Overview

overview

10

Static

static

1

902097F4EC...0B.exe

windows7-x64

10

902097F4EC...0B.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    14-03-2023 06:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    902097F4EC380243ED8F72D31297F81C9E99495A66D0B.exe

  • Size

    726KB

  • MD5

    72c37e7b272b24d47d59d7b269e7a56e

  • SHA1

    b3d9fbc7bd64ead22b08429a6222f172ea288a88

  • SHA256

    902097f4ec380243ed8f72d31297f81c9e99495a66d0bfb550fcdc753b7590c4

  • SHA512

    0c0592b3aaceaf4df444bfaad8c356ac02b894df62c3acd5579a2e94d8dd41b314358c888ecc459139e137688df27d48e4632f92987129fc8dc1f4ac7f3e360e

  • SSDEEP

    12288:PToPWBv/cpGrU3ywnmKUxBxOC+kye9SI4zJEeG5KI2YtWyBAV:PTbBv5rUXmKoaC+fzGemKI2qc

Score
10/10
neshtanjrathackedevasionpersistencespywarestealertrojanupx

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

Ni50Y3AuZXUubmdyb2suaW8Strik:MTA3MTI=

Mutex

9dd06b690cd90c449e471e22f62d779d

Attributes
  • reg_key

    9dd06b690cd90c449e471e22f62d779d

  • splitter

    |'|'|

Signatures

  • Detect Neshta payload 10 IoCs
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 11 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\902097F4EC380243ED8F72D31297F81C9E99495A66D0B.exe
    "C:\Users\Admin\AppData\Local\Temp\902097F4EC380243ED8F72D31297F81C9E99495A66D0B.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1136
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\111.bat" "
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1100
      • C:\Users\Admin\AppData\Local\Temp\Desktop.exe
        Desktop.exe -p112233
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:268
        • C:\Users\Admin\AppData\Local\Temp\Server.exe
          "C:\Users\Admin\AppData\Local\Temp\Server.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Modifies system executable filetype association
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:1828
          • C:\Users\Admin\AppData\Local\Temp\3582-490\Server.exe
            "C:\Users\Admin\AppData\Local\Temp\3582-490\Server.exe"
            5⤵
            • Drops startup file
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of WriteProcessMemory
            PID:340
            • C:\Windows\SysWOW64\netsh.exe
              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\3582-490\Server.exe" "Server.exe" ENABLE
              6⤵
              • Modifies Windows Firewall
              PID:600
        • C:\Users\Admin\AppData\Local\Temp\Trojan.exe
          "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          PID:1444
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
      PID:1524

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Winlogon Helper DLL

    1
    T1004

    Modify Existing Service

    1
    T1031

    Change Default File Association

    1
    T1042

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\111.bat
      Filesize

      37B

      MD5

      994e9a9fe5fa30692b87870dd13fc44e

      SHA1

      d7ddee92720ae22f292be010fb05e59084a0c7d0

      SHA256

      ead19bebff360ad750f7615c93d16d191b6ea841db1280e1063dbf1c37143462

      SHA512

      20d61c201e72d385db988debb023a03ed245dc75c9df019e8928dcfe6a1e052a4b837a50e9da62af802c82259dae1d28a9f2ffec23e344f9a648b0dc9da07e71

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\111.bat
      Filesize

      37B

      MD5

      994e9a9fe5fa30692b87870dd13fc44e

      SHA1

      d7ddee92720ae22f292be010fb05e59084a0c7d0

      SHA256

      ead19bebff360ad750f7615c93d16d191b6ea841db1280e1063dbf1c37143462

      SHA512

      20d61c201e72d385db988debb023a03ed245dc75c9df019e8928dcfe6a1e052a4b837a50e9da62af802c82259dae1d28a9f2ffec23e344f9a648b0dc9da07e71

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\3582-490\Server.exe
      Filesize

      93KB

      MD5

      35211dce668b1a3f17aa7ff35d002954

      SHA1

      a0a67c344cae646e02aa152bc1f3ae50066ebe57

      SHA256

      60064d93898e8228a90d538e44610b43c44a67d523feacb55691735853541d3a

      SHA512

      9ca5cdf8c52b9dc12fa02ae37893d2271dd6605bb1a9df8481a2cb12ded1caf0139f045d6c9c90babc58cd6515deed436694c4a6ab899cbaa1fd5ada4d489c56

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\3582-490\Server.exe
      Filesize

