Overview

overview

10

Static

static

3

78dc792c0a...68.exe

windows7-x64

3

78dc792c0a...68.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-06-2023 12:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    78dc792c0a29bf15cdea3b97ff30b8c9741f14f4cac60ef302694addc919d268.exe

  • Size

    5KB

  • MD5

    a3ec2027f8d685fb7d65e879f7a1fb3c

  • SHA1

    de8b092a6c5344ecaa58f32f26470dc1f6816de6

  • SHA256

    78dc792c0a29bf15cdea3b97ff30b8c9741f14f4cac60ef302694addc919d268

  • SHA512

    0d1bfdf84b9ed23013d39ae2e7b98dcbc29eaf49e6efb6a7cf43087c4a5e714b0a2fad1013eacbd067a8347bfdd1df3908649b2eaa2b7ec57fddf1024959e4b2

  • SSDEEP

    48:61aZr5mf/241GpgU2tHBLEO11SNMzf+Gc+aMa9iMs+t4q34V/q54tM0lXiH/IFCH:rcgB2fLL+GrcTu5VLlK7zNt

Score
10/10
njratvictimevasionpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

<- NjRAT 0.7d Horror Edition ->

Botnet

Victim

C2

mYs7erY-22338.portmap.host:22338

Mutex

6286f06a10ca5fcb83180126dff9c67f

Attributes
  • reg_key

    6286f06a10ca5fcb83180126dff9c67f

  • splitter

    Y262SUCZ4UJJ

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Downloads MZ/PE file
  • Stops running service(s) 3 TTPs
    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 39 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\78dc792c0a29bf15cdea3b97ff30b8c9741f14f4cac60ef302694addc919d268.exe
    "C:\Users\Admin\AppData\Local\Temp\78dc792c0a29bf15cdea3b97ff30b8c9741f14f4cac60ef302694addc919d268.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3724
    • C:\Users\Admin\AppData\Local\Temp\wr55pjzl.3hl.bat
      "C:\Users\Admin\AppData\Local\Temp\wr55pjzl.3hl.bat"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4316
      • C:\Users\Admin\AppData\Roaming\dllhost.exe
        "C:\Users\Admin\AppData\Roaming\dllhost.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3492
        • C:\Windows\SYSTEM32\attrib.exe
          attrib +h "C:\Users\Admin\AppData\Roaming\dllhost.exe"
          4⤵
          • Views/modifies file attributes
          PID:60
        • C:\Windows\SYSTEM32\cmd.exe
          cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1964
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell Set-MpPreference -DisableRealtimeMonitoring $true
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2204
        • C:\Windows\SYSTEM32\cmd.exe
          cmd /c sc query windefend
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4492
          • C:\Windows\system32\sc.exe
            sc query windefend
            5⤵
            • Launches sc.exe
            PID:808
        • C:\Windows\SYSTEM32\cmd.exe
          cmd /c sc stop windefend
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4088
          • C:\Windows\system32\sc.exe
            sc stop windefend
            5⤵
            • Launches sc.exe
            PID:392
        • C:\Windows\SYSTEM32\cmd.exe
          cmd /c sc delete windefend
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2248
          • C:\Windows\system32\sc.exe
            sc delete windefend
            5⤵
            • Launches sc.exe
            PID:2176
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn CleanSweepCheck /f
          4⤵
            PID:1536
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /create /sc minute /mo 1 /tn CleanSweepCheck /tr C:\Users\Admin\AppData\Roaming\dllhost.exe
            4⤵
            • Creates scheduled task(s)
            PID:4360
    • C:\Users\Admin\AppData\Roaming\dllhost.exe
      C:\Users\Admin\AppData\Roaming\dllhost.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2816
    • C:\Users\Admin\AppData\Roaming\dllhost.exe
      C:\Users\Admin\AppData\Roaming\dllhost.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2484
    • C:\Users\Admin\AppData\Roaming\dllhost.exe
      C:\Users\Admin\AppData\Roaming\dllhost.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1212

