Overview

overview

10

Static

static

10

0e503cb953...02.exe

windows7-x64

10

0e503cb953...02.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    155s
  • max time network
    159s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    31-03-2023 16:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e503cb95361e59b9df503d31a2e8802.exe

  • Size

    26KB

  • MD5

    0e503cb95361e59b9df503d31a2e8802

  • SHA1

    1250284990eeb2290e19b6492a40be1a9e720e54

  • SHA256

    58ac2495135149fb207fbab60f7bde30aa9873650da20f2a00c03391106656fe

  • SHA512

    fbc969e45fbb9c9332ddff14cf453af4edd64810cd85c07b552fea7e59fe6c46ed19c6f59658acda129df329747f73ac053d687dc6262b4c00bcd14ee3b8ac1d

  • SSDEEP

    384:kLbe6lnw3m4Afp1UDMoCoP6udRNMpAQk93vmhm7UMKmIEecKdbXTzm9bVhcao631:ybeyBPqQpA/vMHTi9bD

Score
10/10
njrathackedpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

C2

study-silly.at.ply.gg:42876

Mutex

Windows

Attributes
  • reg_key

    Windows

  • splitter

    |-F-|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Drops startup file 5 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Views/modifies file attributes 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e503cb95361e59b9df503d31a2e8802.exe
    "C:\Users\Admin\AppData\Local\Temp\0e503cb95361e59b9df503d31a2e8802.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1052
    • C:\Windows\LocalShell.bat
      "C:\Windows\LocalShell.bat"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1096
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
        3⤵
        • Drops startup file
        • Views/modifies file attributes
        PID:1516
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
        3⤵
        • Views/modifies file attributes
        PID:1624
    • C:\Windows\SysWOW64\attrib.exe
      attrib +h +r +s "C:\Windows\LocalShell.bat"
      2⤵
      • Drops file in Windows directory
      • Views/modifies file attributes
      PID:868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Hidden Files and Directories

1
T1158

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Hidden Files and Directories

1
T1158

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe
    Filesize

    26KB

    MD5

    0e503cb95361e59b9df503d31a2e8802

    SHA1

    1250284990eeb2290e19b6492a40be1a9e720e54

    SHA256

    58ac2495135149fb207fbab60f7bde30aa9873650da20f2a00c03391106656fe

    SHA512

    fbc969e45fbb9c9332ddff14cf453af4edd64810cd85c07b552fea7e59fe6c46ed19c6f59658acda129df329747f73ac053d687dc6262b4c00bcd14ee3b8ac1d

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
    Filesize

    1KB

    MD5

    e65fcfde9b3bc26df7fea040f0443e77

    SHA1

    35f95a818bdd8833d75aeb0ee69aba096e5c4f37

    SHA256

    ea08f2a8c553a9d395c1602e82f51327aaa75bda04ae15b9205336b6e0666141

    SHA512

    a0f8ac5beaf4df5a14f504873cafcdde0c5a22bbe7ef33ee578872898b240d264386be272b4482cb07467179c4e41c7127530f433df5061d9057a3e15b6390ba

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
    Filesize

    1022B

    MD5

    ad77ced9f9000247debeb317a030a77a

    SHA1

    c3b1d64ce26eda5493d09021743a6d578059f6ce

    SHA256

    2dcd4b2a82dd20058495d1e74dc37cf2b78d511405e2b00deb7b2871a6d1e879

    SHA512

    88b51a01e08587a9a5320baf7ce28275de788fadf923761545d02e4ba37db730d889b7fc1bda17da984508cff415fdb245c83f4318671378ef318a3a1fd048ee

    Download Submit
  • C:\Windows\LocalShell.bat
    Filesize

    26KB

    MD5

    0e503cb95361e59b9df503d31a2e8802

    SHA1

    1250284990eeb2290e19b6492a40be1a9e720e54

    SHA256

    58ac2495135149fb207fbab60f7bde30aa9873650da20f2a00c03391106656fe

    SHA512

    fbc969e45fbb9c9332ddff14cf453af4edd64810cd85c07b552fea7e59fe6c46ed19c6f59658acda129df329747f73ac053d687dc6262b4c00bcd14ee3b8ac1d

    Download Submit
  • C:\Windows\LocalShell.bat
    Filesize

    26KB

    MD5

    0e503cb95361e59b9df503d31a2e8802

    SHA1

    1250284990eeb2290e19b6492a40be1a9e720e54

    SHA256

    58ac2495135149fb207fbab60f7bde30aa9873650da20f2a00c03391106656fe

    SHA512

    fbc969e45fbb9c9332ddff14cf453af4edd64810cd85c07b552fea7e59fe6c46ed19c6f59658acda129df329747f73ac053d687dc6262b4c00bcd14ee3b8ac1d

    Download Submit
  • C:\Windows\LocalShell.bat
    Filesize

    26KB

    MD5

    0e503cb95361e59b9df503d31a2e8802

    SHA1

    1250284990eeb2290e19b6492a40be1a9e720e54

    SHA256

    58ac2495135149fb207fbab60f7bde30aa9873650da20f2a00c03391106656fe

    SHA512

    fbc969e45fbb9c9332ddff14cf453af4edd64810cd85c07b552fea7e59fe6c46ed19c6f59658acda129df329747f73ac053d687dc6262b4c00bcd14ee3b8ac1d

    Download Submit
  • memory/1052-56-0x0000000000400000-0x0000000000440000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1052-57-0x0000000000400000-0x0000000000440000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1096-70-0x0000000001FD0000-0x0000000002010000-memory.dmp
    Filesize

    256KB

    Download