      93KB

      MD5

      35211dce668b1a3f17aa7ff35d002954

      SHA1

      a0a67c344cae646e02aa152bc1f3ae50066ebe57

      SHA256

      60064d93898e8228a90d538e44610b43c44a67d523feacb55691735853541d3a

      SHA512

      9ca5cdf8c52b9dc12fa02ae37893d2271dd6605bb1a9df8481a2cb12ded1caf0139f045d6c9c90babc58cd6515deed436694c4a6ab899cbaa1fd5ada4d489c56

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\3582-490\Server.exe
      Filesize

      93KB

      MD5

      35211dce668b1a3f17aa7ff35d002954

      SHA1

      a0a67c344cae646e02aa152bc1f3ae50066ebe57

      SHA256

      60064d93898e8228a90d538e44610b43c44a67d523feacb55691735853541d3a

      SHA512

      9ca5cdf8c52b9dc12fa02ae37893d2271dd6605bb1a9df8481a2cb12ded1caf0139f045d6c9c90babc58cd6515deed436694c4a6ab899cbaa1fd5ada4d489c56

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Desktop.exe
      Filesize

      530KB

      MD5

      070ffb07fcc3bfacf5d10c1167c04ebd

      SHA1

      06409f442c336b7ff8f5f89d10dc004834e2b58d

      SHA256

      2a9ae2ae3629bebaa441c6cf63c34ed1a0c515bbcbf0051cc2d369d80d0656e4

      SHA512

      0f1cc0fd43ebd817632192b8265f1ec5d5bfa96833e239cb2f6475e371d09b72a8b971d0fecab81d96540ce1f11f0f0db8b5069ac335a09160383f8284380c6b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Desktop.exe
      Filesize

      530KB

      MD5

      070ffb07fcc3bfacf5d10c1167c04ebd

      SHA1

      06409f442c336b7ff8f5f89d10dc004834e2b58d

      SHA256

      2a9ae2ae3629bebaa441c6cf63c34ed1a0c515bbcbf0051cc2d369d80d0656e4

      SHA512

      0f1cc0fd43ebd817632192b8265f1ec5d5bfa96833e239cb2f6475e371d09b72a8b971d0fecab81d96540ce1f11f0f0db8b5069ac335a09160383f8284380c6b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      Filesize

      133KB

      MD5

      44affd0d82f9b8ef809053dba991a14a

      SHA1

      e63398e4b374ffc20a0d3fea78dac657bd49f6de

      SHA256

      d05edda2b7c085bbed3d5be4ba7b0dc00e807dfdcdcb67a30c9e24f96fed857b

      SHA512

      703a8da05add8c126f1b95808226021d572156b3b5e1ef7f2da0414535ec40953cd3656f060faba40c62811aa2189d396e130bcfccc42bc9b116ff2e3d96d049

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      Filesize

      133KB

      MD5

      44affd0d82f9b8ef809053dba991a14a

      SHA1

      e63398e4b374ffc20a0d3fea78dac657bd49f6de

      SHA256

      d05edda2b7c085bbed3d5be4ba7b0dc00e807dfdcdcb67a30c9e24f96fed857b

      SHA512

      703a8da05add8c126f1b95808226021d572156b3b5e1ef7f2da0414535ec40953cd3656f060faba40c62811aa2189d396e130bcfccc42bc9b116ff2e3d96d049

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      Filesize

      133KB

      MD5

      44affd0d82f9b8ef809053dba991a14a

      SHA1

      e63398e4b374ffc20a0d3fea78dac657bd49f6de

      SHA256

      d05edda2b7c085bbed3d5be4ba7b0dc00e807dfdcdcb67a30c9e24f96fed857b

      SHA512

      703a8da05add8c126f1b95808226021d572156b3b5e1ef7f2da0414535ec40953cd3656f060faba40c62811aa2189d396e130bcfccc42bc9b116ff2e3d96d049

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Trojan.exe
      Filesize

      191KB

      MD5

      cbf03e76dd374d72d6c9ebaa91fa57fd

      SHA1

      cfdcdb57f2b8c94e8b444ad27060ed9361274047

      SHA256

      f65d32dd4fb43fc87d7ef442add87f058a52ff89702d76eae08d2c406a6fb554

      SHA512

      56e4fe29e1dd6fd48c2e17a72961a36cdf8b352c0c453fbeb5959368bacfa69fa2c5339c0a5d674973f82a0cb75470a44e3b1acce9afe92bd5a0c2ddce190062