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Scheduled Task

    1
    T1053

    Hidden Files and Directories

    1
    T1158

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Impair Defenses

    1
    T1562

    Modify Registry

    1
    T1112

    Hidden Files and Directories

    1
    T1158

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Service Stop

    1
    T1489

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\dllhost.exe.log
      Filesize

      319B

      MD5

      26ca4897aad21f536806c5e7925976e7

      SHA1

      f072e5b6bfd7ce28dbb16f162d9a4e05690fcbd8

      SHA256

      1c5b33fb22baaa5f9f1400e86f650aa4694387cdfa4835d3f60bebf203a491fd

      SHA512

      0f16a7f7fb34550bd91f042b2005cdc4233ca3e4be650abb832ff2f253358d7aa5fde1de4e1d9fc9e6cf971f1ed343ae6b575988083d9c4e3c6af96bdfb5d5a1

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1ywlezh1.ibc.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\wr55pjzl.3hl.bat
      Filesize

      32KB

      MD5

      22b6825f2e779a6a3b679dfdedc71f00

      SHA1

      06ec4fd5e1d5931070ec9404903abced2747124f

      SHA256

      daaf688745f8e4157d0c8f3850ef10f93ff09c11e2dad11f274bbe5bcbdb2bbc

      SHA512

      1b4288b7f1f4537c37ef7500c7057528d490e8b0f384ba32b76e57aed3e5e98501b19c77713bfb68481dcd7f98808a900dce93e4f62ff465741b117ad21c60b4

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\wr55pjzl.3hl.bat
      Filesize

      32KB

      MD5

      22b6825f2e779a6a3b679dfdedc71f00

      SHA1

      06ec4fd5e1d5931070ec9404903abced2747124f

      SHA256

      daaf688745f8e4157d0c8f3850ef10f93ff09c11e2dad11f274bbe5bcbdb2bbc

      SHA512

      1b4288b7f1f4537c37ef7500c7057528d490e8b0f384ba32b76e57aed3e5e98501b19c77713bfb68481dcd7f98808a900dce93e4f62ff465741b117ad21c60b4

      Download Submit
    • C:\Users\Admin\AppData\Roaming\dllhost.exe
      Filesize

      32KB

      MD5

      22b6825f2e779a6a3b679dfdedc71f00

      SHA1

      06ec4fd5e1d5931070ec9404903abced2747124f

      SHA256

      daaf688745f8e4157d0c8f3850ef10f93ff09c11e2dad11f274bbe5bcbdb2bbc

      SHA512

      1b4288b7f1f4537c37ef7500c7057528d490e8b0f384ba32b76e57aed3e5e98501b19c77713bfb68481dcd7f98808a900dce93e4f62ff465741b117ad21c60b4

      Download Submit
    • C:\Users\Admin\AppData\Roaming\dllhost.exe
      Filesize

      32KB

      MD5

      22b6825f2e779a6a3b679dfdedc71f00

      SHA1

      06ec4fd5e1d5931070ec9404903abced2747124f

      SHA256

      daaf688745f8e4157d0c8f3850ef10f93ff09c11e2dad11f274bbe5bcbdb2bbc

      SHA512

      1b4288b7f1f4537c37ef7500c7057528d490e8b0f384ba32b76e57aed3e5e98501b19c77713bfb68481dcd7f98808a900dce93e4f62ff465741b117ad21c60b4

      Download Submit
    • C:\Users\Admin\AppData\Roaming\dllhost.exe
      Filesize

      32KB

      MD5

      22b6825f2e779a6a3b679dfdedc71f00

      SHA1

      06ec4fd5e1d5931070ec9404903abced2747124f

      SHA256

      daaf688745f8e4157d0c8f3850ef10f93ff09c11e2dad11f274bbe5bcbdb2bbc

      SHA512

      1b4288b7f1f4537c37ef7500c7057528d490e8b0f384ba32b76e57aed3e5e98501b19c77713bfb68481dcd7f98808a900dce93e4f62ff465741b117ad21c60b4

