Overview

overview

10

Static

static

10

0e503cb953...02.exe

windows7-x64

10

0e503cb953...02.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    210s
  • max time network
    218s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-03-2023 16:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e503cb95361e59b9df503d31a2e8802.exe

  • Size

    26KB

  • MD5

    0e503cb95361e59b9df503d31a2e8802

  • SHA1

    1250284990eeb2290e19b6492a40be1a9e720e54

  • SHA256

    58ac2495135149fb207fbab60f7bde30aa9873650da20f2a00c03391106656fe

  • SHA512

    fbc969e45fbb9c9332ddff14cf453af4edd64810cd85c07b552fea7e59fe6c46ed19c6f59658acda129df329747f73ac053d687dc6262b4c00bcd14ee3b8ac1d

  • SSDEEP

    384:kLbe6lnw3m4Afp1UDMoCoP6udRNMpAQk93vmhm7UMKmIEecKdbXTzm9bVhcao631:ybeyBPqQpA/vMHTi9bD

Score
10/10
njrathackedpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

C2

study-silly.at.ply.gg:42876

Mutex

Windows

Attributes
  • reg_key

    Windows

  • splitter

    |-F-|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 5 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Views/modifies file attributes 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e503cb95361e59b9df503d31a2e8802.exe
    "C:\Users\Admin\AppData\Local\Temp\0e503cb95361e59b9df503d31a2e8802.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1440
    • C:\Windows\LocalShell.bat
      "C:\Windows\LocalShell.bat"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5008
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
        3⤵
        • Drops startup file
        • Views/modifies file attributes
        PID:4712
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
        3⤵
        • Views/modifies file attributes
        PID:736
    • C:\Windows\SysWOW64\attrib.exe
      attrib +h +r +s "C:\Windows\LocalShell.bat"
      2⤵
      • Drops file in Windows directory
      • Views/modifies file attributes
      PID:4788

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Hidden Files and Directories

1
T1158

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Hidden Files and Directories

1
T1158

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe
    Filesize

    26KB

    MD5

    0e503cb95361e59b9df503d31a2e8802

    SHA1

    1250284990eeb2290e19b6492a40be1a9e720e54

    SHA256

    58ac2495135149fb207fbab60f7bde30aa9873650da20f2a00c03391106656fe

    SHA512

    fbc969e45fbb9c9332ddff14cf453af4edd64810cd85c07b552fea7e59fe6c46ed19c6f59658acda129df329747f73ac053d687dc6262b4c00bcd14ee3b8ac1d

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
    Filesize

    1KB

    MD5

    5046027d76193c47eda704613363b0eb

    SHA1

    28c68cb8c0f41137f06c21de64edb17dfe932f66

    SHA256

    82c84773cea056f85ac4c36f99174a9f27d19cc1ff8cd01bd64b5c062a7a7150

    SHA512

    d996df4461ee3039b1344881fb606fb6f257f5b60b7d0c5917564ffc4dc80c0747f022195a12beb442d8da77aed44ec3c4e2016b7d8a791c821b0350c1d7c918

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
    Filesize

    1KB

    MD5

    c2029e31e25647730597ac950c8d6ae5

    SHA1

    02a4822c6621db10757690b91b31e489f372d462

    SHA256

    00cb0e919469efaf29695f0acac304bffc05b269c957f9baefb8e5dbddafef92

    SHA512

    10a57bd1f36a1c2d3e39a374f13e4e3ad26df448f24f5d1248e8bab267b8cb797fc03862e67fcfbcae5916b775b73be127b0e23cd8baeca3eb5850a9e7cc3121

    Download Submit
  • C:\Windows\LocalShell.bat
    Filesize

    26KB

    MD5

    0e503cb95361e59b9df503d31a2e8802

    SHA1

    1250284990eeb2290e19b6492a40be1a9e720e54

    SHA256

    58ac2495135149fb207fbab60f7bde30aa9873650da20f2a00c03391106656fe

    SHA512

    fbc969e45fbb9c9332ddff14cf453af4edd64810cd85c07b552fea7e59fe6c46ed19c6f59658acda129df329747f73ac053d687dc6262b4c00bcd14ee3b8ac1d

    Download Submit
  • C:\Windows\LocalShell.bat
    Filesize

    26KB

    MD5

    0e503cb95361e59b9df503d31a2e8802

    SHA1

    1250284990eeb2290e19b6492a40be1a9e720e54

    SHA256

    58ac2495135149fb207fbab60f7bde30aa9873650da20f2a00c03391106656fe

    SHA512

    fbc969e45fbb9c9332ddff14cf453af4edd64810cd85c07b552fea7e59fe6c46ed19c6f59658acda129df329747f73ac053d687dc6262b4c00bcd14ee3b8ac1d

    Download Submit
  • memory/1440-133-0x0000000001450000-0x0000000001460000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1440-134-0x0000000001450000-0x0000000001460000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5008-147-0x0000000001200000-0x0000000001210000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5008-148-0x0000000001200000-0x0000000001210000-memory.dmp
    Filesize

    64KB

    Download