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Trojan.exe
      Filesize

      191KB

      MD5

      cbf03e76dd374d72d6c9ebaa91fa57fd

      SHA1

      cfdcdb57f2b8c94e8b444ad27060ed9361274047

      SHA256

      f65d32dd4fb43fc87d7ef442add87f058a52ff89702d76eae08d2c406a6fb554

      SHA512

      56e4fe29e1dd6fd48c2e17a72961a36cdf8b352c0c453fbeb5959368bacfa69fa2c5339c0a5d674973f82a0cb75470a44e3b1acce9afe92bd5a0c2ddce190062

      Download Submit
    • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\MICROS~1.EXE
      Filesize

      93KB

      MD5

      35211dce668b1a3f17aa7ff35d002954

      SHA1

      a0a67c344cae646e02aa152bc1f3ae50066ebe57

      SHA256

      60064d93898e8228a90d538e44610b43c44a67d523feacb55691735853541d3a

      SHA512

      9ca5cdf8c52b9dc12fa02ae37893d2271dd6605bb1a9df8481a2cb12ded1caf0139f045d6c9c90babc58cd6515deed436694c4a6ab899cbaa1fd5ada4d489c56

      Download Submit
    • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
      Filesize

      252KB

      MD5

      9e2b9928c89a9d0da1d3e8f4bd96afa7

      SHA1

      ec66cda99f44b62470c6930e5afda061579cde35

      SHA256

      8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

      SHA512

      2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

      Download Submit
    • \Users\Admin\AppData\Local\Temp\3582-490\Server.exe
      Filesize

      93KB

      MD5

      35211dce668b1a3f17aa7ff35d002954

      SHA1

      a0a67c344cae646e02aa152bc1f3ae50066ebe57

      SHA256

      60064d93898e8228a90d538e44610b43c44a67d523feacb55691735853541d3a

      SHA512

      9ca5cdf8c52b9dc12fa02ae37893d2271dd6605bb1a9df8481a2cb12ded1caf0139f045d6c9c90babc58cd6515deed436694c4a6ab899cbaa1fd5ada4d489c56

      Download Submit
    • \Users\Admin\AppData\Local\Temp\3582-490\Server.exe
      Filesize

      93KB

      MD5

      35211dce668b1a3f17aa7ff35d002954

      SHA1

      a0a67c344cae646e02aa152bc1f3ae50066ebe57

      SHA256

      60064d93898e8228a90d538e44610b43c44a67d523feacb55691735853541d3a

      SHA512

      9ca5cdf8c52b9dc12fa02ae37893d2271dd6605bb1a9df8481a2cb12ded1caf0139f045d6c9c90babc58cd6515deed436694c4a6ab899cbaa1fd5ada4d489c56

      Download Submit
    • \Users\Admin\AppData\Local\Temp\Desktop.exe
      Filesize

      530KB

      MD5

      070ffb07fcc3bfacf5d10c1167c04ebd

      SHA1

      06409f442c336b7ff8f5f89d10dc004834e2b58d

      SHA256

      2a9ae2ae3629bebaa441c6cf63c34ed1a0c515bbcbf0051cc2d369d80d0656e4

      SHA512

      0f1cc0fd43ebd817632192b8265f1ec5d5bfa96833e239cb2f6475e371d09b72a8b971d0fecab81d96540ce1f11f0f0db8b5069ac335a09160383f8284380c6b

      Download Submit
    • \Users\Admin\AppData\Local\Temp\Server.exe
      Filesize

      133KB

      MD5

      44affd0d82f9b8ef809053dba991a14a

      SHA1

      e63398e4b374ffc20a0d3fea78dac657bd49f6de

      SHA256

      d05edda2b7c085bbed3d5be4ba7b0dc00e807dfdcdcb67a30c9e24f96fed857b

      SHA512

      703a8da05add8c126f1b95808226021d572156b3b5e1ef7f2da0414535ec40953cd3656f060faba40c62811aa2189d396e130bcfccc42bc9b116ff2e3d96d049

      Download Submit
    • \Users\Admin\AppData\Local\Temp\Server.exe
      Filesize

      133KB

      MD5

      44affd0d82f9b8ef809053dba991a14a

      SHA1

      e63398e4b374ffc20a0d3fea78dac657bd49f6de

      SHA256

      d05edda2b7c085bbed3d5be4ba7b0dc00e807dfdcdcb67a30c9e24f96fed857b

      SHA512

      703a8da05add8c126f1b95808226021d572156b3b5e1ef7f2da0414535ec40953cd3656f060faba40c62811aa2189d396e130bcfccc42bc9b116ff2e3d96d049