      Download Submit
    • C:\Users\Admin\AppData\Roaming\dllhost.exe
      Filesize

      32KB

      MD5

      22b6825f2e779a6a3b679dfdedc71f00

      SHA1

      06ec4fd5e1d5931070ec9404903abced2747124f

      SHA256

      daaf688745f8e4157d0c8f3850ef10f93ff09c11e2dad11f274bbe5bcbdb2bbc

      SHA512

      1b4288b7f1f4537c37ef7500c7057528d490e8b0f384ba32b76e57aed3e5e98501b19c77713bfb68481dcd7f98808a900dce93e4f62ff465741b117ad21c60b4

      Download Submit
    • C:\Users\Admin\AppData\Roaming\dllhost.exe
      Filesize

      32KB

      MD5

      22b6825f2e779a6a3b679dfdedc71f00

      SHA1

      06ec4fd5e1d5931070ec9404903abced2747124f

      SHA256

      daaf688745f8e4157d0c8f3850ef10f93ff09c11e2dad11f274bbe5bcbdb2bbc

      SHA512

      1b4288b7f1f4537c37ef7500c7057528d490e8b0f384ba32b76e57aed3e5e98501b19c77713bfb68481dcd7f98808a900dce93e4f62ff465741b117ad21c60b4

      Download Submit
    • C:\Users\Admin\AppData\Roaming\dllhost.exe
      Filesize

      32KB

      MD5

      22b6825f2e779a6a3b679dfdedc71f00

      SHA1

      06ec4fd5e1d5931070ec9404903abced2747124f

      SHA256

      daaf688745f8e4157d0c8f3850ef10f93ff09c11e2dad11f274bbe5bcbdb2bbc

      SHA512

      1b4288b7f1f4537c37ef7500c7057528d490e8b0f384ba32b76e57aed3e5e98501b19c77713bfb68481dcd7f98808a900dce93e4f62ff465741b117ad21c60b4

      Download Submit
    • memory/1212-186-0x00000000011C0000-0x00000000011D4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1212-187-0x00000000013C0000-0x00000000013D0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2204-168-0x0000019A36CB0000-0x0000019A36CC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2204-166-0x0000019A1E700000-0x0000019A1E722000-memory.dmp
      Filesize

      136KB

      Download
    • memory/2204-167-0x0000019A36CB0000-0x0000019A36CC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2484-183-0x00000000010E0000-0x00000000010F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2484-184-0x000000001B430000-0x000000001B444000-memory.dmp
      Filesize

      80KB

      Download
    • memory/2816-178-0x0000000001760000-0x0000000001770000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2816-177-0x0000000001410000-0x0000000001424000-memory.dmp
      Filesize

      80KB

      Download
    • memory/3492-155-0x0000000000EE0000-0x0000000000EF4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/3492-173-0x000000001BC50000-0x000000001BC58000-memory.dmp
      Filesize

      32KB

      Download
    • memory/3492-174-0x0000000000F30000-0x0000000000F40000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3492-175-0x0000000000F30000-0x0000000000F40000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3492-156-0x0000000000F30000-0x0000000000F40000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3492-172-0x000000001C4F0000-0x000000001C58C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/3492-180-0x0000000000F30000-0x0000000000F40000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3724-133-0x0000000000EE0000-0x0000000000EE8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/3724-134-0x00000000058B0000-0x00000000058C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4316-145-0x0000000000D20000-0x0000000000D30000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4316-144-0x000000001C030000-0x000000001C0D6000-memory.dmp
      Filesize

      664KB

      Download
    • memory/4316-143-0x0000000001080000-0x0000000001094000-memory.dmp
      Filesize

      80KB

      Download
    • memory/4316-142-0x000000001BA80000-0x000000001BF4E000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/4316-141-0x00000000007D0000-0x00000000007D8000-memory.dmp
      Filesize

      32KB

      Download