Overview

overview

10

Static

static

10

424f837c55...6e.exe

windows7-x64

10

424f837c55...6e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/03/2023, 01:01

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    424f837c55e7216646a63f6bbbbba766ed7521273ddfce6edad4b6335bf7a36e.exe

  • Size

    23KB

  • MD5

    043e344c6cc9477cbcfc0a483b1ca568

  • SHA1

    52c4391b1a91c828823107cdf2db92e7142073d6

  • SHA256

    424f837c55e7216646a63f6bbbbba766ed7521273ddfce6edad4b6335bf7a36e

  • SHA512

    a705ac4259f754bea7ee73397fd1e1fc131c7d74065048020f520f63120ff1fee1355b6abfea645fd1b4d4aef8ab6da6ab0ad10346854d93463672e72ff032a5

  • SSDEEP

    384:LMK6b2GZsx/Yr1+liORH1kcPFQ6Lg9gSOYRr9mRvR6JZlbw8hqIusZzZWe:Eb9glF51LRpcnuq

Score
10/10
njratplug-inevasionpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

plug-in

C2

0.tcp.ap.ngrok.io:10881

Mutex

6ca646ee7571a205268803e929e9d247

Attributes
  • reg_key

    6ca646ee7571a205268803e929e9d247

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\424f837c55e7216646a63f6bbbbba766ed7521273ddfce6edad4b6335bf7a36e.exe
    "C:\Users\Admin\AppData\Local\Temp\424f837c55e7216646a63f6bbbbba766ed7521273ddfce6edad4b6335bf7a36e.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:3516
    • C:\Windows\svchost.exe
      "C:\Windows\svchost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4764
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Windows\svchost.exe" "svchost.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:4748

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\svchost.exe
          Filesize

          23KB

          MD5

          043e344c6cc9477cbcfc0a483b1ca568

          SHA1

          52c4391b1a91c828823107cdf2db92e7142073d6

          SHA256

          424f837c55e7216646a63f6bbbbba766ed7521273ddfce6edad4b6335bf7a36e

          SHA512

          a705ac4259f754bea7ee73397fd1e1fc131c7d74065048020f520f63120ff1fee1355b6abfea645fd1b4d4aef8ab6da6ab0ad10346854d93463672e72ff032a5

          Download Submit

        • C:\Windows\svchost.exe
          Filesize

          23KB

          MD5

          043e344c6cc9477cbcfc0a483b1ca568

          SHA1

          52c4391b1a91c828823107cdf2db92e7142073d6

          SHA256

          424f837c55e7216646a63f6bbbbba766ed7521273ddfce6edad4b6335bf7a36e

          SHA512

          a705ac4259f754bea7ee73397fd1e1fc131c7d74065048020f520f63120ff1fee1355b6abfea645fd1b4d4aef8ab6da6ab0ad10346854d93463672e72ff032a5

          Download Submit

        • C:\Windows\svchost.exe
          Filesize

          23KB

          MD5

          043e344c6cc9477cbcfc0a483b1ca568

          SHA1

          52c4391b1a91c828823107cdf2db92e7142073d6

          SHA256

          424f837c55e7216646a63f6bbbbba766ed7521273ddfce6edad4b6335bf7a36e

          SHA512

          a705ac4259f754bea7ee73397fd1e1fc131c7d74065048020f520f63120ff1fee1355b6abfea645fd1b4d4aef8ab6da6ab0ad10346854d93463672e72ff032a5

          Download Submit

        • memory/3516-133-0x0000000001300000-0x0000000001310000-memory.dmp

          Filesize

          64KB

          Download