      Download Submit
    • \Users\Admin\AppData\Local\Temp\Server.exe
      Filesize

      133KB

      MD5

      44affd0d82f9b8ef809053dba991a14a

      SHA1

      e63398e4b374ffc20a0d3fea78dac657bd49f6de

      SHA256

      d05edda2b7c085bbed3d5be4ba7b0dc00e807dfdcdcb67a30c9e24f96fed857b

      SHA512

      703a8da05add8c126f1b95808226021d572156b3b5e1ef7f2da0414535ec40953cd3656f060faba40c62811aa2189d396e130bcfccc42bc9b116ff2e3d96d049

      Download Submit
    • \Users\Admin\AppData\Local\Temp\Server.exe
      Filesize

      133KB

      MD5

      44affd0d82f9b8ef809053dba991a14a

      SHA1

      e63398e4b374ffc20a0d3fea78dac657bd49f6de

      SHA256

      d05edda2b7c085bbed3d5be4ba7b0dc00e807dfdcdcb67a30c9e24f96fed857b

      SHA512

      703a8da05add8c126f1b95808226021d572156b3b5e1ef7f2da0414535ec40953cd3656f060faba40c62811aa2189d396e130bcfccc42bc9b116ff2e3d96d049

      Download Submit
    • \Users\Admin\AppData\Local\Temp\Trojan.exe
      Filesize

      191KB

      MD5

      cbf03e76dd374d72d6c9ebaa91fa57fd

      SHA1

      cfdcdb57f2b8c94e8b444ad27060ed9361274047

      SHA256

      f65d32dd4fb43fc87d7ef442add87f058a52ff89702d76eae08d2c406a6fb554

      SHA512

      56e4fe29e1dd6fd48c2e17a72961a36cdf8b352c0c453fbeb5959368bacfa69fa2c5339c0a5d674973f82a0cb75470a44e3b1acce9afe92bd5a0c2ddce190062

      Download Submit
    • \Users\Admin\AppData\Local\Temp\Trojan.exe
      Filesize

      191KB

      MD5

      cbf03e76dd374d72d6c9ebaa91fa57fd

      SHA1

      cfdcdb57f2b8c94e8b444ad27060ed9361274047

      SHA256

      f65d32dd4fb43fc87d7ef442add87f058a52ff89702d76eae08d2c406a6fb554

      SHA512

      56e4fe29e1dd6fd48c2e17a72961a36cdf8b352c0c453fbeb5959368bacfa69fa2c5339c0a5d674973f82a0cb75470a44e3b1acce9afe92bd5a0c2ddce190062

      Download Submit
    • \Users\Admin\AppData\Local\Temp\Trojan.exe
      Filesize

      191KB

      MD5

      cbf03e76dd374d72d6c9ebaa91fa57fd

      SHA1

      cfdcdb57f2b8c94e8b444ad27060ed9361274047

      SHA256

      f65d32dd4fb43fc87d7ef442add87f058a52ff89702d76eae08d2c406a6fb554

      SHA512

      56e4fe29e1dd6fd48c2e17a72961a36cdf8b352c0c453fbeb5959368bacfa69fa2c5339c0a5d674973f82a0cb75470a44e3b1acce9afe92bd5a0c2ddce190062

      Download Submit
    • memory/340-122-0x00000000002E0000-0x0000000000320000-memory.dmp
      Filesize

      256KB

      Download
    • memory/340-200-0x00000000002E0000-0x0000000000320000-memory.dmp
      Filesize

      256KB

      Download
    • memory/1444-121-0x0000000000230000-0x0000000000231000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1444-199-0x0000000000400000-0x0000000000480000-memory.dmp
      Filesize

      512KB

      Download
    • memory/1444-123-0x0000000000400000-0x0000000000480000-memory.dmp
      Filesize

      512KB

      Download
    • memory/1444-205-0x0000000000400000-0x0000000000480000-memory.dmp
      Filesize

      512KB

      Download
    • memory/1444-209-0x0000000000400000-0x0000000000480000-memory.dmp
      Filesize

      512KB

      Download
    • memory/1444-216-0x0000000000400000-0x0000000000480000-memory.dmp
      Filesize

      512KB

      Download
    • memory/1828-198-0x0000000000400000-0x000000000041B000-memory.dmp
      Filesize

      108KB

      Download
    • memory/1828-201-0x0000000000400000-0x000000000041B000-memory.dmp
      Filesize

      108KB

      Download
    • memory/1828-204-0x0000000000400000-0x000000000041B000-memory.dmp
      Filesize

      108KB

      Download