Resubmissions

  • 10-05-2024 16:25  240510-tw1h5shh47  score 10
  • 24-08-2023 11:16  230824-nda8msdf8z  score 10
  • 05-08-2023 22:52  230805-2tn2bsfa82  score 10
  • 24-07-2023 06:25  230724-g6s6laag35  score 10
  • 22-07-2023 15:57  230722-tee6wabg5w  score 10
  • 20-07-2023 23:19  230720-3bb5gsbf5v  score 10
  • 20-07-2023 23:06  230720-23f23sba63  score 10
  • 03-02-2021 11:43  210203-6bgge2nfan  score 10
  • 22-11-2020 06:42  201122-6x1at779dj  score 10

Analysis

  • max time kernel
    90s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-07-2023 15:57

General

  • Target: Downloads.rar
  • Size: 184.3MB
  • MD5: 9e3e4dd2eca465797c3a07c0fa2254fe
  • SHA1: 16ceee08c07179157b0fb6de04b7605360f34b20
  • SHA256: f1bbcc5c678d174d858ae089f4494e3ea8bcfc418098d61804a15e437f08aff7
  • SHA512: f6033af5252203878aa0d1ba77f4816694a953103927362f6308c527e84c61be00816bf9ccba207991f93248ffefaaf31e27f5fd7806d3a4cb35d4104e79f746
  • SSDEEP: 3145728:6CNdBnKJ7rjucWU6bfga3QgbgShgbgSwSonIyRNlIyN+c3Os:t+sJb/3Q4h4wLIy/r91

Malware Config

Extracted

  • Family: njrat
  • Version: 0.7d
  • Botnet: HACK
  • C2: 43.229.151.64:5552
  • Mutex: 6825da1e045502b22d4b02d4028214ab
  • Attributes
    • reg_key: 6825da1e045502b22d4b02d4028214ab
    • splitter: Y262SUCZ4UJJ

Signatures

  • njRAT/Bladabindi
    Widely used RAT written in .NET.
  • Modifies Windows Firewall (1 TTPs, 1 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoCs)
    Looks up country code configured in the registry, likely geofence.
  • Drops startup file (3 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  • Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
    SCSI information is often read in order to detect sandboxing environments.
  • Modifies registry class (5 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (9 IoCs)
  • Suspicious use of FindShellTrayWindow (31 IoCs)
  • Suspicious use of SendNotifyMessage (29 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Downloads.rar
    1⤵
    • Modifies registry class
    PID:1868
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4440
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4840
    • C:\Program Files\7-Zip\7zG.exe
      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Downloads\" -ad -an -ai#7zMap28307:76:7zEvent2125
      1⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1704
    • C:\Users\Admin\Desktop\Downloads\svchost.exe
      "C:\Users\Admin\Desktop\Downloads\svchost.exe"
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4848
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        2⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1192
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
          3⤵
          • Modifies Windows Firewall
          PID:4416
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Drops startup file
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2548

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    • Create or Modify System Process (T1543): 1
      • Windows Service (T1543.003): 1
    • Boot or Logon Autostart Execution (T1547): 1
      • Registry Run Keys / Startup Folder (T1547.001): 1
  • Privilege Escalation
    • Create or Modify System Process (T1543): 1
      • Windows Service (T1543.003): 1
    • Boot or Logon Autostart Execution (T1547): 1
      • Registry Run Keys / Startup Folder (T1547.001): 1
  • Defense Evasion
    • Modify Registry (T1112): 1
  • Discovery
    • Query Registry (T1012): 2
    • System Information Discovery (T1082): 3
    • Peripheral Device Discovery (T1120): 1


Downloads

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    Filesize: 31KB
    MD5: 49b8f905867aded45f1f5b3c9bd84209
    SHA1: 0a87788428778dba567623ccc9be6825eba4b7c7
    SHA256: 02883009e7e310bf670bff6336cb6c05c5ecfe0b40274a99b769e8fbfae19ad3
    SHA512: 1c9d2b7bb3948ad8f3cae541602575b9eacc2a212ab0a6e7c148a24a72e36986e4c46d646244837dc3ea7c71f3db90629f7ee68ef18565d67f93d1f801308361

  • C:\Users\Admin\Desktop\Downloads\svchost.exe
    Filesize: 31KB
    MD5: 49b8f905867aded45f1f5b3c9bd84209
    SHA1: 0a87788428778dba567623ccc9be6825eba4b7c7
    SHA256: 02883009e7e310bf670bff6336cb6c05c5ecfe0b40274a99b769e8fbfae19ad3
    SHA512: 1c9d2b7bb3948ad8f3cae541602575b9eacc2a212ab0a6e7c148a24a72e36986e4c46d646244837dc3ea7c71f3db90629f7ee68ef18565d67f93d1f801308361

  • C:\Users\Admin\Desktop\New folder\Downloads\Lonelyscreen.1.2.9.keygen.by.Paradox.exe
    Filesize: 13.4MB
    MD5: 48c356e14b98fb905a36164e28277ae5
    SHA1: d7630bd683af02de03aebc8314862c512acd5656
    SHA256: b2f43148c08f4fe2a0902873813fd7bbb9b513920089939c220826097480396c
    SHA512: 278ae5723544691844aae917938c7ab835f5da9c01c59472497112ca9f5d326a2586fa0bc79fbd0d907aab972b3f855c0087656c5e10504adc760b756ada221b

  • \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\6825da1e045502b22d4b02d4028214ab.exe
    Filesize: 31KB
    MD5: 49b8f905867aded45f1f5b3c9bd84209
    SHA1: 0a87788428778dba567623ccc9be6825eba4b7c7
    SHA256: 02883009e7e310bf670bff6336cb6c05c5ecfe0b40274a99b769e8fbfae19ad3
    SHA512: 1c9d2b7bb3948ad8f3cae541602575b9eacc2a212ab0a6e7c148a24a72e36986e4c46d646244837dc3ea7c71f3db90629f7ee68ef18565d67f93d1f801308361

  • memory/1192-427-0x0000000075070000-0x0000000075621000-memory.dmp
    Filesize: 5.7MB

  • memory/2548-410-0x000001B55CEB0000-0x000001B55CEB1000-memory.dmp
    Filesize: 4KB

  • memory/4848-423-0x0000000075070000-0x0000000075621000-memory.dmp
    Filesize: 5.7MB
