Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-05-2023 17:07
Behavioral task: behavioral1
Sample: bMJj.exe
Resource: win7-20230220-en
General
Target: bMJj.exe
Size: 78KB
MD5: d6b907a131586513531e26f54e424ef1
SHA1: dbd94a49ebcf17acf7aa27b0e7e37db8161d3fae
SHA256: 1edd9675ca9e84553106201aae3a98bdb2fd2ff8e6039af4478fe5af4fbfd995
SHA512: 0af91f99df2b9453a19051f988d1683d3eff52aa471dc206766e55139f06ae894a2df9b418977808a5a62196da423efea07add75bcba9ba6fe8a5c83eca704ff
SSDEEP: 1536:h5B+r0dODplS5wpOk3JCK6pFoO/d6fOpd/9nEh9TG6JgR:YQwpOk5CK6gO/9ES6Jg
Malware Config
Extracted:
- njrat
- 0.7.3
- Lime
- ax4.duckdns.org:9966
- Client.exe
- reg_key: Client.exe
- splitter: 16426337
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  bMJj.exe: Key value queried \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (1 IoC)
  Processes:
  pid 3896: Client.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes (all pid 3896, Client.exe):
  Token: SeDebugPrivilege, followed by alternating Token: 33 and Token: SeIncBasePriorityPrivilege entries (35 IoCs in total)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  PID 3532 (bMJj.exe) wrote to memory of 3896 (Client.exe), recorded three times
Processes
- C:\Users\Admin\AppData\Local\Temp\bMJj.exe "C:\Users\Admin\AppData\Local\Temp\bMJj.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - child process: C:\Users\Admin\AppData\Roaming\Client.exe "C:\Users\Admin\AppData\Roaming\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Client.exe
  Filesize: 78KB
  MD5: d6b907a131586513531e26f54e424ef1
  SHA1: dbd94a49ebcf17acf7aa27b0e7e37db8161d3fae
  SHA256: 1edd9675ca9e84553106201aae3a98bdb2fd2ff8e6039af4478fe5af4fbfd995
  SHA512: 0af91f99df2b9453a19051f988d1683d3eff52aa471dc206766e55139f06ae894a2df9b418977808a5a62196da423efea07add75bcba9ba6fe8a5c83eca704ff
- memory/3532-133-0x0000000000780000-0x0000000000790000-memory.dmp, Filesize: 64KB
- memory/3896-143-0x00000000015E0000-0x00000000015F0000-memory.dmp, Filesize: 64KB
- memory/3896-144-0x00000000015E0000-0x00000000015F0000-memory.dmp, Filesize: 64KB
- memory/3896-145-0x00000000015E0000-0x00000000015F0000-memory.dmp, Filesize: 64KB