

  • MD5

    77a061d54196511fb985ad08f61b4681

  • SHA1

    e783b16bf42144aac4acf441fce87415e0dca275

  • SHA256

    02175550330b76de111ae886a542242298c5b50b26f5d49a520fbe1481e52aab

  • SHA512

    0292ebd71c561c6ad5ed841ba63e85b4606fd8c612eeb6d925a4e66933da19b3241569c3ce21b6451cf7eced02b0dea8e6893b2511ed041fdaf141052d9c3086

  • SSDEEP

    384:calayyaik9hkdTnNiybYT81PRsc4jWj7rAF+rMRTyN/0L+EcoinblneHQM3epzX6:NgyCxNxbYT81y1WHrM+rMRa8Nu4Bt

Score
10/10
njrathackedevasiontrojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

considered-arrest.at.ply.gg:19159

Mutex

8b1b4ed3028d60637b47ebe2ea5ce8d7

Attributes
  • reg_key

    8b1b4ed3028d60637b47ebe2ea5ce8d7

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Disables Task Manager via registry modification
    evasion
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2740
    • C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
      "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4196
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" "Runtime Broker.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:3480
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9381.tmp.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4764
        • C:\Windows\SysWOW64\reg.exe
          REG add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          4⤵
          • Modifies registry key
          PID:940
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4372
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\1601268389\3877292338.pri
    Filesize

    162KB

    MD5

    0d02b03a068d671348931cc20c048422

    SHA1

    67b6deacf1303acfcbab0b158157fdc03a02c8d5

    SHA256

    44f4263d65889ea8f0db3c6e31a956a4664e9200aba2612c9be7016feeb323c0

    SHA512

    805e7b4fafed39dec5ecc2ede0c65b6e103e6757e0bd43ecdce7c00932f59e3e7a68d2ea0818244dfeb691b022c1ccca590a3f4239f99e1cd8a29ba66daed358

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\4183903823\810424605.pri
    Filesize

    2KB

    MD5

    a2942665b12ed000cd2ac95adef8e0cc

    SHA1

    ac194f8d30f659131d1c73af8d44e81eccab7fde

    SHA256

    bdc5de6c42c523a333c26160d212c62385b03f5ebdae5aa8c5d025ff3f8aa374

    SHA512

    4e5ba962ba97656974c390b45302d60f4c82d604feb6199d44e80497a40d0b0a9fd119ca17ac184809ca0821ab6813292892c433ed7277f65c275f37a96070b9

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp9381.tmp.bat
    Filesize

    109B

    MD5

    c8e1c290640046814ab4e6fd65eb372b

    SHA1

    ca18c9fb819873e0f60b978708bc50a47f81a0ae

    SHA256

    cb7f932b08cebf30383abbf8fdd4b2c47cbeb31f4876827bc24b0e0b4acdea53

    SHA512

    12a2f980af8b1a1c65f05d05dd8129281f1135d143cf0ab904a7ab09775532aafa48f9ed395de134c3fb4a621dee71ccf709af931806609905ecc2e51ec4d994

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
    Filesize

    37KB

    MD5

    77a061d54196511fb985ad08f61b4681

    SHA1

    e783b16bf42144aac4acf441fce87415e0dca275

    SHA256

    02175550330b76de111ae886a542242298c5b50b26f5d49a520fbe1481e52aab

    SHA512

    0292ebd71c561c6ad5ed841ba63e85b4606fd8c612eeb6d925a4e66933da19b3241569c3ce21b6451cf7eced02b0dea8e6893b2511ed041fdaf141052d9c3086

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
    Filesize

    37KB

    MD5

    77a061d54196511fb985ad08f61b4681

    SHA1

    e783b16bf42144aac4acf441fce87415e0dca275

    SHA256

    02175550330b76de111ae886a542242298c5b50b26f5d49a520fbe1481e52aab

    SHA512

    0292ebd71c561c6ad5ed841ba63e85b4606fd8c612eeb6d925a4e66933da19b3241569c3ce21b6451cf7eced02b0dea8e6893b2511ed041fdaf141052d9c3086

    Download Submit
  • memory/940-477-0x0000000000000000-mapping.dmp
    Download
  • memory/2740-154-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-127-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-124-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-156-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-126-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-157-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-128-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-129-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-130-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-131-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-132-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-133-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-134-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-135-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-136-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-137-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-138-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-139-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-140-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-141-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-142-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-143-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-144-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-145-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-146-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-147-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-148-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-149-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-150-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-152-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-151-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-153-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-116-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-155-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-125-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-158-0x0000000073330000-0x00000000738E0000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2740-123-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-159-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-160-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-161-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-162-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-163-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-164-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-165-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-166-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-167-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-168-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-169-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-170-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-117-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-118-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-122-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-119-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-120-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-121-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2740-177-0x0000000073330000-0x00000000738E0000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/3480-220-0x0000000000000000-mapping.dmp
    Download
  • memory/4196-183-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4196-179-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4196-212-0x0000000073330000-0x00000000738E0000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/4196-176-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4196-178-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4196-184-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4196-181-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4196-180-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4196-175-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4196-174-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4196-425-0x0000000073330000-0x00000000738E0000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/4196-171-0x0000000000000000-mapping.dmp
    Download
  • memory/4196-173-0x0000000076FB0000-0x000000007713E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4764-463-0x0000000000000000-mapping.dmp
    Download