Overview

overview

10

Static

static

10

drweb.exe

windows7-x64

10

Analysis

  • max time kernel
    210s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20230621-en
  • resource tags

    arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
  • submitted
    29/06/2023, 21:30 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    drweb.exe

  • Size

    151KB

  • MD5

    db5fa6ff80870f8041e0b31b00c43575

  • SHA1

    aa22dd900a62ce990080bd848567ba8239c397dc

  • SHA256

    59b5e11f75751ce321671ed65883c1d67cf4736bb07f43000215afd3a2def406

  • SHA512

    92bc1cfe2319055e93e8aa3ba647ffcdc4a1baea166871a9b8b09a0400273b719eed169f031a47166f9383d0022459f6d99229eddd7779f02768d70cfa10a0f7

  • SSDEEP

    3072:0Oj3YL2p+yJgNAjVd1nut+uV2mTVDjFwkWl176jZ1hCagdgvPW:L3YLfOVdRQ/vqkg1gEagdgH

Score
10/10
njrathackedevasiontrojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

127.0.0.1:5552

Mutex

08022291fe871213f172041da3b6ef33

Attributes
  • reg_key

    08022291fe871213f172041da3b6ef33

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\drweb.exe
    "C:\Users\Admin\AppData\Local\Temp\drweb.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Users\Admin\AppData\Local\Temp\bootlog.exe
      "C:\Users\Admin\AppData\Local\Temp\bootlog.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\bootlog.exe" "bootlog.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:2036
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:824
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x554
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1524

    Network

      No results found
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    • 127.0.0.1:5552
      bootlog.exe
    No results found

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\bootlog.exe
      Filesize

      151KB

      MD5

      db5fa6ff80870f8041e0b31b00c43575

      SHA1

      aa22dd900a62ce990080bd848567ba8239c397dc

      SHA256

      59b5e11f75751ce321671ed65883c1d67cf4736bb07f43000215afd3a2def406

      SHA512

      92bc1cfe2319055e93e8aa3ba647ffcdc4a1baea166871a9b8b09a0400273b719eed169f031a47166f9383d0022459f6d99229eddd7779f02768d70cfa10a0f7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\bootlog.exe
      Filesize

      151KB

      MD5

      db5fa6ff80870f8041e0b31b00c43575

      SHA1

      aa22dd900a62ce990080bd848567ba8239c397dc

      SHA256

      59b5e11f75751ce321671ed65883c1d67cf4736bb07f43000215afd3a2def406

      SHA512

      92bc1cfe2319055e93e8aa3ba647ffcdc4a1baea166871a9b8b09a0400273b719eed169f031a47166f9383d0022459f6d99229eddd7779f02768d70cfa10a0f7

      Download Submit

    • \Users\Admin\AppData\Local\Temp\bootlog.exe
      Filesize

      151KB

      MD5

      db5fa6ff80870f8041e0b31b00c43575

      SHA1

      aa22dd900a62ce990080bd848567ba8239c397dc

      SHA256

      59b5e11f75751ce321671ed65883c1d67cf4736bb07f43000215afd3a2def406

      SHA512

      92bc1cfe2319055e93e8aa3ba647ffcdc4a1baea166871a9b8b09a0400273b719eed169f031a47166f9383d0022459f6d99229eddd7779f02768d70cfa10a0f7

      Download Submit

    • memory/2028-54-0x0000000000470000-0x00000000004B0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2032-62-0x00000000001B0000-0x00000000001F0000-memory.dmp

      Filesize

      256KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.