Analysis

  • max time kernel
    210s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20230621-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/06/2023, 21:30 UTC

General

  • Target

    drweb.exe

  • Size

    151KB

  • MD5

    db5fa6ff80870f8041e0b31b00c43575

  • SHA1

    aa22dd900a62ce990080bd848567ba8239c397dc

  • SHA256

    59b5e11f75751ce321671ed65883c1d67cf4736bb07f43000215afd3a2def406

  • SHA512

    92bc1cfe2319055e93e8aa3ba647ffcdc4a1baea166871a9b8b09a0400273b719eed169f031a47166f9383d0022459f6d99229eddd7779f02768d70cfa10a0f7

  • SSDEEP

    3072:0Oj3YL2p+yJgNAjVd1nut+uV2mTVDjFwkWl176jZ1hCagdgvPW:L3YLfOVdRQ/vqkg1gEagdgH

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

127.0.0.1:5552

Mutex

08022291fe871213f172041da3b6ef33

Attributes
  • reg_key

    08022291fe871213f172041da3b6ef33

  • splitter

    |'|'|
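Added example, not part of this report or of the sample: a decoder for njRAT-style C2 frames that uses the splitter and botnet name recovered above. Public njRAT write-ups describe the wire format as an ASCII decimal length, a NUL byte, then the payload, with payload fields separated by the configured splitter. The check-in message below is constructed for the example; its field layout after the command name and the `<botnet>_<serial>` victim-id format are illustrative assumptions, not a verified njRAT schema.

```python
"""Decode njRAT-style C2 frames with the splitter from the extracted config.

Framing (per public write-ups): <decimal length>\x00<payload>, payload fields
separated by the configured splitter. The sample stream is constructed here;
the field layout after the command name is illustrative only.
"""
import base64

SPLITTER = "|'|'|"   # 'splitter' from the extracted config
BOTNET = "HacKed"    # 'Botnet' from the extracted config


def frame(payload: bytes) -> bytes:
    """Build one frame: ASCII decimal length, NUL, payload."""
    return str(len(payload)).encode() + b"\x00" + payload


def parse_frames(stream: bytes):
    """Yield (command, fields) for each complete frame in a byte stream.

    A truncated or malformed frame ends parsing instead of raising, so a
    partial capture still yields everything that precedes the damage.
    """
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break
        header = stream[pos:nul]
        if not header.isdigit():
            break                      # not a length prefix: stop here
        length = int(header)
        start, end = nul + 1, nul + 1 + length
        if end > len(stream):
            break                      # truncated frame
        fields = stream[start:end].decode("utf-8", errors="replace").split(SPLITTER)
        yield fields[0], fields[1:]
        pos = end


def is_njrat_checkin(stream: bytes) -> bool:
    """True if the first frame is an 'll' command whose first field starts
    with the configured botnet name plus '_' (assumed victim-id format)."""
    for command, fields in parse_frames(stream):
        return command == "ll" and bool(fields) and fields[0].startswith(BOTNET + "_")
    return False


# Constructed sample: one check-in frame followed by a one-byte ping-style frame.
CHECKIN = frame(SPLITTER.join([
    "ll",
    BOTNET + "_5E3A1C9F",                              # botnet name + assumed serial
    "WIN7-PC",                                         # hostname (illustrative)
    "Admin",                                           # user (illustrative)
    base64.b64encode(b"Untitled - Notepad").decode(),  # foreground window title
]).encode())
SAMPLE_STREAM = CHECKIN + frame(b"P")


if __name__ == "__main__":
    for command, fields in parse_frames(SAMPLE_STREAM):
        print(command, fields)
    print("njRAT check-in:", is_njrat_checkin(SAMPLE_STREAM))
```

In a real case the input to `parse_frames` is the reassembled TCP payload toward the configured C2 port (5552 here); the splitter and botnet name are what tie a capture back to this particular build.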

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\drweb.exe
    "C:\Users\Admin\AppData\Local\Temp\drweb.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Users\Admin\AppData\Local\Temp\bootlog.exe
      "C:\Users\Admin\AppData\Local\Temp\bootlog.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\bootlog.exe" "bootlog.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:2036
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:824
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x554
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1524
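Added example, not part of this report: detection logic for the chain above (drweb.exe runs a same-hash copy of itself as bootlog.exe, which then whitelists itself with netsh), run over constructed Sysmon-style process-creation records that mirror the tree (PIDs 2028 → 2032 → 2036). The record field names are an assumption for this example, not a real Sysmon export, and the hashes for netsh.exe and explorer.exe are left empty because the report does not give them. The netsh parser also accepts the modern `netsh advfirewall firewall add rule ... program=` form, which goes beyond the legacy syntax this sample used.

```python
"""Flag two behaviours from the process tree in this report:
  1. netsh adding a firewall exception for a binary in a user-writable path
  2. a process executing a copy of itself (child hash == parent hash, new path)
Records below are constructed Sysmon-style events; field names are assumed.
"""
import re

SAMPLE_MD5 = "db5fa6ff80870f8041e0b31b00c43575"  # drweb.exe / bootlog.exe, from the report

EVENTS = [  # constructed to mirror the report's process tree
    {"pid": 2028, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\drweb.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\drweb.exe"', "md5": SAMPLE_MD5},
    {"pid": 2032, "ppid": 2028, "image": r"C:\Users\Admin\AppData\Local\Temp\bootlog.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\bootlog.exe"', "md5": SAMPLE_MD5},
    {"pid": 2036, "ppid": 2032, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\bootlog.exe" "bootlog.exe" ENABLE',
     "md5": None},  # not in the report
    {"pid": 824, "ppid": 0, "image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\explorer.exe"', "md5": None},  # not in the report
]

# Directory markers a standard user can write to (lower-cased, backslash form).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")

NETSH = re.compile(r'^\s*"?(?:[^"\s]*[\\/])?netsh(?:\.exe)?"?\s+(?P<args>.*)$', re.IGNORECASE)
LEGACY = re.compile(r'^firewall\s+add\s+allowedprogram\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
MODERN = re.compile(r'^advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=(?:"([^"]+)"|(\S+))',
                    re.IGNORECASE)


def in_user_writable(path: str) -> bool:
    """True if the path sits under a directory a standard user can write to."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def firewall_exception_target(cmdline: str):
    """Return the program path a netsh command whitelists, or None.

    Handles the legacy 'netsh firewall add allowedprogram <path>' form seen in
    the report and the modern 'netsh advfirewall firewall add rule ... program=<path>'.
    """
    m = NETSH.match(cmdline)
    if not m:
        return None
    args = m.group("args")
    for pattern in (LEGACY, MODERN):
        hit = pattern.match(args)
        if hit:
            return hit.group(1) or hit.group(2)
    return None


def analyse(events):
    """Return (rule, pid, detail) findings for the two behaviours above."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        target = firewall_exception_target(e["cmdline"])
        if target and in_user_writable(target):
            findings.append(("netsh_exception_for_user_writable_binary", e["pid"], target))
        parent = by_pid.get(e["ppid"])
        if (parent and e["md5"] and e["md5"] == parent["md5"]
                and e["image"].lower() != parent["image"].lower()):
            findings.append(("self_copy_executed", e["pid"],
                             f'{parent["image"]} -> {e["image"]}'))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyse(EVENTS):
        print(f"{rule:40} pid={pid} {detail}")
```

The hash comparison is what separates "dropped a payload" from "copied itself": the report lists identical MD5/SHA values for drweb.exe and bootlog.exe, so the second rule fires on PID 2032, and the firewall rule fires on PID 2036 because the whitelisted program lives under AppData\Local\Temp.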

    Network

    • 127.0.0.1:5552
      bootlog.exe (46 connection attempts; the C2 in the extracted config is the loopback address, so these connections never leave the analysis VM and the remaining network tabs report no results)

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\bootlog.exe (identical hashes to the submitted drweb.exe: the dropped file is a copy of the sample itself)

      Filesize

      151KB

      MD5

      db5fa6ff80870f8041e0b31b00c43575

      SHA1

      aa22dd900a62ce990080bd848567ba8239c397dc

      SHA256

      59b5e11f75751ce321671ed65883c1d67cf4736bb07f43000215afd3a2def406

      SHA512

      92bc1cfe2319055e93e8aa3ba647ffcdc4a1baea166871a9b8b09a0400273b719eed169f031a47166f9383d0022459f6d99229eddd7779f02768d70cfa10a0f7

    • \Users\Admin\AppData\Local\Temp\bootlog.exe

      Filesize

      151KB

      MD5

      db5fa6ff80870f8041e0b31b00c43575

      SHA1

      aa22dd900a62ce990080bd848567ba8239c397dc

      SHA256

      59b5e11f75751ce321671ed65883c1d67cf4736bb07f43000215afd3a2def406

      SHA512

      92bc1cfe2319055e93e8aa3ba647ffcdc4a1baea166871a9b8b09a0400273b719eed169f031a47166f9383d0022459f6d99229eddd7779f02768d70cfa10a0f7

    • memory/2028-54-0x0000000000470000-0x00000000004B0000-memory.dmp

      Filesize

      256KB

    • memory/2032-62-0x00000000001B0000-0x00000000001F0000-memory.dmp

      Filesize

      256KB
