Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-12-2023 07:40

General

  • Target

    11374849012dfeed18493578007f0c53.exe

  • Size

    93KB

  • MD5

    11374849012dfeed18493578007f0c53

  • SHA1

    367d9ee8bbd2c911c8d9b51fa6f1b664e90036c2

  • SHA256

    16607e62e5e61fd70634ebde62a145329a23d3d31867c2e86554b5f9ad313063

  • SHA512

    46c9a2d2cef8771be3d6b22c88834a3e53de5c7b7751dff39e01566c01621a36225629dfba3fcdc5e1157fa49ee181ff05cd796b1825706e8a7a00a229721d6c

  • SSDEEP

    768:oY37yTnkpjTMpALPGMtsas88EtNXhU9f1mxCXxrjEtCdnl2pi1Rz4Rk3vsGdp0gM:Ly7kVbPGHz88EbE1pjEwzGi1dDbD0gS

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

5.tcp.eu.ngrok.io:13940

Mutex

d31f5482257e7847270785c2b6a88c7b

Attributes
  • reg_key

    d31f5482257e7847270785c2b6a88c7b

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 1 TTPs 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\11374849012dfeed18493578007f0c53.exe
    "C:\Users\Admin\AppData\Local\Temp\11374849012dfeed18493578007f0c53.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1216
    • C:\Users\Admin\AppData\Roaming\server.exe
      "C:\Users\Admin\AppData\Roaming\server.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4996
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:1712
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
        3⤵
        • Modifies Windows Firewall
        PID:3120
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:3392

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\app

    Filesize

    4B

    MD5

    4d853d9c7197ee7fa81c6535b1f7d655

    SHA1

    eac3d866e991967b385f3dd22da25e410d8f7f49

    SHA256

    5abdb6175f820f0ac3d8647fbb1f7a0bcc91757a782a8a145570944ca6a00c96

    SHA512

    dc5a09d8586eb9f591f6e00187817c19f693e9328a1b2e5838c61c0b234e9608eecc45bbf7f4a90912e9a456d0ab469ed2503bafb4988b276cec8d5f0b18fda7

  • C:\Users\Admin\AppData\Roaming\server.exe

    Filesize

    93KB

    MD5

    11374849012dfeed18493578007f0c53

    SHA1

    367d9ee8bbd2c911c8d9b51fa6f1b664e90036c2

    SHA256

    16607e62e5e61fd70634ebde62a145329a23d3d31867c2e86554b5f9ad313063

    SHA512

    46c9a2d2cef8771be3d6b22c88834a3e53de5c7b7751dff39e01566c01621a36225629dfba3fcdc5e1157fa49ee181ff05cd796b1825706e8a7a00a229721d6c

  • C:\Users\Admin\AppData\Roaming\server.exe

    Filesize

    93KB

    MD5

    11374849012dfeed18493578007f0c53

    SHA1

    367d9ee8bbd2c911c8d9b51fa6f1b664e90036c2

    SHA256

    16607e62e5e61fd70634ebde62a145329a23d3d31867c2e86554b5f9ad313063

    SHA512

    46c9a2d2cef8771be3d6b22c88834a3e53de5c7b7751dff39e01566c01621a36225629dfba3fcdc5e1157fa49ee181ff05cd796b1825706e8a7a00a229721d6c

  • C:\Users\Admin\AppData\Roaming\server.exe

    Filesize

    93KB

    MD5

    11374849012dfeed18493578007f0c53

    SHA1

    367d9ee8bbd2c911c8d9b51fa6f1b664e90036c2

    SHA256

    16607e62e5e61fd70634ebde62a145329a23d3d31867c2e86554b5f9ad313063

    SHA512

    46c9a2d2cef8771be3d6b22c88834a3e53de5c7b7751dff39e01566c01621a36225629dfba3fcdc5e1157fa49ee181ff05cd796b1825706e8a7a00a229721d6c

  • memory/1216-14-0x00000000751C0000-0x0000000075771000-memory.dmp

    Filesize

    5.7MB

  • memory/1216-1-0x00000000751C0000-0x0000000075771000-memory.dmp

    Filesize

    5.7MB

  • memory/1216-2-0x0000000001800000-0x0000000001810000-memory.dmp

    Filesize

    64KB

  • memory/1216-0-0x00000000751C0000-0x0000000075771000-memory.dmp

    Filesize

    5.7MB

  • memory/4996-13-0x00000000751C0000-0x0000000075771000-memory.dmp

    Filesize

    5.7MB

  • memory/4996-16-0x00000000751C0000-0x0000000075771000-memory.dmp

    Filesize

    5.7MB

  • memory/4996-15-0x0000000001150000-0x0000000001160000-memory.dmp

    Filesize

    64KB

  • memory/4996-47-0x0000000001150000-0x0000000001160000-memory.dmp

    Filesize

    64KB

  • memory/4996-48-0x00000000751C0000-0x0000000075771000-memory.dmp

    Filesize

    5.7MB