Overview

overview

10

Static

static

10

706fd9eb22...02.exe

windows7-x64

10

706fd9eb22...02.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-03-2023 13:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    706fd9eb22adac23c973248375c50a02.exe

  • Size

    27KB

  • MD5

    706fd9eb22adac23c973248375c50a02

  • SHA1

    a2eb4719961cebca7a1e0ede2397c7e11e91a068

  • SHA256

    3d8b2bc3fdba588bad1e6ee74050de7a31e386088636bbedf72f2285d3dc819f

  • SHA512

    1e513b057abcebd61a5c808f026afeb16119172d8cde4e04a6d79997baa295c941a8594d0c39f1817117bbb94dba9c36f5a4bd81e123ab9fd0527bd6fadc42bf

  • SSDEEP

    384:hLOlYHHeIYTzJRcbg8iEPrthZMVAQk93vmhm7UMKmIEecKdbXTzm9bVhca66Zr6s:B2ZxJm8VA/vMHTi9bD

Score
10/10
njrathackedpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

C2

bob541882.e2.luyouxia.net:20192

Mutex

Windows

Attributes
  • reg_key

    Windows

  • splitter

    |-F-|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\706fd9eb22adac23c973248375c50a02.exe
    "C:\Users\Admin\AppData\Local\Temp\706fd9eb22adac23c973248375c50a02.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:632
    • C:\Users\Admin\AppData\Roaming\360.exe
      "C:\Users\Admin\AppData\Roaming\360.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:3580
    • C:\Windows\SysWOW64\attrib.exe
      attrib +h +r +s "C:\Users\Admin\AppData\Roaming\360.exe"
      2⤵
      • Views/modifies file attributes
      PID:1872

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Hidden Files and Directories

1
T1158

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Hidden Files and Directories

1
T1158

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\360.exe
    Filesize

    27KB

    MD5

    706fd9eb22adac23c973248375c50a02

    SHA1

    a2eb4719961cebca7a1e0ede2397c7e11e91a068

    SHA256

    3d8b2bc3fdba588bad1e6ee74050de7a31e386088636bbedf72f2285d3dc819f

    SHA512

    1e513b057abcebd61a5c808f026afeb16119172d8cde4e04a6d79997baa295c941a8594d0c39f1817117bbb94dba9c36f5a4bd81e123ab9fd0527bd6fadc42bf

    Download Submit
  • C:\Users\Admin\AppData\Roaming\360.exe
    Filesize

    27KB

    MD5

    706fd9eb22adac23c973248375c50a02

    SHA1

    a2eb4719961cebca7a1e0ede2397c7e11e91a068

    SHA256

    3d8b2bc3fdba588bad1e6ee74050de7a31e386088636bbedf72f2285d3dc819f

    SHA512

    1e513b057abcebd61a5c808f026afeb16119172d8cde4e04a6d79997baa295c941a8594d0c39f1817117bbb94dba9c36f5a4bd81e123ab9fd0527bd6fadc42bf

    Download Submit
  • C:\Users\Admin\AppData\Roaming\360.exe
    Filesize

    27KB

    MD5

    706fd9eb22adac23c973248375c50a02

    SHA1

    a2eb4719961cebca7a1e0ede2397c7e11e91a068

    SHA256

    3d8b2bc3fdba588bad1e6ee74050de7a31e386088636bbedf72f2285d3dc819f

    SHA512

    1e513b057abcebd61a5c808f026afeb16119172d8cde4e04a6d79997baa295c941a8594d0c39f1817117bbb94dba9c36f5a4bd81e123ab9fd0527bd6fadc42bf

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
    Filesize

    1KB

    MD5

    78ae7480e93fe3c32ae353941737dbaa

    SHA1

    0735d4addb35f31cd4b17b83d3c97c4242542fa5

    SHA256

    f2991de24991c95528f1fe370b4c4ab9feda7cb7f715dd53199524d343983e80

    SHA512

    f8824bfe2648c9b30a582b0ae15b909b971ca908a34f1f4d1377bb2c472c15b691b2ed9e44b5f173097e0c049447602a2bef1f121d636da8b02e0d2370dd8aa8

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
    Filesize

    1KB

    MD5

    5874d9f697c098614594ee1e941a9cf6

    SHA1

    dde965d64e459034618d501656cd95d6cc826d8e

    SHA256

    5ef31f2c5ef281421a392392c28fd08d9f5039d38b4183b905ac14ff421b7f86

    SHA512

    2e769f9b9f6a310efe10f2708521372b0783c0504b247b0da448c4e86c7e809a30aa614d9270b34a4c889f0fcf429e4eabe973e61b9b0987258b15127af9a719

    Download Submit
  • memory/632-133-0x0000000000EF0000-0x0000000000F00000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3580-145-0x0000000001170000-0x0000000001180000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3580-151-0x0000000001170000-0x0000000001180000-memory.dmp
    Filesize

    64KB

    Download